Qualys Container Security (CS), an integral part of TotalCloud 2.0, provides a comprehensive view of the security posture of containerized applications.
Operationalizing a new technology tool in an enterprise often presents its own challenges. This blog seeks to help the operations team familiarize themselves with a few important processes and configure key parameters early in the rollout. Please note this is not a definitive guide; instead, it highlights a few points to consider. Here are some of the best practices to follow when using Qualys Container Security.
It's always recommended that the Qualys CS sensor be updated to the newer version to take advantage of new features, bug fixes and to remediate sensor vulnerabilities. When a newer sensor version is available than the one deployed, you’ll see “Update Available” next to the sensor name.
It's always advised to use the latest Qualys CS sensor and review the release notes for every update.
For a medium to large size deployment, Qualys recommends using Qualys qcs-sensor Helm Chart for deployment. A few organizations even use Helm Charts and GitOps together for an efficient roll-out and upgrade process.
Qualys will retain the Qualys CS data for months by default, which can be useful for Container Security Forensics. Sometimes, this can cause information overload or infobesity for the operations team. There are data retention settings that can be enforced based on requirements. This feature can be used to delete the data and records of Sensors, Images, and running containers based on state.
The purge rule of these records can be from 1 Day to 1 Year. The advice is to gradually reduce retention to avoid infobesity and be comfortable with the approach. Example: Start with 6 months and gradually change it to 1 Month, 1 Week, or even 1 Day.
Qualys CS Sensor runs in an always ON mode to help continuous risk mitigations. There is no option to manually trigger any scan job. A new asset scan is launched when any of the following events occur:
The Container Scanning Interval can be selected for how often sensors should re-scan containers. 48 hours is recommended for optimum performance. The General Sensor Profile can be configured to re-scan containers as frequently as 12 hours for critical workloads. These settings can change over time since Qualys keeps adding granular scan settings and enhancing the functionalities based on fast-paced technology innovations.
However, there are use cases where the Ops team (Cloud/Dev/Sec) would like to pause sensors during the maintenance window or business hours. And the other use case might be to run sensors during a specific window. Such scenarios can be covered by using sensor inactive windows.
The purpose of an inactive window is to prevent the sensor from generating data during specific times, such as when routine maintenance is being performed on the system.
Qualys Unified Dashboard (UD) provides an extensive and ever-expanding library of dashboards related to all teams in an IT and security organization. Unified Dashboard brings information from all Qualys applications into a single place for visualization. The dashboard library helps create custom dashboards using existing widget templates, customize existing widgets, or create your own widgets. Qualys Query Language (QQL) is used to build search queries to fetch information from Qualys databases.
Scheduled reports for container vulnerabilities, image vulnerabilities, secrets, and malware could be very useful.
For Day 2 operations, it's a good idea to invest some time and effort in creating custom integrations or scheduled tasks. Qualys’ Container Security API guide can help you develop the scripts and workflows.
All features of Container Security are available through REST APIs. An equivalent Rest API request for each tab is provided in the user interface. (Marked with a circle on the figure below).
User Guide| Deployment Guide| Helm Chart
Connector for Jenkins| Connector for Bamboo| Connector for Azure DevOps
QScanner| Video libraries| CS Certified Courses (Free)
API Guide| Qualys Git Repo| Documentation
Docker Hub QCS Sensor| |
Container Security Troubleshooting | How to collaborate with Qualys Support