Developers are constantly building new microservices or native cloud applications using containers, which provide increased agility, flexibility, and portability. However, the creation of large numbers of new images brings new potential security risks and creates the need to ensure that these artifacts are sourced from trusted registries and have not been tampered with in any way.
At the same time, supply chain attacks have become a preferred attack vector for attackers. These can take many forms, such as compromising an open-source library (Log4j), modifying a package (SolarWinds), compromising a signing key (Codecov), or gaining access to secrets that expose the supply chain itself (Hell's Keychain). Organizations need to consider the security of the supply chain at every stage of the software development cycle.
For container images, two processes need to be put into place: artifacts must be signed and then verified before deployment. While open-source solutions are available, they must be manually integrated and maintained, which can be very inefficient and time-consuming for capacity-constrained teams.
Wiz is proud to announce the general availability of image integrity validation using the Wiz admission controller, becoming the first CNAPP solution to provide these supply chain security capabilities. Customers can now extend Wiz Guardrails into their software supply chain to ensure that only signed or trusted images can be deployed. This prevents teams from unintentionally deploying container images that malicious actors have modified to carry vulnerabilities or malware, further reducing the cloud attack surface.
These new image integrity features provide customers with:
Image tampering protection: Validate container image signatures and use the Wiz admission controller to block images that were modified after creation (for example, to inject malware), and validate each image's origin to protect the supply chain of your containers.
Enforcement of trusted sources: Centrally define which trusted developers and teams are authorized to deploy container images, so you know and trust your pipelines.
Complete visibility for Kubernetes pipelines: Review all deployment attempts, both passed and failed, in a centralized view of admission controller events across all your Kubernetes clusters, to quickly identify potential threats and usage patterns.
Threat detection automation: Get alerted in real time to unauthorized or abnormal activity in your environments and use the context of the Wiz Security Graph to rapidly contain an unfolding threat.
How does it work?
Customers who have already set up container image signing processes using Cosign or Notary, or who would like to implement them, can now use Wiz to enforce container image verification. With just a few clicks, integrity validators can be defined and associated policies established to block unverified images. This ensures that maliciously modified images (for example, those that incorporate vulnerabilities or malware) or images from invalid sources cannot be deployed in Kubernetes environments.
Additionally, customers can now detect unwanted image deployment attempts with full context of events taking place in their Kubernetes environment. By correlating these failure events coming from the Wiz Admission Controller with other cloud, container, and Kubernetes contexts, it becomes simpler to generate a high-fidelity alert and investigate a potential threat. In seconds, cloud defenders can see which user tried to deploy an unverified image and where, dramatically reducing mean time to detect (MTTD) and mean time to respond (MTTR) on supply chain risks.
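As an added illustration of the two steps above (this is not Wiz's code and not the Wiz policy format, which the page does not show), the decision logic a validating admission webhook applies: every container image in the request must be digest-pinned to a digest that already passed signature verification (for example with Cosign), or come from a trusted registry, and both allow and deny outcomes are recorded together with the requesting user and namespace. The policy sets and the sample AdmissionReview are constructed.

```python
# Added example, not Wiz's code: admission decision for image integrity.
# TRUSTED_REGISTRIES and VERIFIED_DIGESTS are constructed policy values; in
# practice the digest set is populated by a signature verifier such as Cosign.
import json

TRUSTED_REGISTRIES = {"registry.example.internal"}      # assumption
VERIFIED_DIGESTS = {"sha256:" + "a" * 64}               # assumption

def registry_of(image):
    """Registry host of an image reference; Docker Hub when none is given."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def image_allowed(image):
    """True when the image is pinned to a verified digest or from a trusted registry."""
    if "@" in image and image.rsplit("@", 1)[1] in VERIFIED_DIGESTS:
        return True
    return registry_of(image) in TRUSTED_REGISTRIES

def evaluate(review):
    """Return (AdmissionReview response, audit event) for one admission request."""
    req = review["request"]
    obj = req["object"]
    spec = obj["spec"] if obj["kind"] == "Pod" else obj["spec"]["template"]["spec"]
    images = [c["image"] for f in ("initContainers", "containers")
              for c in spec.get(f, [])]
    rejected = [i for i in images if not image_allowed(i)]
    # Record both outcomes so pass and fail attempts can be reviewed centrally.
    event = {"user": req["userInfo"]["username"], "namespace": req["namespace"],
             "kind": obj["kind"], "name": obj["metadata"]["name"], "images": images,
             "rejected": rejected, "result": "deny" if rejected else "allow"}
    message = ("unverified images: " + ", ".join(rejected)) if rejected else "all images verified"
    response = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
                "response": {"uid": req["uid"], "allowed": not rejected,
                             "status": {"message": message}}}
    return response, event

# Constructed AdmissionReview: a Deployment with one verified and one unverified image.
SAMPLE_REVIEW = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "7c3f", "namespace": "payments",
        "userInfo": {"username": "dev@example.com"},
        "object": {"kind": "Deployment", "metadata": {"name": "api"},
            "spec": {"template": {"spec": {"containers": [
                {"name": "api", "image": "registry.example.internal/api@sha256:" + "a" * 64},
                {"name": "sidecar", "image": "docker.io/library/busybox:latest"}]}}}}}}

if __name__ == "__main__":
    resp, ev = evaluate(SAMPLE_REVIEW)
    print(json.dumps(resp, indent=2)); print(json.dumps(ev))
```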
With these new features, Wiz offers complete protection of the container supply chain: from code creation and build via the Wiz CLI, to image storage via scanning of container registries, to deployment via the admission controller, and at runtime via our agentless risk assessment and runtime sensor. This is just the first phase of container image validation by the Wiz admission controller, and more enhancements will be coming soon. You can learn more by visiting our Wiz docs (login required). If you prefer a live demo, we would love to connect with you.