
Container Security.

Discover, track and continuously secure containers – from build to runtime.


Security and risk management leaders must address container security issues around vulnerabilities, visibility, compromise and compliance.

Neil MacDonald, VP and Distinguished Analyst, Gartner

Highlights

Visibility into your container projects

Qualys Container Security (CS) gives you complete visibility of container hosts wherever they are in your global IT environment — on premises and in clouds. It gathers comprehensive topographic information about your container projects — images, image registries, and containers spun from the images. With dynamic, customizable dashboards, you can see your complete inventory and security posture from containers to hosts.

Security for the entire DevOps pipeline

Containerized application development is an easy and open process, but it has a downside: the often inadvertent use of third-party software components that have vulnerabilities. With Qualys CS, security teams can enforce policies to block the use of images that have specific vulnerabilities, or that have vulnerabilities above a certain severity threshold. Developers can do continuous vulnerability detection and remediation in the DevOps pipeline by deploying plugins for CI/CD tools like Jenkins or Bamboo, or via REST APIs.

Threat identification, impact assessment and remediation prioritization

By the nature of their deployment, containers have an increased surface area. With Qualys CS, you can search for images in your environment that have high-severity vulnerabilities, unapproved packages, and older or test release tags. You can then assess their impact by identifying all containers — active or dormant — that use the unapproved, vulnerable images. Qualys CS helps you determine if these images are cached on different hosts, and identify all the containers on exposed vulnerable network ports running with privileges, which could lead to attacks.

Container runtime protection

Qualys CS lets you scan, protect and secure running containers. You can also detect containers drifting from the parent image, breaking the immutable behavior with a different vulnerability posture and software configuration. Qualys CS also features policy-based orchestration to stop vulnerable images from being spun up in Kubernetes clusters. You can also understand how the host impacts the containers by easily drilling down to the host level to identify its vulnerabilities and patch compliance.

Discover and inventory container assets

Qualys Container Security provides centralized, continuous discovery and tracking for containers and images. Deploy Qualys’ new native container sensor as a ‘side-car’ container on the Docker hosts across build, registry or active deployments located on premises or in clouds.

  • Provide users a quick overview of inventory via pre-built dashboards, and personalize or build your own with custom widgets.

  • Get comprehensive topographic information about the container environments: images, registries, associated containers (both active and dormant), and hosts.

  • View comprehensive metadata for every image including labels, tags, installed software, layers and the association information.

  • View comprehensive metadata for every container, including environment variables used during deployment, services, users, network information, exposed ports, privileged status, and association information to other containers built off the same parent image, in addition to the host or pod they are on.

  • Use smart filters for quick lookup based on all the attributes, save searches and download search results in various formats such as CSV and PDF.

Perform container-native vulnerability analysis

Qualys CS provides wide coverage and high accuracy vulnerability scanning of images by understanding how all of an image’s layers work in unison. This allows security analysts to rapidly analyze the real threats and focus on remediation, rather than wasting time clearing false positives which are prevalent in results from other container scanning products.

  • Get comprehensive coverage, from standard Linux OS distributions to container-centric OSes (like CoreOS and Alpine), applications (like NGINX, Postgres, MySQL, Redis and MongoDB), and programming languages (like Python, NodeJS, RubyGems, GoLang and Java).

  • Run vulnerability scans on images and running containers, and obtain detailed reports of vulnerable software with patchable version information.

  • Identify the composition of the image using layer details gathered by Qualys CS.

Vulnerability analysis in DevOps pipeline

Qualys CS features a vulnerability analysis plug-in for the CI/CD tool Jenkins, and soon for other CI/CD tools including Bamboo, TeamCity, and CircleCI. You can download the plugins directly from within the container security module. With Qualys CS, security teams can participate in the DevOps process to gate vulnerable images entering the system, while developers get actionable data to remediate vulnerabilities.

  • Configure policies for preventing vulnerable images from entering the repositories. Set policies based on criteria such as vulnerability severity, and specific QIDs.

  • Review from within the plug-in a summary of the build with its vulnerabilities, information on patchable software and fixed versions, and image layers where it is present.

Detect and block drifting runtimes

Container infrastructure is immutable in nature, which means containers need to be identical to the images they are baked from. With Qualys CS, you can detect containers that break this immutable behavior, and understand if there are unapproved executions and malicious events happening in the running containers.

  • Detect drifting containers by vulnerabilities, software packages and configuration.

  • Get a complete understanding of the anomaly via a granular classification of rogue vulnerabilities and software packages.

  • Prevent vulnerable images from being spun up in Kubernetes clusters through policy based orchestration (coming soon).

New Qualys 'Container Sensor'

Qualys has developed a native sensor available as an image for Docker-based containers. It’s deployed as a ‘side-car’ unprivileged container on Docker hosts.

  • Container Sensor supports Docker containers running on Linux, and is deployable across Kubernetes, Docker Swarm and other orchestration environments.

  • You can generate daemon sets for Kubernetes, and download sample templates for Docker Swarm and other orchestration environments.

  • Container Sensor is self-updating and can be configured to communicate over proxies.

REST APIs and Integrations

Qualys CS’s complete features are available as REST APIs. These are clearly documented with examples and easy test options in Swagger, enabling DevSecOps teams to integrate security across their CI/CD tool chain. You can further automate the aggregation of security data into SIEMs and ticketing processes with purpose-built connectors for Splunk and ServiceNow (coming soon).

Powered by the Qualys Cloud Platform

Single-pane-of-glass UI

See the results in one place, in seconds. With AssetView, security and compliance pros and managers get a complete and continuously updated view of all of their IT assets — from a single dashboard interface. It's fully customizable and lets you see the big picture, drill down into details, and generate reports for teammates and auditors. Its intuitive and easy-to-build dynamic dashboards aggregate and correlate all of your IT security and compliance data in one place from all the various Qualys Cloud Apps. With its powerful elastic search clusters, you can now search for any asset – on-premises, endpoints and all clouds – with 2-second visibility.

Centralized & customized

Centralize discovery of host assets for multiple types of assessments. Organize host asset groups to match the structure of your business. Keep security data private with our end-to-end encryption & strong access controls. You can centrally manage users’ access to their Qualys accounts through your enterprise single sign-on (SSO). Qualys supports SAML 2.0-based identity service providers.

Easy deployment

Deploy from a public or private cloud — fully managed by Qualys. With Qualys, there are no servers to provision, no software to install, and no databases to maintain. You always have the latest Qualys features available through your browser, without setting up special client software or VPN connections.

Scalable and extensible

Scale up globally, on demand. Integrate with other systems via extensible XML-based APIs. You can use Qualys with a broad range of security and compliance systems, such as GRC, ticketing systems, SIEM, ERM, and IDS.
