Twistlock announced the general availability of version 2.1 of its container security product. Highlights of the release include an integrated firewall that understands application-layer traffic, vulnerability detection, secrets management via integration with third-party tools, and compliance alerting and enforcement.

The integrated firewall, called Cloud Native Application Firewall (CNAF), understands application traffic (Layer 7) and protects against common web attack classes such as SQL injection. However, listening ports and traffic content differ from one application to the next, so how does Twistlock support this feature? InfoQ got in touch with John Morello, CTO of Twistlock, to learn more:

We have deep knowledge of a set of common apps like Apache, WordPress, nginx, and others that covers a wide range of behavioral characteristics. However, even for an app we’ve never seen before we provide core security capabilities like protecting against SQLi- and XSS-type attacks and filtering ingress traffic based on a real-time dataset of malicious endpoints.

For "well-known" application stacks, the ports are known beforehand. For others, CNAF can "automatically determine what ports it listens on and dynamically reroute traffic through the Twistlock Defender to protect it", says Morello.

Twistlock was released a few years ago with an integration with Google Container Engine (GKE), followed by a partnership with Amazon Web Services. Both of these cloud providers have their own configurable firewalls, which filter on network-level attributes such as addresses, ports and protocols. Twistlock adds an application-level layer on top of them by inspecting the content of the traffic that flows in and out of the containers themselves. "Nothing we do is tied to any specific cloud provider", says Morello.

Twistlock also offers vulnerability detection. The vulnerability data is pulled directly from over 30 vendors and commercial threat feeds. This information is analyzed and aggregated into the product’s intelligence stream. Since the data is sourced directly from a range of providers, Twistlock can ensure a lower false-positive rate than other tools, according to Morello. There are other vulnerability detection tools such as vuls and Clair. Asked how Twistlock compares to such tools, Morello responded with some points:

Twistlock’s sources for Common Vulnerabilities and Exposures (CVE) data are more robust than what's supported by either vuls or Clair currently. Twistlock generates fewer false positives than either of those tools.

Twistlock’s scanning has native plugins to CI/CD tooling. It does not just look at images in a registry, but can also actively block builds based on CVE findings. Twistlock can also identify and isolate running containers impacted by newly discovered CVEs.

Every CVE detected is given an automatically-generated risk score - based on Twistlock’s view into the environment and applications, so that the right issues can be prioritized. In contrast, Clair/vuls and others simply report detected CVEs.

Twistlock can create control gates throughout the CI/CD process to require baselines for vulnerability and compliance state before images leave development and before they’re run in production. For example, with Twistlock one can define a policy like "prevent deploying any containers into the production environment that have a medium severity or higher Java vulnerability."
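The deployment gate described above, as an added illustration that is not Twistlock's own code: a small policy engine that reads a scan report for an image and decides whether the image may be promoted to a given environment. The report schema, the policy format, the rule keys (`min_severity`, `package_type`, `fix_available`) and the placeholder CVE identifiers are all assumptions made for this example; the product's real report and policy formats are not shown on the page.

```python
"""
Illustrative CI/CD vulnerability gate (added example, not Twistlock's code).

The report layout, policy keys and CVE identifiers below are constructed
for the demonstration and do not reflect any real scanner's schema.
"""
import json
import sys

# Severity ordering used for "medium or higher" style thresholds.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
_MAX_RANK = max(SEVERITY_RANK.values())

# Constructed scan report for one image. CVE ids are placeholders.
SAMPLE_REPORT = {
    "image": "registry.example.com/shop/api:1.4.2",
    "findings": [
        {"cve": "CVE-0000-00001", "severity": "medium", "package_type": "java",
         "package": "commons-collections", "fix_available": True},
        {"cve": "CVE-0000-00002", "severity": "high", "package_type": "os",
         "package": "openssl", "fix_available": False},
        {"cve": "CVE-0000-00003", "severity": "low", "package_type": "java",
         "package": "log4j-api", "fix_available": True},
    ],
}

# Policy: per environment, a list of rules; a finding blocks promotion if it
# matches any rule. The first production rule mirrors the article's example
# ("medium severity or higher Java vulnerability"); the second blocks any
# critical finding regardless of package type.
POLICY = {
    "production": [
        {"min_severity": "medium", "package_type": "java"},
        {"min_severity": "critical"},
    ],
    "staging": [
        {"min_severity": "high", "fix_available": True},
    ],
}


def severity_rank(name):
    # Fail closed: an unrecognised severity label is treated as the worst case
    # rather than silently passing the gate.
    return SEVERITY_RANK.get(str(name).lower(), _MAX_RANK)


def rule_matches(finding, rule):
    if severity_rank(finding["severity"]) < severity_rank(rule["min_severity"]):
        return False
    # Optional attribute filters; a rule without them applies to every finding.
    for key in ("package_type", "fix_available"):
        if key in rule and finding.get(key) != rule[key]:
            return False
    return True


def blocking_findings(report, policy, environment):
    # Fail closed on an environment with no policy instead of allowing it.
    if environment not in policy:
        raise ValueError("no policy defined for environment %r" % environment)
    rules = policy[environment]
    return [f for f in report["findings"]
            if any(rule_matches(f, r) for r in rules)]


def gate(report, policy, environment):
    """Return a decision dict; 'allowed' is False when any finding blocks."""
    blocked = blocking_findings(report, policy, environment)
    return {
        "image": report["image"],
        "environment": environment,
        "allowed": not blocked,
        "blocking": [f["cve"] for f in blocked],
    }


def main(argv):
    environment = argv[1] if len(argv) > 1 else "production"
    result = gate(SAMPLE_REPORT, POLICY, environment)
    print(json.dumps(result, indent=2))
    # Non-zero exit makes a CI step fail, which is what actually stops the build.
    return 0 if result["allowed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python gate.py production` in a pipeline step; the non-zero exit code is what blocks the build. Two design choices matter more than the rule syntax: unknown severities and unknown environments both fail closed, because a gate that passes on missing data is easy to bypass by accident.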

Twistlock’s latest release integrates with secrets management software such as HashiCorp’s Vault and CyberArk Enterprise Password Vault to store passwords, API tokens and other secrets. This is also part of an open-source effort to make Docker Swarm’s secrets management pluggable, to which Twistlock has contributed code.

Other features of this release include compliance alerting via the Jenkins plugin, a "Collections" abstraction for creating reusable regex-based filters that match containers and images across projects and organizational hierarchies, and a revamped dashboard.