While containers have revolutionized modern software development, the complexity of dependencies in containerized environments and the expanded attack surface they present are still significant hurdles for security professionals. The initial step in securing these environments involves identifying vulnerabilities within container images. Yet, the most time-consuming task can often be identifying the right development team to address these vulnerabilities, particularly the mission-critical ones.
Microsoft Defender for Cloud addresses this critical need with its container mapping feature. This blog post explores how Defender for Cloud streamlines the process of tracing vulnerabilities in container images back to their origins in CI/CD pipelines, specifically within Azure DevOps and GitHub environments. This functionality is key to facilitating effective developer remediation workflows, thereby enhancing the security posture of cloud-native applications.
The Power of Container Mapping in Defender for Cloud
Microsoft Defender for Cloud's container mapping feature offers a holistic view of the container landscape, linking container images in registries or Kubernetes clusters back to their source in the CI/CD pipelines. This feature is crucial for several reasons, including quick identification of vulnerability origins, streamlined collaboration between developers and security teams, and continuous visibility of the software development lifecycle.
Quick Identification of Vulnerability Origins
Defender for Cloud bridges the gap between cloud deployments and code. It enables security teams to pinpoint critical vulnerabilities in running containers and associate each one directly with the CI/CD pipeline that built the container image. This connection lets teams locate the source of a risk quickly, shortening time to remediation. The cloud-to-code capability surfaces metadata captured from the CI/CD pipeline, creating a direct link between an issue observed in the cloud and the source repository it came from. That traceability is what makes it possible to understand how a vulnerability was introduced in the first place.
Enhanced Security Response
Through agentless discovery for Kubernetes, Defender for Cloud provides contextual visibility into Kubernetes assets and their security posture, so security teams can prioritize remediation based on actual risk rather than raw vulnerability counts. Vulnerabilities in running containers can be ranked by factors such as whether the container runs as privileged or whether its pod is exposed to the internet. After cutting through the noise to focus on the vulnerable containers with the highest business impact, security teams can trace each finding to its precise origin in the pipeline that built the image. With agentless container posture and container mapping in Defender CSPM, security teams can hand the finding directly to the development team that owns that pipeline and initiate the patching process.
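The following is an added illustration of the two steps described above, prioritizing by runtime context and then joining back to the build origin. It is not Defender for Cloud's implementation, schema or scoring, which the page does not describe; the weights, the sample inventory, the pipeline records and the use of the image digest as the join key are all assumptions made for the example.

```python
"""Illustrative risk prioritization and code-to-cloud mapping.

Added example, not Defender for Cloud's own code or data model. It models
the idea on the page: rank vulnerable running containers by exposure and
privilege, then join each image back to the CI/CD run that built it. All
records below are constructed sample data; joining on the image digest is
an assumption made for this example.
"""
from dataclasses import dataclass

# Assumed weights; a real product would use its own scoring model.
SEVERITY_WEIGHT = {"critical": 10, "high": 6, "medium": 3, "low": 1}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


@dataclass
class RunningContainer:
    name: str
    namespace: str
    image_digest: str
    privileged: bool
    internet_exposed: bool
    vulnerabilities: list  # list of (cve_id, severity) tuples


@dataclass
class PipelineRun:
    image_digest: str   # digest of the image this run pushed
    provider: str       # "AzureDevOps" or "GitHub"
    repository: str
    pipeline: str
    run_id: str
    commit: str


def risk_score(c: RunningContainer) -> int:
    """Sum severity weights, then amplify by runtime context."""
    base = sum(SEVERITY_WEIGHT.get(sev.lower(), 0) for _, sev in c.vulnerabilities)
    if base == 0:
        return 0
    multiplier = 1.0
    if c.internet_exposed:  # reachable by an attacker: doubles the score
        multiplier *= 2.0
    if c.privileged:        # compromise likely escalates to the node
        multiplier *= 1.5
    return int(base * multiplier)


def meets_min_severity(c: RunningContainer, min_severity: str) -> bool:
    floor = SEVERITY_ORDER.index(min_severity.lower())
    return any(SEVERITY_ORDER.index(sev.lower()) >= floor for _, sev in c.vulnerabilities)


def triage(containers, runs, min_severity="high"):
    """Return vulnerable containers, highest risk first, each joined to its build origin.

    A container whose digest no pipeline record claims is reported with
    origin None: it was built outside an instrumented pipeline and needs
    manual attribution, which is the gap container mapping is meant to close.
    """
    by_digest = {r.image_digest: r for r in runs}
    candidates = [c for c in containers if meets_min_severity(c, min_severity)]
    candidates.sort(key=lambda c: (-risk_score(c), c.name))
    report = []
    for c in candidates:
        run = by_digest.get(c.image_digest)
        report.append({
            "container": c.name,
            "namespace": c.namespace,
            "score": risk_score(c),
            "cve_ids": [cve for cve, _ in c.vulnerabilities],
            "origin": None if run is None else {
                "provider": run.provider, "repository": run.repository,
                "pipeline": run.pipeline, "run_id": run.run_id, "commit": run.commit,
            },
        })
    return report


# Constructed sample inventory (not real scan output).
SAMPLE_CONTAINERS = [
    RunningContainer("api", "prod", "sha256:aaa", False, True,
                     [("CVE-2023-0001", "Critical"), ("CVE-2023-0002", "High")]),
    RunningContainer("batch", "prod", "sha256:bbb", True, False,
                     [("CVE-2023-0003", "High")]),
    RunningContainer("sidecar", "prod", "sha256:ccc", False, False,
                     [("CVE-2023-0004", "Medium")]),
    RunningContainer("legacy", "prod", "sha256:ddd", True, True,
                     [("CVE-2023-0005", "Critical")]),
]

# Constructed build records, as a pipeline integration might emit them.
SAMPLE_RUNS = [
    PipelineRun("sha256:aaa", "AzureDevOps", "contoso/api", "api-ci", "4711", "1a2b3c"),
    PipelineRun("sha256:bbb", "GitHub", "contoso/batch", "build.yml", "99", "d4e5f6"),
    PipelineRun("sha256:ccc", "GitHub", "contoso/sidecar", "build.yml", "12", "789abc"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_CONTAINERS, SAMPLE_RUNS):
        print(row)
```

In the sample data, `api` ranks first because it is internet-exposed with a critical finding, `legacy` ranks second and comes back with no origin because no pipeline record claims its digest, and `sidecar` drops out because its only finding is below the high-severity floor.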
Continuous Visibility into the Software Development Lifecycle
With container mapping, security teams gain comprehensive visibility across the entire lifecycle of container images, from their creation to deployment. This continuous oversight allows organizations to make data-driven decisions to enhance their security strategies. The capability ensures that cloud-native applications are traced from code to cloud and safeguarded throughout their lifecycle.
The Cloud Security Explorer in Defender for Cloud offers a built-in template to find “Container images running in production pushed by repositories with high severity vulnerabilities”. This allows you to quickly view the code origin of all running containers with vulnerabilities.
Figure 1. Cloud Security Explorer Template for Container Mapping
Selecting the template populates the query for you, so you can quickly get results for the vulnerable running containers that were pushed by code repositories.
Figure 2. Cloud Security Explorer Query
You can select any result to see the details of the DevOps pipeline that was responsible for building and pushing that specific container image.
Figure 3. Container Mapping Results in Cloud Security Explorer
Figure 4. Cloud Security Explorer Query for Internet Exposed Pods
The integration of container mapping in Microsoft Defender for Cloud is a significant improvement in the management of cloud native applications. It addresses a critical need in container security: the ability to identify the origin of vulnerabilities quickly and accurately. This capability accelerates the remediation process and enhances the overall security posture of an organization by providing clear visibility into the container lifecycle and fostering collaboration between development and security teams.
Code-to-cloud mapping doesn't stop with containers: Defender for Cloud also provides mapping for Infrastructure-as-Code, which is covered in a separate article.