DevSecOps and Automation on Power


Enhancing container security with Aqua Trivy on IBM Power

By Jenna Murillo posted Mon April 08, 2024 05:20 PM


Co-authored by: @Gerrit Huizenga and @SARA COHEN

Now more than ever, applying best practices for container software security is a task that should not be taken lightly. One key to success is to insert security early in the software development lifecycle to catch vulnerabilities as they arise, rather than at the end of a build, as an afterthought. There are many open source and enterprise software scanners available today, but how do you decide which is best for your company?

To help answer this question, the IBM Power Development team recently conducted a thorough security analysis of a large containerized software product scheduled to GA on IBM Power with Red Hat OpenShift. The analysis specifically focused on the benefits of Aqua Trivy versus other open source and enterprise scanner tools. Keep reading to learn more.

Intro to Aqua Trivy

Aqua Trivy is a leading open source vulnerability and risk scanner for DevOps and security teams. It is reliable, fast, and easy to use: it ships as a single binary and needs no external database server or middleware (its vulnerability database is downloaded on first run and cached locally), so it drops into a CI/CD pipeline with one install step. Trivy serves as the default scanner for GitLab’s Container Scanning functionality, Artifact Hub, and Harbor. It detects vulnerabilities across many operating systems and programming languages, drawing on multiple vulnerability sources. Use it for vulnerability detection, IaC misconfiguration scanning, SBOM generation, cloud scanning, Kubernetes security risks, and more.
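To show what the CI/CD integration looks like in practice, here is an added example (not code from this post or from the Trivy project) that gates a pipeline on the JSON report written by `trivy image --format json --output report.json IMAGE`. Trivy can enforce a simpler form of this gate on its own with `--severity HIGH,CRITICAL --ignore-unfixed --exit-code 1`; the script adds an allowlist with expiry dates so that accepted risk is forced back onto the review queue. The allowlist format is this example's own, not Trivy's .trivyignore, and the embedded report is constructed sample data with placeholder CVE identifiers.

```python
"""CI gate over a Trivy JSON report (added example, not Trivy project code).

Reads the JSON that `trivy image --format json --output report.json IMAGE` writes,
fails on findings at or above a severity threshold that already have a fix, and
honours an allowlist with expiry dates. The allowlist format is this script's own,
not Trivy's .trivyignore; the report below is constructed sample data with
placeholder CVE identifiers.
"""
import json
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape Trivy emits (SchemaVersion 2): one Result per
# target; a clean target carries no "Vulnerabilities" key at all.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.com/app:1.2.3",
    "ArtifactType": "container_image",
    "Results": [
        {"Target": "registry.example.com/app:1.2.3 (redhat 8.9)", "Class": "os-pkgs", "Type": "redhat",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-9999-0001", "PkgName": "openssl-libs", "Severity": "HIGH",
              "InstalledVersion": "1:1.1.1k-9.el8", "FixedVersion": "1:1.1.1k-12.el8", "Status": "fixed"},
             {"VulnerabilityID": "CVE-9999-0002", "PkgName": "glibc", "Severity": "CRITICAL",
              "InstalledVersion": "2.28-236.el8", "FixedVersion": "", "Status": "affected"}]},
        {"Target": "usr/lib/app/go.mod", "Class": "lang-pkgs", "Type": "gomod",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-9999-0003", "PkgName": "golang.org/x/net", "Severity": "HIGH",
              "InstalledVersion": "0.17.0", "FixedVersion": "0.23.0", "Status": "fixed"},
             {"VulnerabilityID": "CVE-9999-0004", "PkgName": "gopkg.in/yaml.v2", "Severity": "LOW",
              "InstalledVersion": "2.2.8", "FixedVersion": "2.4.0", "Status": "fixed"}]},
        {"Target": "usr/lib/app/package.json", "Class": "lang-pkgs", "Type": "npm"},
    ],
})

# Hypothetical allowlist (this script's format): CVE -> (justification, expiry date).
# An expired entry stops suppressing, so accepted risk has to be re-reviewed.
ALLOWLIST = {"CVE-9999-0003": ("fix lands with the Go 1.22 rebase in sprint 42", date(2099, 1, 1))}


def flatten(report_json):
    """Flatten Trivy's per-target Results into one list of finding dicts."""
    out = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append({"target": result["Target"], "id": v["VulnerabilityID"], "pkg": v["PkgName"],
                        "installed": v.get("InstalledVersion", ""), "fixed": v.get("FixedVersion", ""),
                        "severity": v.get("Severity", "UNKNOWN").upper()})
    return out


def gate(report_json, min_severity="HIGH", ignore_unfixed=True, allowlist=None, today=None):
    """Return (blocking, suppressed, severity_counts) for the report.

    blocking: findings >= min_severity with a fix (or any, if ignore_unfixed is False)
              that are not covered by an unexpired allowlist entry.
    """
    allowlist = ALLOWLIST if allowlist is None else allowlist
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    threshold = SEVERITY_RANK[min_severity.upper()]
    counts = {s: 0 for s in SEVERITY_RANK}
    blocking, suppressed = [], []
    for f in flatten(report_json):
        counts[f["severity"]] += 1
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue
        if ignore_unfixed and not f["fixed"]:
            continue  # nothing to upgrade to yet: counted, but the build is not failed on it
        entry = allowlist.get(f["id"])
        if entry is not None and today <= entry[1]:
            suppressed.append(f)
            continue
        blocking.append(f)
    return blocking, suppressed, counts


def main():
    blocking, suppressed, counts = gate(SAMPLE_REPORT)
    print("findings by severity:", {s: n for s, n in counts.items() if n})
    for f in suppressed:
        reason, until = ALLOWLIST[f["id"]]
        print(f"ALLOW {f['id']} {f['pkg']} until {until}: {reason}")
    for f in blocking:
        print(f"BLOCK {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']} in {f['target']}")
    return 1 if blocking else 0  # a non-zero exit status fails the CI job


if __name__ == "__main__":
    raise SystemExit(main())
```

On the sample report the gate blocks on the fixed HIGH in openssl-libs, records the unfixed CRITICAL in glibc without failing the job, and suppresses the golang.org/x/net finding until its allowlist entry expires; the LOW finding sits below the threshold. Pass `ignore_unfixed=False` when the policy is to fail on anything severe regardless of fix availability.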

Unique to Trivy is its ability to conduct both source code and container scanning, a feature not common in other products. It pulls SBOMs, licenses, and CVEs from source code, offering comprehensive security coverage. The following table, reproduced from Trivy's documentation, lists the advisory sources Trivy uses for each supported language.

Language   Source                                      Commercial use   Delay (1)
PHP        PHP Security Advisories Database            Yes              -
           GitHub Advisory Database (Composer)         Yes              -
Python     GitHub Advisory Database (pip)              Yes              -
           Open Source Vulnerabilities (PyPI)          Yes              -
Ruby       Ruby Advisory Database                      Yes              -
           GitHub Advisory Database (RubyGems)         Yes              -
Node.js    Ecosystem Security Working Group            Yes              -
           GitHub Advisory Database (npm)              Yes              -
Java       GitLab Advisories Community                 Yes              1 month
           GitHub Advisory Database (Maven)            Yes              -
Go         GitHub Advisory Database (Go)               Yes              -
Rust       Open Source Vulnerabilities (crates.io)     Yes              -
.NET       GitHub Advisory Database (NuGet)            Yes              -
C/C++      GitLab Advisories Community                 Yes              1 month
Dart       GitHub Advisory Database (Pub)              Yes              -
Elixir     GitHub Advisory Database (Erlang)           Yes              -
Swift      GitHub Advisory Database (Swift)            Yes              -

(1) Intentional delay between vulnerability disclosure and registration in the DB.

Source: https://github.com/aquasecurity/trivy/blob/26b4959541b8fb10adb5f454ad930c6e2b68a0a8/docs/docs/scanner/vulnerability.md#data-sources-1

The Aqua Platform is Red Hat certified, offering a robust commercial product to improve security for Red Hat OpenShift cloud-native applications running on IBM Power. For enterprises leveraging OpenShift on IBM Power, Aqua's open source portfolio, including kube-bench, kube-hunter, Starboard (since succeeded by Trivy Operator), and Trivy, can help DevOps teams establish consistent Kubernetes-native security toolkits.

Industry standards and cybersecurity imperatives

The digital landscape is constantly evolving, and with it, so are the threats companies face. From sophisticated cyberattacks to vulnerabilities in software supply chains, companies are under increasing pressure to prioritize cybersecurity. This push for enhanced security isn't solely driven by market forces; recent government initiatives underscore the critical nature of robust cybersecurity measures.

On May 12, 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity, aimed at further protecting federal government networks. This order compelled agencies to adopt zero-trust cybersecurity principles and adjust their network architectures accordingly. Zero trust is a security model that treats every network, device, and request as untrusted until it is verified, regardless of where it originates.

On September 12, 2023, the Biden-Harris administration secured voluntary commitments from eight additional artificial intelligence (AI) companies, including IBM, to drive the safe, secure, and trustworthy development of AI technology. These commitments were an immediate step and an important bridge to government action.

On October 30, 2023, President Biden signed the landmark Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. This order ensures that America leads the way in seizing the promise and managing the risks of AI by providing a legal and regulatory framework for the largely unregulated world of AI. The wide-reaching order signals a shift in how federal agencies will operate in the future, directing them to promulgate rules, form task forces, and provide guidance on the risks of AI to national security, biological research, data privacy, civil rights, consumer protections, and the ability of workers to bargain collectively.

Secure by design: IBM's approach to secure software development

IBM recognizes the importance of embedding security early in the software development lifecycle. This secure by design, proactive approach enables teams to identify and address vulnerabilities swiftly, mitigating potential risks throughout the build process. By adopting a security-first mindset, IBM has seen a notable reduction in maintenance overhead, which helps teams meet delivery deadlines without compromising security.

Contrary to conventional practices where security is often an afterthought, integrated into later stages of development, IBM advocates for a paradigm shift. Conducting security scans at the end of the build cycle poses significant challenges, often requiring extensive rearchitecting to troubleshoot vulnerabilities. It's imperative to transition towards a model where cybersecurity is ingrained into the fabric of technology products from their inception.

Embracing Secure by Design and Agile development practices, IBM champions the integration of product security as a fundamental prerequisite. By introducing rigorous security checks during the early development phases, companies are ensured a high standard of software security while minimizing the effort required for maintenance. This proactive stance strengthens resilience against emerging threats and encourages a security-conscious culture throughout the organization.

Procedure for container security analysis

Adhering to the highest standards of software security, the IBM Power Development team routinely runs multiple scanners on IBM Power with Red Hat OpenShift to scan containerized software for vulnerabilities. They follow a set of widely accepted security design principles to improve the security of the networks and technologies running on IBM infrastructure. Using the industry best practices recorded in the OWASP Top 10 API Security Risks as a reference, the team evaluates the threats and risks to the product during threat modeling and aligns its defenses accordingly.

With these prerequisites in place, the team conducted a thorough analysis by comparing the output of several scanners, including Trivy, on both Intel (x86_64) and Power (ppc64le) infrastructure. Evaluating the scanners on both platforms meant scanning hundreds of containers and scrutinizing millions of lines of source code, a level of meticulousness necessary for a fair comparison.

The security analysis generated a software bill of materials (SBOM), a component list with a complete license inventory, and a spreadsheet of potential common vulnerabilities and exposures (CVEs) in the software. Producing SBOMs and CVE findings was necessary to meet the software supply chain requirements of the May 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028).

Furthermore, comparing the output of open source and enterprise scanners allowed the team to cross-check findings and validate the security of the software product under analysis.

Results and validation of Aqua Trivy

The team generated CVE scans with Trivy and another open source scanner (herein referred to as Open Source Scanner A) on IBM Power across various scenarios. Comparing the outputs showed that Trivy consistently identified more CVEs than Open Source Scanner A in every scenario. A higher count alone does not prove better coverage, since it can include false positives, which is why the team also validated the findings against enterprise scanners and Red Hat's own advisory data. Trivy's performance remained consistent and dependable across scenarios, whereas Open Source Scanner A varied, doing well in specific cases but averaging lower overall.

Red Hat Security Advisories (RHSA) document vulnerabilities fixed in Red Hat products and are the authoritative source for remediation of RHEL and UBI-based images. Scanners that use RHSA and Red Hat's OVAL security data match on Red Hat's patched package versions, whereas a scanner that matches only upstream version ranges from NVD can report vulnerabilities that Red Hat has already fixed with a backported patch, so the two approaches do not always agree. To validate the findings further, the team compared Trivy and Open Source Scanner A's output on Power against the output of Aqua Enterprise (sometimes referred to as Aquasec) and another enterprise scanner (herein referred to as Enterprise Scanner A) on Intel. Parity was observed across the scenarios, with only minor differences, if any.

Moreover, the team leveraged several scenarios to generate SBOMs, conducting scans with Trivy and Open Source Scanner A on both IBM Power and Intel. The consistency of Trivy and Open Source Scanner A's output across platforms underscores their reliability and effectiveness.
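The comparison the team describes, both between scanners and between Power and Intel, reduces to set differences over normalized keys. The following is an added example (not code from this post or from the Trivy project) that diffs two Trivy JSON reports by (CVE, package) and two CycloneDX SBOMs (the format `trivy image --format cyclonedx` produces) by package URL, stripping the `arch` qualifier so that the ppc64le and x86_64 builds of the same RPM compare equal. It then attributes each one-sided finding either to a package that exists on only one architecture or to a gap that warrants a closer look at the scanner or its database. The reports, SBOMs, package versions, and CVE identifiers are constructed sample data; a report from a different scanner would first have to be mapped into the same shape, which the example does not show.

```python
"""Cross-scanner and cross-platform diff of Trivy output (added example, not
code from the blog post or the Trivy project).

Vulnerability reports are compared by (CVE, package); SBOMs are compared by
package URL with the `arch` qualifier stripped, so the ppc64le and x86_64 builds
of one RPM compare equal. One-sided findings are then attributed either to a
package that only exists on one architecture or to a scanner/database gap that
needs a closer look. All reports and SBOMs below are constructed sample data
with placeholder CVE identifiers and versions.
"""
import json


def _report(artifact, os_vulns, lang_vulns):
    """Constructed Trivy-shaped JSON report: one os-pkgs and one lang-pkgs Result."""
    def result(target, cls, typ, vulns):
        return {"Target": target, "Class": cls, "Type": typ,
                "Vulnerabilities": [{"VulnerabilityID": c, "PkgName": p, "Severity": s} for c, p, s in vulns]}
    return json.dumps({"SchemaVersion": 2, "ArtifactName": artifact, "ArtifactType": "container_image",
                       "Results": [result(f"{artifact} (redhat 8.9)", "os-pkgs", "redhat", os_vulns),
                                   result("usr/lib/app/go.mod", "lang-pkgs", "gomod", lang_vulns)]})


def _sbom(arch, rpms, others):
    """Constructed minimal CycloneDX 1.5 JSON SBOM with RPM purls for one architecture."""
    comps = [{"type": "library", "name": n, "version": v,
              "purl": f"pkg:rpm/redhat/{n}@{v}?arch={arch}&distro=redhat-8.9"} for n, v in rpms]
    comps += [{"type": "library", "name": n, "version": v, "purl": purl} for n, v, purl in others]
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": comps})


COMMON_RPMS = [("openssl-libs", "1.1.1k-9.el8"), ("glibc", "2.28-236.el8")]
GO_NET = ("golang.org/x/net", "v0.17.0", "pkg:golang/golang.org/x/net@v0.17.0")
SHARED_OS = [("CVE-9999-0101", "openssl-libs", "HIGH"), ("CVE-9999-0102", "glibc", "MEDIUM")]
SHARED_LANG = [("CVE-9999-0103", "golang.org/x/net", "HIGH")]

# Same image built for both architectures; powerpc-utils and microcode_ctl are arch-specific RPMs,
# and the extra glibc finding on x86_64 stands in for a database discrepancy between two scans.
POWER_REPORT = _report("app:1.2.3-ppc64le", SHARED_OS + [("CVE-9999-0105", "powerpc-utils", "LOW")], SHARED_LANG)
INTEL_REPORT = _report("app:1.2.3-x86_64",
                       SHARED_OS + [("CVE-9999-0104", "microcode_ctl", "MEDIUM"), ("CVE-9999-0106", "glibc", "LOW")],
                       SHARED_LANG)
POWER_SBOM = _sbom("ppc64le", COMMON_RPMS + [("powerpc-utils", "1.3.10-4.el8")], [GO_NET])
INTEL_SBOM = _sbom("x86_64", COMMON_RPMS + [("microcode_ctl", "20230808-2.el8")], [GO_NET])


def normalize_purl(purl, strip_arch=True):
    """Drop the arch qualifier (pkg:rpm/...?arch=ppc64le) so cross-platform builds compare equal."""
    base, _, query = purl.partition("?")
    if not strip_arch or not query:
        return purl
    quals = [q for q in query.split("&") if not q.startswith("arch=")]
    return base + ("?" + "&".join(quals) if quals else "")


def vuln_keys(report_json):
    """Set of (CVE, package) pairs in a Trivy JSON report, across all targets."""
    return {(v["VulnerabilityID"], v["PkgName"])
            for r in json.loads(report_json).get("Results", [])
            for v in r.get("Vulnerabilities") or []}


def sbom_index(sbom_json, strip_arch=True):
    """Map normalized purl -> component name for a CycloneDX JSON SBOM."""
    return {normalize_purl(c["purl"], strip_arch): c["name"]
            for c in json.loads(sbom_json).get("components", []) if c.get("purl")}


def diff_sets(a, b):
    """Sorted one-sided members plus the size of the intersection."""
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a), "common": len(a & b)}


def explain_vuln_diff(a_report, b_report, a_sbom, b_sbom):
    """Attribute each one-sided (CVE, package) to a missing package or a scanner/DB gap."""
    d = diff_sets(vuln_keys(a_report), vuln_keys(b_report))
    a_pkgs, b_pkgs = set(sbom_index(a_sbom).values()), set(sbom_index(b_sbom).values())
    verdicts = {}
    for cve, pkg in d["only_in_a"]:
        verdicts[(cve, pkg)] = "package absent on B" if pkg not in b_pkgs else "scanner/DB gap on B"
    for cve, pkg in d["only_in_b"]:
        verdicts[(cve, pkg)] = "package absent on A" if pkg not in a_pkgs else "scanner/DB gap on A"
    return verdicts


def main():
    sboms = diff_sets(set(sbom_index(POWER_SBOM)), set(sbom_index(INTEL_SBOM)))
    raw = diff_sets(set(sbom_index(POWER_SBOM, strip_arch=False)), set(sbom_index(INTEL_SBOM, strip_arch=False)))
    print(f"SBOM components in common: {sboms['common']} (arch stripped) vs {raw['common']} (raw purls)")
    for (cve, pkg), verdict in explain_vuln_diff(POWER_REPORT, INTEL_REPORT, POWER_SBOM, INTEL_SBOM).items():
        print(f"{cve} in {pkg}: {verdict}")


if __name__ == "__main__":
    main()
```

Without the `arch` normalization, every RPM in the two SBOMs looks different and only the Go module matches, which would make a Power-versus-Intel comparison meaningless; with it, the only SBOM differences left are the genuinely arch-specific packages. The same split applies to the vulnerability diff: a finding on a package the other platform does not ship is expected, while a finding on a package both platforms ship (the glibc case in the sample) points at the scanner or its database, which is the kind of discrepancy the team resolved by checking against the enterprise scanners and RHSA data.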

Overall, these findings gave the team confidence in the vulnerability posture of the containerized software product and affirm Trivy's suitability for container scanning. As a result, Trivy is a fitting component in any IBM Power client’s DevSecOps pipeline, meeting container security requirements with results that held up against the enterprise scanners.

Aqua Trivy versus Aqua Enterprise: Choose the right solution

For clients just beginning their container security journey, leveraging Trivy early in the process provides invaluable support. For clients already progressing down the path of container security, Trivy serves as an excellent tool to preview the capabilities offered by the enterprise version.

Aqua has created a checklist that compares vulnerability scanning with Aqua Trivy and Aqua Enterprise, to help customers choose the best option. While Trivy focuses primarily on vulnerability scanning, Aqua Enterprise offers a holistic cloud-native security solution. In addition to vulnerability scanning, Aqua Enterprise offers enterprise-grade features like reduced management overhead for complex environments, extensive security coverage, tailored support for enterprise requirements, continuous protection into runtime, and more.

Ultimately, the choice between Trivy and Aqua Enterprise depends on a customer’s specific requirements and the desired level of security sophistication. If they only need licenses, SBOMs, and CVEs, Trivy can provide them. If they require expanded capabilities or are looking for a commercial version, Aqua Enterprise can meet those needs.

Conclusion

In conclusion, after conducting a thorough security analysis of a large, containerized software product on IBM Power with Red Hat OpenShift, the IBM Power development team found that Trivy detected at least as many vulnerabilities as the other open source scanner tested and produced results on par with the enterprise scanners. Not only does Trivy prove suitable for container security in IBM Power clients' DevSecOps pipelines, but the scanning process is simple. IBM Power's support for Aqua Trivy underscores its industry recognition as an effective open source scanner.

Trivy is open source: releases are published on GitHub and container images on Docker Hub, with additional paid support options available through IBM and Aqua Security partners. Organizations interested in deploying Aqua Trivy on Power can reach out to a representative at bd@aquasec.com for further assistance.

To learn more about Aqua Trivy on IBM Power, check out the following resources:
