Using Aqua to Secure Applications on Pivotal Cloud Foundry
Many organizations use Pivotal Cloud Foundry® (PCF), one of the world's most powerful cloud-native platforms. PCF enables developers and operators to iterate rapidly, helps them expand and launch new businesses fast, and lets them deliver extraordinary user experiences to their customers.
A little background on PCF vernacular
Before we dive into the Aqua Security for PCF solution, here is a short glossary for those who may not be familiar with some key terms specific to the Cloud Foundry world (mostly based on the CF documentation):
- Droplet – An archive that contains the application ready to run on Diego (the container management system in Cloud Foundry). A droplet is created as a result of the application staging process. It has a similar status to images in a production Docker registry.
- Buildpack – The mechanism used to define which language dependencies to download. Buildpacks provide framework and runtime support for apps, and define how to configure apps to communicate with bound services, resulting in ready-to-deploy applications.
- Decorator buildpack – A decorator is a special kind of buildpack: unlike a "real" or language-based buildpack, it doesn't produce a droplet from source but rather "decorates" an already produced droplet to implement some type of add-on feature, such as droplet scanning.
- cf push – The command used to upload a new app, or sync changes to an existing app, to Cloud Foundry.
- Blobstore – A repository for large binary files.
Integration? Tell me more.
As a first step, Aqua has integrated the Aqua Continuous Assurance policy and Vulnerability Scanning capabilities with Pivotal Cloud Foundry. The solution enables PCF customers to automatically scan droplets using an Aqua Decorator buildpack. These scans are performed against the Aqua Continuous Assurance policy, which lets you apply granular checks to a droplet during staging (e.g., disallowing droplets by CVSS severity, detected malware, leftover RSA keys, etc.).
Aqua's deep vulnerability scanning empowers developers by providing an automated decision as to whether an app should be allowed or disallowed during development and as it is promoted to production. These decisions are derived from the organization's corporate GRC policies, so developers do not have to spend precious time researching vulnerabilities in their codebase.
Today we are announcing the availability of Aqua Security for PCF as a public beta release where registered Pivotal customers can join and use the solution free of charge for 30 days, by downloading the Aqua tile directly from the Pivotal Network.
What’s in it for you?
Aqua Security for PCF allows developers and operators to automatically detect and stop vulnerable droplets from being deployed.
Aqua Security for PCF features the following capabilities:
- Scan droplets for known vulnerabilities, based on an updated feed from multiple resources (public CVEs, vendor-issued, proprietary vulnerability data streams and malware lists)
- Block unauthorized droplets from being uploaded to stores or run, based on droplet assurance policies, for example:
  - Stop unauthorized droplets
  - Stop droplets by CVEs and score
  - Detect and stop droplets with hardcoded secrets
  - Detect and stop droplets with malware
  - Add custom compliance checks
- View actionable information on how to mitigate detected vulnerabilities
- Gain visibility into droplet vulnerabilities directly from CI/CD tools and Aqua dashboard
Integration in Action
If you're already using PCF, you can get started in a matter of minutes by joining our beta program. You need to be logged into your PCF account to be able to select it. As this is a beta release, no charges apply.
It’s an easy 5-step process from upload to actionable results.
Step 1: Download and install the Aqua Security tile to deploy the Aqua Command Center in your PCF environment, and complete the Aqua online form to obtain a license key. The license will be valid for 30 days.
Step 2: Provision Droplet Assurance Policies in the Aqua Command Center to ensure only authorized droplets are deployed into the runtime environment. In this case, we defined a default policy that will not pass droplets that have high-severity CVEs or embedded sensitive data (e.g., secrets).
Step 3: Perform security scanning of droplets at build time to view vulnerabilities and open-source licenses in the code. Once droplets are scanned, you will see a visual summary of the issues found.
Step 4: Click on the droplet to view a summary of all risks and why this droplet was disallowed. From this example, you can see that the droplet was disallowed because of secrets found in the code and some high severity vulnerabilities.
Note that recommended actions are listed at the bottom of the page, suggesting remediation steps to make the droplet more secure.
Step 5: Click on the vulnerability tab to view the list of CVEs detected and their severities. You can also click on any CVE to view additional information about the specific CVE and recommended remediation actions.
You can also click on the Sensitive Data tab to reveal that there is a private key embedded in the code.
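As an added illustration (not Aqua's code and not its policy format), the following Python models the Step 2 default policy: it unpacks a constructed droplet archive, flags files carrying a PEM private-key header, and disallows the droplet when any finding reaches the assumed High CVSS threshold of 7.0 or an embedded key is found. The sample droplet, the key and the CVE identifiers are all constructed placeholders.

```python
import io
import re
import tarfile

# Constructed sample droplet contents: a tar.gz like the one staging produces,
# with a deliberately embedded fake RSA private key (not a real key).
SAMPLE_FILES = {
    "app/server.py": b"print('hello from the droplet')\n",
    "app/config/deploy_key.pem": b"-----BEGIN RSA PRIVATE KEY-----\n"
                                 b"CONSTRUCTED-NOT-A-REAL-KEY\n"
                                 b"-----END RSA PRIVATE KEY-----\n",
}

def build_droplet(files):
    """Pack a {path: bytes} mapping into an in-memory tar.gz droplet."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# PEM header that marks a leftover private key (RSA, EC, DSA or OpenSSH).
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")

def find_embedded_keys(droplet, max_size=1_000_000):
    """Return paths of regular files in the droplet that carry a private-key header."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(droplet), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or member.size > max_size:
                continue  # skip directories, links and oversized blobs
            if PRIVATE_KEY_RE.search(tar.extractfile(member).read()):
                hits.append(member.name)
    return hits

def evaluate_policy(droplet, findings, max_cvss=7.0):
    """Step 2 policy: disallow on CVSS >= 7.0 (High/Critical in CVSS v3) or embedded keys."""
    reasons = [f"{f['id']} has CVSS {f['cvss']} >= {max_cvss}"
               for f in findings if f["cvss"] >= max_cvss]
    reasons += [f"private key embedded at {path}" for path in find_embedded_keys(droplet)]
    return {"allowed": not reasons, "reasons": reasons}

# Constructed scanner findings with placeholder identifiers (not real CVEs).
FINDINGS = [{"id": "CVE-PLACEHOLDER-1", "cvss": 9.8}, {"id": "CVE-PLACEHOLDER-2", "cvss": 4.3}]

if __name__ == "__main__":
    verdict = evaluate_policy(build_droplet(SAMPLE_FILES), FINDINGS)
    print("ALLOWED" if verdict["allowed"] else "DISALLOWED", *verdict["reasons"], sep="\n  ")
```

Running it prints DISALLOWED with two reasons: the placeholder critical CVE and the key at app/config/deploy_key.pem, mirroring the two causes shown in Step 4.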
The Aqua solution is easy to operate and provides you with the most advanced scanning capabilities on the market today. It supports more than 40 languages, including Java, Go, C++, Python, Ruby, Node.js, and more, as well as static binaries. In addition, you can use our set of APIs to integrate Aqua with your preferred CI/CD tools for security testing as part of the build, with Active Directory/LDAP for user authentication, and with SIEM/analytics tools to output audit and alert data.
Stay tuned for more on this and other cool enhancements to the Aqua integration with Pivotal Cloud Foundry.
The Aqua Security for PCF beta tile is available on the Pivotal Network.