UPDATED 08:00 EDT / APRIL 14 2020

SECURITY

With new vulnerability management tools, NeuVector aims to strengthen container security

NeuVector Inc. today is adding new vulnerability management and protection features to its container security platform, making it easier for DevOps and security teams to investigate, prioritize and then mitigate any potential vulnerabilities in production environments.

NeuVector, which debuted in 2018, sells a security platform for companies that use the open-source Kubernetes software to manage their container deployments.

Kubernetes is a container orchestrator that has become the de facto tool for managing such deployments. The containers themselves are a way to package software applications so they can run inside any information technology environment and on any hardware.

The company’s platform uses three tricks to secure containers. First, it comes with a firewall that can detect abnormal connections within the network. Second, it provides runtime vulnerability scanning to spot threats as they appear. Third, it comes with threat protection capabilities that can shut down any compromised software container as soon as it’s spotted.

Today’s updates include a new Vulnerability and Compliance Explorer that lets teams assess the state of their container security, prioritize which images, hosts or containers need attention, and then mitigate any issues that might lead to security or compliance risks, the company said.

One of the most useful capabilities of the Vulnerability and Compliance Explorer is its “virtual patching” response mechanism. DevOps teams can virtually patch any container vulnerabilities they discover without needing to create a proper fix in the actual code. The virtual patch works by whitelisting authorized container behavior such as network connections, processes and file activity.

Should the container attempt to do anything that isn’t authorized, this behavior is automatically detected, flagged with an alert and then blocked, mitigating any potential security breaches. That enables DevOps teams to avoid shutting down any potentially compromised containers that are currently running in production workloads.

“Once a workload or host is put into a Monitor or Protect mode, all vulnerabilities become virtually patched,” said NeuVector Chief Technology Officer Gary Duan. “Any attempted exploit will create an unauthorized network connection, process, or file access, but those exploit attempts will now be detected and alerted in Monitor mode, and blocked in Protect mode. The virtual patching capability in NeuVector gives DevOps teams more time and breathing room to patch critical vulnerabilities.”

Another interesting new capability in NeuVector’s platform is its high-performance scanning tool for images in large registries. It means DevOps teams can quickly scan large registries containing thousands of images.

Finally, NeuVector said it’s adding new host protection capabilities to its platform. Now, just as NeuVector automatically baselines and whitelists container processes to detect suspicious activity, the container hosts’ processes are also baselined, and can be put into an alert-or-block mode if anything suspicious shows up.

Image: typographyimages/Pixabay
