
Twistlock

This one is going to be a very quick one… So… First off, I’d like to start by saying that personally, I love Twistlock. It’s such a powerful tool; honestly, I find it fascinating how powerful it is. As an application developer, I use it to scan the OS that the application will be running on in my team’s AKS cluster &, of course, the dependencies that the application utilises.

As an example of just how powerful it is, it initially noticed ~210 vulnerabilities in one of our containerised applications; within 3 hours I was able to reduce that down to a mere 32. Some of these vulnerabilities involved technologies that, in our use case, are somewhat irrelevant, but of course, working in a financial institution, the more security the better. For me personally, it’s been an immense tool in teaching me more about layers of our architecture that I wouldn’t normally think about, such as ensuring that the OS layer is as secure & stable as possible, even if that means updating or removing dependencies that we wouldn’t normally use. A prime example is Python: my team currently focuses on Java & in our applications we have nothing to do with Python. However, to reduce the number of vulnerabilities in our images, why not simply update or remove such dependencies?

One feature that I love about Twistlock is that we’re able to integrate it into our build pipeline, so even without continuous monitoring of the Twistlock dashboard, if a high-severity vulnerability is discovered, the build will fail, which also ensures that we’d never release/deploy insecure code into our cloud ecosystem. Twistlock is really teaching me to analyse everything possible, even things as detailed as the dependencies that our application servers use. It’s really forcing me to consider whether or not our application server even needs these dependencies &, if so, whether they could be replaced with a newer version.

I’m still far from being a security specialist, very far from it, but it’s most certainly something that I think about more often. However, I have reached scenarios where I’m a little stuck, such as Twistlock finding known vulnerabilities where there’s no known fix, or where something is so low level that changing it could cause breaking changes, etc.
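To show what the pipeline gate described above actually decides, and how the “no known fix” stalemate can be handled without silently skipping findings, here is an added example of a severity gate; it is not Twistlock’s code or output format. The report shape (`vulnerabilities`, `id`, `severity`, `package`, `fixVersion`), the waiver records, the vulnerability ids and the `AS_OF` date are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Severity ordering assumed for the gate; real scanners name their levels differently.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    vuln_id: str         # placeholder identifier such as "CVE-XXXX-0001" (constructed)
    severity: str        # one of SEVERITY_RANK's keys
    package: str         # affected OS package or library
    fix_available: bool  # whether the scanner reported a patched version


@dataclass(frozen=True)
class Waiver:
    vuln_id: str
    reason: str          # written justification, reviewed when the waiver expires
    expires: date        # a waiver is a deferral with a deadline, not a permanent mute


def parse_report(report: dict) -> list[Finding]:
    """Convert a scan report (hypothetical JSON shape) into Finding objects."""
    return [
        Finding(v["id"], v["severity"].lower(), v["package"], bool(v.get("fixVersion")))
        for v in report.get("vulnerabilities", [])
    ]


def gate(findings, waivers, threshold="high", today=None) -> list[Finding]:
    """Return the findings that block the build.

    A finding blocks when its severity is at or above `threshold` unless an
    unexpired waiver covers it. Findings with no available fix are NOT skipped
    automatically: without a waiver they still fail the build, which forces the
    team to record a decision (remove the package, accept the risk until a date,
    or rebuild on a different base image) instead of losing track of them.
    """
    today = today or date.today()
    active = {w.vuln_id for w in waivers if w.expires >= today}
    floor = SEVERITY_RANK[threshold]
    return [
        f for f in findings
        if SEVERITY_RANK.get(f.severity, 0) >= floor and f.vuln_id not in active
    ]


def should_fail_build(report, waivers, threshold="high", today=None) -> bool:
    return bool(gate(parse_report(report), waivers, threshold, today))


# Constructed sample report; ids are placeholders, not real advisories.
SAMPLE_REPORT = {
    "vulnerabilities": [
        {"id": "CVE-XXXX-0001", "severity": "critical", "package": "libexample", "fixVersion": "1.2.4"},
        {"id": "CVE-XXXX-0002", "severity": "high", "package": "python3", "fixVersion": None},
        {"id": "CVE-XXXX-0003", "severity": "medium", "package": "curl", "fixVersion": "7.88.1"},
        {"id": "CVE-XXXX-0004", "severity": "high", "package": "openssl", "fixVersion": None},
    ]
}

# Constructed waivers: one current (Python is unused by the Java service and is
# being removed from the base image), one long expired and therefore ignored.
SAMPLE_WAIVERS = [
    Waiver("CVE-XXXX-0002", "No upstream fix; package unused at runtime, removed in next base image", date(2099, 1, 1)),
    Waiver("CVE-XXXX-0004", "Old deferral; must be re-reviewed", date(2000, 1, 1)),
]

# Constructed "current date" so the sample evaluation is reproducible.
AS_OF = date(2024, 1, 1)

if __name__ == "__main__":
    blocking = gate(parse_report(SAMPLE_REPORT), SAMPLE_WAIVERS, today=AS_OF)
    for f in blocking:
        print(f"BLOCKING {f.vuln_id} {f.severity} in {f.package} (fix available: {f.fix_available})")
    # Non-zero exit is what makes the CI step, and therefore the build, fail.
    raise SystemExit(1 if blocking else 0)
```

Run stand-alone, the sample fails the build on two findings: the fixable critical one (just update the package) and the high one whose waiver has expired (re-review it, don’t keep shipping on a forgotten decision). The medium finding is below the threshold and the waived high finding is deferred until its expiry date.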
