Threat Mapping for Windows Containers

Threat Mapping for Windows Containers
July 23, 2020

In the last few posts, we described how to install the Deepfence community edition i.e., ThreatMapper, and use it for run-time threat mapping for containers and hosts. In this article, we will use ThreatMapper to scan Windows container images hosted on public or private container registries for vulnerabilities. Let’s get started with an introduction to Windows containers.

Windows Containers

Windows containers are of two types — Windows Server Containers and Hyper-V Containers. Hyper-V containers provide great isolation and control which is usually well suited for limited trusted environments such as running containerized applications on shared multi-tenant infrastructure. On the other hand, Windows Server Containers maximize density and performance for a wide variety of development scenarios.

Windows Container types

Windows platforms still host a significant percentage of applications, particularly in the enterprise environments. Thus, a .NET application, when deployed as a container on a Windows platform, can now take complete advantage of the rapid build, deploy and scale models that hitherto existed only in the Linux environments. The .NET application can also package all its required dependencies as a Windows container, so that it can work across all flavors of Windows platforms.

Kubernetes on Windows

Organizations with large-scale deployments of Windows server platforms that host their applications, prefer to use the same platforms when they convert those applications to Windows containers. This will ensure minimum disruption to their operating environments, and a smooth migration of their existing applications as Windows containers.

Kubernetes has steadily emerged as the de-facto container orchestration platform. Thus, it was only a matter of time before Kubernetes introduced support for orchestration of Windows containers, completely supported by Microsoft. Enterprises can now deploy their production-ready applications as Windows containers on Kubernetes 1.14 and later releases.

Container Registries

With the proliferation of Windows containers, almost all container repositories, both private on-premise, and on public cloud environments, can now store Windows container images. Thus, it is now easy to develop a Windows .NET application, build it using CI/CD tools like Jenkins or Github, and save it into any of the Azure, Google, Amazon container repositories, in a completely automated manner. This helps to securely store and distribute these Windows containers to large scale Windows environments.

Securing Windows Container Images

Deepfence is pleased to announce the immediate availability of ThreatMapper, to analyze the vulnerabilities in Windows container images stored in container registries.

While most container registry providers could analyze the stored images for vulnerabilities, they were hitherto limited to Linux images only. ThreatMapper now provides an ability to scan Windows container images for vulnerabilities, for free. Enterprises now have a way to ensure that their images are secure from attacks that may attempt to exploit those vulnerabilities.

In our previous posts, we described the necessary steps to install the Deepfence ThreatMapper and add container registries. We will follow those steps to add a container registry that has Windows container images. Once that is done, we will be able to view a list of Windows container images.

We can now choose some images to start a vulnerability scans in parallel, on those images.

Choose the images to scan

Once we choose the desired images, we are presented with the same set of options that are available for Linux container images in ThreatMapper.

Choose the type of scan

We can start any number of simultaneous scans, and once a scan completes, we can view the results.

Results of the vulnerability scan

ThreatMapper is able to detect recent vulnerabilities for Windows container images. The figure below show a sample vulnerability.

Note that these scans also be done in a completely automated manner using a set of powerful Deepfence API’s.

What’s Next ?

Now that ThreatMapper can scan Windows Containers from registries, stay tuned as we work on making threat mapping available for running Windows containers and hosts, and also secure your CI/CD pipelines.