 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
All software (and even hardware) contains security vulnerabilities, and the number of publicly reported CVEs (common vulnerabilities and exposures) continues to grow every day. All software depends on other software, which can include a vulnerability at each level, further exacerbating the risk and reinforcing the urgency for organizations to detect and patch vulnerabilities. Let’s take a look at how to detect CVEs and best practices for reducing them in your container applications through prevention and detection.
There are three common sources of CVEs.
All of these sources open up your environment to potential CVEs and increase your attack surface.
The work of detecting CVEs is usually carried out by vulnerability scanners, of which there are many free and paid versions. Vulnerability scanners identify everything your software consists of (base image, code, language, etc.) in order to build a list of software components or a software bill of materials (SBOM). This information is checked against the scanner’s own database to identify which of the libraries have vulnerabilities.
There can be variability in scan results from different vulnerability scanners. There are a few reasons for this. First, some scanners might only use CVEs from the national standard databases, such as the U.S. National Vulnerability Database (NVD), while others use additional third-party databases. Second, how a vulnerability scanner goes about identifying libraries within code can differ in the way they detect software binaries and match known vulnerabilities with those software binaries. Third, how scanners handle transitive dependencies (dependencies of dependencies that you import into your code) varies in depth and granularity. All of these considerations can make a difference in the outcome/results of a scan.
All this is to say that vulnerability scanners are not perfect; they can miss things or not get the whole picture. They might not find all sources (everything your software is built of) and might return varying results. Let’s look at some best practices for both prevention and detection that can help guard against these deficits.
It’s important to detect and patch CVEs in a timely manner to ensure the security of your environment/product. The sheer number of reported CVEs combined with multiple potential sources of CVEs can make this a difficult task. Here are five best practices for reducing CVEs in your container applications.
Lastly, make sure you have a good relationship with the development team in your organization, as you’ll both need to be on the same page in terms of understanding the importance of security in your environment/product. This is done via security education and training, establishing security guidelines and creating a process that considers the unique processes and needs of your engineering organization.
You’ve scanned your environment to identify CVEs and are now staring at a list of 200 things to fix. What next? There’s no way you can analyze them all before the next batch of CVEs comes out, so start by identifying and patching the high-priority CVEs first, and then if you have time, work your way down the list in terms of priority. For a more detailed discussion of patching CVEs, stay tuned for our next article, “Vulnerability Management: Best Practices for Patching CVEs.”
Read our guide to learn more about Kubernetes vulnerability scanning.
