Aqua Security Review

Gives us the ability to automatically scan Docker images and know which are vulnerable


What is our primary use case?

We're using it for the Image Vulnerability Scanning. We have an on-premise solution, so for us, vulnerability scanning is most important. Part of our platform spins up Docker containers and uses Docker internally. We're not a SaaS company, so it's not in the cloud and, therefore, it's very important for us to deploy at the customer's environment. It's very important that we deploy Docker images, that we see the vulnerabilities because we deploy in the customer's environment.

How has it helped my organization?

Until now, we didn't have vulnerability management for our Docker images. We tried to use Docker Hub for the vulnerability, but it wasn't suitable, and I'm not sure if it is even supported today. We needed a way to understand which images are vulnerable and which are not, and to do so automatically. Aqua gives us the ability to automatically scan those images, to schedule jobs to trigger scans, and get the vulnerabilities for the Docker images so we can track them, and understand what we need to patch and where to patch.

It definitely saves us time. We didn't really have a way to do it before. It's basically impossible to do it manually when you have a fleet of Docker images. You have to have some third-party service for scanning.

Aqua improved our application security. It has given us visibility into the vulnerability of those images.

What is most valuable?

  • The ability to connect it to our Docker Hub where our images are stored
  • Good integration with Slack, which we haven't enabled yet, but we're going to do so in the next month; that's very important for us
  • The connection to the CVE, to easily see which CVEs are on each image
  • The Tags
  • Maintenance

Overall, it gives us good vulnerability management.

What needs improvement?

Something we would like to see is a better way to automatically fetch old Tags from an image. That might be something they have improved. We're not sure if they have added that feature or not yet. It's something that would be a nice-to-have.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The stability is good. I do remember that we had emails about some maintenance or a failure, maybe once or twice, during the year. But they didn't really impact us because it's a job that runs for us in a scheduled manner, once a week. For our needs, the SLA is not critical because it's a scheduled job. We don't need a very high SLA.

What do I think about the scalability of the solution?

It works for our scale. We don't push it to extraordinary extremes, but for our scale, it has worked fine.

How is customer service and technical support?

Tech support is good and fast. We haven't needed tech support much, maybe two or three times a year. We used it most initially, during the setup. And we needed it to renew our license.

Which solutions did we use previously?

We didn't have a previous solution. We went with Aqua because it seemed to be an enterprise company in terms of security, one of the leaders in the field, so we tried them first. It gave us the value that we needed. They made a very good impression with their knowledge of security around containers. It seemed to be a company focused on that, security first for containers, unlike Docker. That was an advantage to us.

How was the initial setup?

The initial setup was straightforward. Not much configuration was needed. It didn't take us a long time to set it up and we got support from them for specific questions. It was done in about half a day.

Since ours is not a complex use case, we didn't have a particular strategy for the setup. We don't have a complex environment. We did it ourselves. It's very easy to implement.

What was our ROI?

As I said, manually checking vulnerability is not really feasible. We had to have some kind of solution. The ROI is clear. We could not live without it. Now we are getting back a picture of the vulnerability and we are able to fix severe security/vulnerability bugs.

Which other solutions did I evaluate?

I know there are some open-source solutions, and we haven't tried those, but I believe that Aqua Enterprise is superior to open-source. We looked at the Docker Hub option. It seemed like it was half-baked at the time. There is also Twistlock, but I haven't tried it out. We found what we needed with Aqua and we didn't have a need to compare it with other solutions.

What other advice do I have?

They gave us access to their executive team, specifically, the CTO. I had met him long ago at a Docker conference. He gave us full support and technical support. He was very technically oriented. He helped us with the setups, technically, and we're still in touch today. When I need help he is there.

In terms of the number of users of the solution, for us, it's just the people who maintain the Docker images, two or three people: the head of DevOps and the Director of Engineering. It's just vulnerability management, we don't need many people to access the platform. Once we integrate it with Slack, we'll have visibility for all the users. But day-to-day, they don't need to access the platform, they'll just want to consume the reports. In terms of maintenance, it's very low. One person will get along fine. In our company, it is done by DevOps.

Usage is going up automatically because we're increasing Docker images all the time, so the usage is increasing by default.

Regarding the extent to which we are using all the capabilities of the solution, the parts which are not relevant for vulnerability scanning are not relevant for us. We haven't explored what else Aqua can do. It's not part of our scope. I'm sure other companies are using the vast amount of features it has but we only need the vulnerability management.

I rate it at ten out of ten. For our needs, it's a complete solution.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.