CEO and Co-founder of container security firm Twistlock, Ben Bernstein, spoke exclusively with DevOps Online Journalist, Leah Alger, about major developments in the container security field, his testing experiences, and how he mastered the kernel, a computer programme that is the core of a computer’s operating system.
With over 16 years of experience, Ben has worked across enterprise security and operating systems, including on several products at Microsoft: Windows 2008, Windows 2012 and multiple “Forefront” products, the old Microsoft enterprise security brand. Bernstein said: “I was in my third semester at Technion (the Israel Institute of Technology) when I was recruited into the kernel team for a security product Microsoft was developing that was called ‘ISA Server’. I had no kernel experience, and until today, I have no clue how I passed the tests to get there. Back in 2001, it was quite difficult to get into the Microsoft cult.”
“The first time I checked in code and tested it internally, it made our product crash, with the entire site’s internet access going down as a result. But I learnt quickly, and a few years later became a decent member of the kernel team,” he added.
Understanding operating systems
According to Bernstein, programming in the kernel makes you understand operating systems very well; it also helped that in his spare time he explored how malware interacts with the kernel, which taught him more and put him in touch with like-minded people from the cyber security ecosystem. “My co-founder Dima Stopel and I were enterprise security nerds who realised that although developers loved containers, IT security experts would not feel comfortable with them if they didn’t support some of the standard controls and checks that enterprise software requires. So we thought, let’s start digging into that, and see what happens,” revealed Bernstein.
Together, they noticed three big blind spots in the container space:
- Maintaining hygiene of delivery of software to the cloud (for example, whether container images are vulnerable)
- Supporting compliance for both delivery and execution of software in the cloud (for example, running containers for customers who work with or store credit card data in accordance with the Payment Card Industry Data Security Standard (PCI-DSS))
- Active threat protection (for example, does the admin get any indication when his containerised applications are being hacked)
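The three blind spots above correspond to three concrete checks: scanning an image's packages against vulnerability data, gating deployment on a compliance-style severity policy, and alerting when a running container behaves outside its known baseline. The Python below is an added example, not Twistlock's code or anything described on the page; the image inventories, the vulnerability feed (placeholder identifiers, not real advisories), the policy thresholds and the runtime events are all constructed for the demo, and the version comparison is a simplified stand-in for the ecosystem-specific rules a real scanner applies.

```python
"""Container hygiene, policy gate and runtime baseline check (added example, constructed data)."""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Vuln:
    vuln_id: str   # placeholder identifier, not a real advisory
    package: str
    fixed_in: str  # first version that carries the fix
    severity: str


# Constructed vulnerability feed (hypothetical entries).
FEED = [
    Vuln("VULN-EXAMPLE-0001", "openssl", "1.1.1k", "critical"),
    Vuln("VULN-EXAMPLE-0002", "curl", "7.80.0", "high"),
    Vuln("VULN-EXAMPLE-0003", "zlib", "1.2.12", "medium"),
]

# Constructed package inventories, as an image scanner or SBOM tool would report them.
IMAGE_INVENTORY = {
    "registry.example/payments-api:1.4.2": {"openssl": "1.1.1g", "curl": "7.81.0", "zlib": "1.2.11"},
    "registry.example/web-frontend:3.0.0": {"openssl": "1.1.1k", "curl": "7.79.0"},
}

# Constructed policy profiles: the lowest severity that blocks deployment under each profile.
# The "cardholder-zone" threshold is an assumed example for PCI-scoped workloads, not a PCI rule.
POLICIES = {
    "baseline": "critical",
    "cardholder-zone": "high",
}


def version_key(version):
    """Sortable key for versions like '1.1.1k': numeric runs compare as integers,
    alphabetic runs compare lexically and sort after a missing suffix.
    Simplified on purpose; real scanners use per-ecosystem comparison rules."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p), "") if p.isdigit() else (1, 0, p.lower()) for p in parts)


def find_vulnerabilities(packages, feed=FEED):
    """Blind spot 1 (hygiene): report every feed entry whose package is installed
    at a version older than the fixed version."""
    findings = []
    for vuln in feed:
        installed = packages.get(vuln.package)
        if installed is not None and version_key(installed) < version_key(vuln.fixed_in):
            findings.append({"vuln_id": vuln.vuln_id, "package": vuln.package,
                             "installed": installed, "fixed_in": vuln.fixed_in,
                             "severity": vuln.severity})
    return findings


def evaluate_image(image, policy, inventory=IMAGE_INVENTORY, feed=FEED):
    """Blind spot 2 (compliance): admit the image only if no finding reaches
    the policy's blocking severity."""
    threshold = SEVERITY_RANK[POLICIES[policy]]
    findings = find_vulnerabilities(inventory[image], feed)
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    return {"image": image, "policy": policy, "admit": not blocking,
            "findings": findings, "blocking": blocking}


# Constructed per-image process baseline and a constructed stream of exec events.
PROCESS_BASELINE = {"registry.example/payments-api:1.4.2": {"python3", "gunicorn"}}
RUNTIME_EVENTS = [
    {"image": "registry.example/payments-api:1.4.2", "container": "payments-api-7f9c", "exec": "gunicorn"},
    {"image": "registry.example/payments-api:1.4.2", "container": "payments-api-7f9c", "exec": "sh"},
    {"image": "registry.example/payments-api:1.4.2", "container": "payments-api-7f9c", "exec": "nc"},
]


def runtime_alerts(events, baseline=PROCESS_BASELINE):
    """Blind spot 3 (active threat protection): raise an alert for any process
    started in a container that is not part of that image's learned baseline."""
    alerts = []
    for event in events:
        allowed = baseline.get(event["image"], set())
        if event["exec"] not in allowed:
            alerts.append({"container": event["container"], "process": event["exec"],
                           "reason": "process not in image baseline"})
    return alerts


if __name__ == "__main__":
    for image in IMAGE_INVENTORY:
        for policy in POLICIES:
            result = evaluate_image(image, policy)
            print(f"{image} [{policy}] admit={result['admit']} "
                  f"blocking={[f['package'] for f in result['blocking']]}")
    for alert in runtime_alerts(RUNTIME_EVENTS):
        print("ALERT", alert)
```

Run as a script it prints the admission decision for each image under each profile and the two runtime alerts. The same image can pass one profile and fail another, which is the point of keeping the vulnerability findings (what is in the image) separate from the policy (what a given environment tolerates); the runtime check is independent of both, since a clean image can still be misused once it is running.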
“We realised that as more enterprises started using containers for mission-critical applications, this gap would become more pronounced. With the ever growing pain-point in mind, we set out to make containers more secure so that developers could focus on what they do best without worrying about security,” noted Bernstein.
He now has the first end-to-end solution for the container security field, which was launched and released in May 2015. “While we were the only cloud native ‘pure play’ company at the time, other folks like International Business Machines Corporation (IBM), Red Hat and others were working with Docker on platform security too; they just weren’t ‘pure play’. Venture capital firms (VCs) used to ask: ‘How come you are the only company in this space?’ quite a bit back then,” he added.
Twistlock has contributed many security capabilities to Docker and OpenShift in the open source community, as well as to the Center for Internet Security’s Kubernetes Benchmark guide. Bernstein said: “Twistlock has been actively contributing to the body of knowledge around best practices for container security. The company is developing a companion guide for the National Institute of Standards and Technology (NIST) Special Publication on Container Security Best Practices (SP 800-190), and has similar companion guides for the Payment Card Industry (PCI) and the Health Insurance Portability and Accountability Act (HIPAA), both of which support technical and compliance teams who work with containers.”
‘DevOps presents several opportunities’
From Bernstein’s perspective, DevOps presents several opportunities, as well as challenges. “The benefits of DevOps include shorter cycle times, faster testing times, more automation and ideally, better code. Done right, it can catch security flaws earlier in the delivery cycle and enable organisations to respond faster to incidents,” said Bernstein.
According to Bernstein, DevOps can leave some leaders nervous about quality and consistent security measures. While DevOps teams want to rapidly develop and deploy software, cyber security personnel strive to mitigate and manage risk by thoroughly checking for any potential breachable point in the software.
He concluded that Twistlock has leapt to the leadership of container security by delivering rapid innovation and customer growth and is spearheading new ways to secure applications, which address persistent flaws in old security solutions that have haunted customers for years.
Written by Leah Alger