A Docker image contains an application and all its dependencies. As it also contains the numerous binaries and libraries of an OS, it’s important to make sure no vulnerabilities exist in its root filesystem, or at least no critical or major ones. Scanning an image within a CI/CD pipeline can ensure this additional level of security.

Many organizations have DevOps on their mind going into 2019. This is a global movement. In fact, Puppet and Splunk received responses for their 2018 State of DevOps Report from organizations on every continent except Antarctica. Those organizations varied in their industry, size and level of DevOps maturity, but they were all interested in learning how they could advance their DevOps evolution going forward.

Who else had as much fun as we did at re:Invent 2018? I hope everyone is now home, rested, and going through everything they’ve learned while at the show – I know I learned a ton! The best part of being at a conference like re:Invent is hearing firsthand from practitioners how they are using technology to solve their business challenges.

If you are embracing DevOps, cloud and containers, you may be at risk if you’re not keeping your security methodologies up to date with these new technologies. New security techniques are required in order to keep up with current technology trends, and the Center for Internet Security (CIS) provides free cybersecurity best practices for many newer platforms.

We are working hard adding features to our new Tripwire for DevOps service, initially announced at BlackHat 2018. If you are a loyal State of Security follower, last you read we added Auditing for Amazon Machine Images (aka AMIs). Today, we are introducing CIS policy compliance auditing for Docker images. Tripwire for DevOps allows you to evaluate your Docker Images to check for policy compliance at build time.

Tripwire for DevOps continues to add new features and capabilities. The newest of these is the ability to perform vulnerability scans against Amazon Machine Images (AMIs) in the same Tripwire for DevOps workflow used for your Docker containers. This blog will discuss the creation of AMIs and how to audit them for vulnerabilities within Tripwire for DevOps.

Although many organizations are shifting security to the left and embracing the integration of security tools into their continuous integration / continuous delivery pipelines, there are others who have different wants and needs.

DevOps is redefining the way organizations handle software development. But it’s also challenging security professionals in their efforts to manage digital risk. With that said, there are security teams need to be strategic about how they approach DevOps security. Here are some expert recommendations on what to do and what to avoid when implementing security in the DevOps lifecycle.