We know many development teams these days are taking advantage of containerized software applications that may contain all of the necessary code, runtime, system tools, and libraries needed to run an application. Containers are easy to spin up and down, experiment with, and get things done quickly.
Despite the benefits of efficiency from a development standpoint, containers may present risks that are often difficult for security teams to identify. This can be attributed to multiple factors, including how fast things change in containerized environments and the types of packages found within these environments.
The security risks of Java and open source software (OSS) packages
Java is an enormous software platform, and it is widely used in containers. Because containers can be, and often are, deployed at scale, Java can greatly grow an organization’s risk exposure, giving bad actors a much larger attack surface to target.
It is common for container images to use open source software (OSS) packages like Java, which can have vulnerabilities that are not easy for security teams to identify. Why? Consider this example. A container built with Java often also leverages the Spring framework. While Java itself can expose an organization to risk, Spring may import additional vulnerabilities of its own. Modern software development presents unique risk challenges, especially given the use of frameworks and libraries.
Enter: InsightVM’s new integration with Snyk
Here’s where the new integration between Rapid7’s vulnerability risk management solution, InsightVM, and Snyk, a leading provider of software composition analysis (SCA) for containerized applications, comes into play. Snyk provides deep visibility into Java vulnerabilities. InsightVM can now consume this content from Snyk Intel to build OSS vulnerability checks and deliver those checks within the Container Security feature in InsightVM.
When it comes to Java, a developer may choose to use Spring to build the Java application. In this case, Snyk Intel in InsightVM will provide vulnerability checks for both Java and Spring, giving you a deeper understanding of the risks that your containerized application poses.
Moreover, as Rapid7 and Snyk deepen this integration, InsightVM will be able to provide a deeper understanding of risk into an increased number of OSS packages.
If your organization uses containers in its environment, this integration will certainly benefit you. It is particularly helpful for organizations that scan container images at rest, in both public and private registries.
When it comes to leveraging this new integration in InsightVM, no action is needed from InsightVM customers. Java vulnerability checks are automatically available within the Container Security feature in InsightVM. Additionally, future checks for other OSS packages will not require action from InsightVM customers.
To see the power of InsightVM and Snyk Intel for yourself, start a free 30-day InsightVM trial.