
Cloudsmith provides container security with automation and integrity

Cloudsmith is introducing new security functions for enterprise container management. They will be welcomed by many, as the proliferation of containerized applications makes it more difficult than ever to maintain oversight.

For those not yet in the know, Cloudsmith describes itself as a cloud-native artifact management platform. The company has announced a series of container-oriented upgrades at KubeCon Europe, which starts today. The new functionality strengthens software supply chain security by guaranteeing artifact integrity, automating policy and improving container management at scale.

Increasing containerization brings challenges

The containerization of applications has become commonplace in the enterprise world. However, this creates new challenges for organizations, especially in the area of security. Containers generally only have a short lifespan, with many layers of external code bundled together with their own applications. This combination of constant change and external components makes it difficult to keep a close eye on artifacts.

This problem is exacerbated by the increasing complexity of the supply chain, with all the associated risks. The changing nature of containerized environments – with multiple services spread across multi-cloud and on-premise infrastructures – poses a serious challenge for visibility, compliance and security.

New security features

Cloudsmith recognizes these problems and has therefore introduced a number of crucial upgrades:

The Enterprise Policy Manager (EPM) has been expanded to include integration of the Exploit Prediction Scoring System (EPSS). This allows security teams to prioritize vulnerabilities based on actual exploitability instead of just a general risk score.
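To make the difference between "general risk score" and "actual exploitability" concrete, here is an added example (not Cloudsmith's code, and the thresholds, placeholder identifiers and scores are all assumptions constructed for illustration) that ranks the same scan findings by CVSS and by EPSS and applies a simple promotion gate:

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Finding:
    """One vulnerability reported against a container image."""
    cve: str      # identifier; the sample data below uses placeholders, not real CVEs
    cvss: float   # general severity score, 0-10
    epss: float   # EPSS probability (0-1) that the flaw is exploited in the next 30 days

# Policy thresholds: assumptions for this example, not Cloudsmith's defaults.
EPSS_FIX_NOW = 0.10   # >=10% exploitation probability: fix before promotion
EPSS_SCHEDULE = 0.01  # >=1% together with high CVSS: fix within the sprint
CVSS_HIGH = 7.0

def tier(f: Finding) -> str:
    """Classify a finding by how exploitable it is, not only how severe it looks."""
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"{f.cve}: EPSS must be a probability in [0, 1]")
    if f.epss >= EPSS_FIX_NOW:
        return "fix-now"
    if f.cvss >= CVSS_HIGH and f.epss >= EPSS_SCHEDULE:
        return "schedule"
    return "monitor"

def by_cvss(findings: List[Finding]) -> List[str]:
    """The conventional ordering: highest general risk score first."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]

def by_epss(findings: List[Finding]) -> List[str]:
    """The EPSS ordering: most likely to be exploited first, CVSS as tie-breaker."""
    return [f.cve for f in sorted(findings, key=lambda f: (-f.epss, -f.cvss))]

def promotion_blocked(findings: List[Finding]) -> bool:
    """Gate: an image may not move to production while any finding is fix-now."""
    return any(tier(f) == "fix-now" for f in findings)

# Constructed sample scan results (placeholder identifiers, made-up scores).
SAMPLE = [
    Finding("CVE-PLACEHOLDER-A", cvss=9.8, epss=0.004),  # critical on paper, rarely exploited
    Finding("CVE-PLACEHOLDER-B", cvss=7.5, epss=0.62),   # high and actively exploited
    Finding("CVE-PLACEHOLDER-C", cvss=5.3, epss=0.15),   # medium severity, but exploited
    Finding("CVE-PLACEHOLDER-D", cvss=8.1, epss=0.03),   # high, some exploitation signal
]

if __name__ == "__main__":
    print("CVSS order:", by_cvss(SAMPLE))
    print("EPSS order:", by_epss(SAMPLE))
    print("blocked:", promotion_blocked(SAMPLE))
```

Note how the medium-severity finding C outranks the critical finding A once exploitation probability drives the ordering, which is the prioritization shift the EPSS integration is meant to enable.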

The platform ensures that container images comply with security baselines such as NIST, CIS and ISO 27001 and are accompanied by Software Bills of Materials (SBOMs). This is done through automated SBOM generation, faster rescanning times and improved security insights.

An important addition is real-time vulnerability scanning, which ensures that vulnerabilities in containerized applications are detected before they go into production. The platform also now performs Cosign signing automatically for container images as soon as they are cached in Cloudsmith for the first time, which eliminates manual key management headaches.

Container visibility has been improved through UI enhancements for Docker image hierarchy and tag management, simplifying the checking and management of artifacts.

Security as a standard part of the development process

Alison Sickelka, Vice President of Product at Cloudsmith, emphasizes the importance of security early in the development cycle: “Security needs to be built early into the container lifecycle, not bolted on at the end. Containers have become the standard for building and deploying applications, but often introduce blind spots that traditional security tools fail to catch.”

The new functionality makes it possible to automate security at the artifact level, so that threats are identified before they go into production. This is aimed at “letting developers focus on what they do best – building – instead of firefighting security issues,” said Sickelka.

This announcement comes shortly after the recent Series B financing round that yielded $23 million for Cloudsmith. The company also reports that it grew by 150 percent in the past year. Cloudsmith will now use the funds for further innovation in software supply chain security for enterprise customers.
