Skip to main content
All CollectionsBest PracticesVulnerability Manager User
Managing and Remediating Base and Deployment Image Assets - Best Practice
Managing and Remediating Base and Deployment Image Assets - Best Practice

Learn how to distinguish between base vs. non-base/deployed images in the Vulcan Platform to prioritize remediation.

Updated over 11 months ago

Target Audience

Hands-On Vulnerability Managers and Champions

About

What's the Rationale Behind This Best Practice?

In the dynamic landscape of vulnerability remediation, the ingestion of thousands of scanned images into the Vulcan Platform, or any other Vulnerability Orchestration platform for that matter, poses a challenge for users. Vulcan has been guiding customers, hand in hand, through effective remediation strategies, particularly when dealing with vulnerabilities found in images. This best practice is born upon the collective experiences of our customers and ourselves.

It focuses explicitly on approaching image assets and considers the intricacies in prioritizing remediating vulnerabilities found within them, focusing on differentiating between Base and Deployed (Non-Base) images.

What's the Goal of This Best Practice?

The primary goal is to streamline and enhance the process of addressing vulnerabilities within the Vulcan Platform. To improve security, it's important to first focus on fixing problems in the base images. This stops the same issues from coming back when you deploy new things. Also, monitor any problems in the images you've already deployed. This helps you understand the real risks you're facing right now. By doing this, you can decide what to fix first and what to deploy next while not worrying about images you're not using that aren't a risk at the moment. This best practice offers clarity, reduces confusion, and optimizes time and resource utilization.

Why Differentiate Between Base and Non-Base Images when it comes to vulnerability remediation?

In software development, a Base Image is the foundational version used to create Deployed (or other non-base) Images for production and non-production environments. The decision on which vulnerabilities to address first depends on several factors, mainly the organization's preferred remediation process and approach.

Best Practice

Identification Strategies

Due to the lack of information coming from the scanners, the distinction between Base and Deployed Images when ingested into the Vulcan Platform might be challenging. It can lead to potential confusion and time-consuming searches.

To address this challenge, we offer the following recommendations:

Leveraging Tags for Efficient Filtering

Consider implementing an automated tagging system on the Scanner's side to recognize Base vs. Non-Base Images, including version/revision information. This automated approach simplifies identification within the Vulcan Platform once the assets are ingested.

Once images are tagged, users can leverage Vulcan's filtering capabilities to quickly and easily identify base vs non-base images within the Vulcan Platform UI and streamline remediation efforts. Filtering by Base Images allows for focused remediation, optimizing the process, and reducing the workload. Learn all about Filters here.

You can also use Vulcan's Tagging system to tag assets after ingestion is complete. Learn all about Taggin here.

Differentiating Images Without Tags

There are two different types of tags in the Vulcan Platform:
(a) Imported Tags: Asset tags imported from the vendor through the connector.
(b) Vulcan Tags: Asset tags the user manually creates in the Vulcan Platform
You can learn more about Asset Tags here.

Every imported image asset is tagged, and these tags can vary, but they typically fall into three common categories, following the format image_name:tag.

For example, linux:mytag. The three standard types of tags are:

  1. Version Tag: This uses the version number, like image_name:1.2.3.

  2. Latest Tag: This is a very common tag where the tag is simply 'latest', as in image_name:latest. Most images use this convention.

  3. Hash Tag: This uses a unique hash value; for example, image_name:fc3ff98e8c6a0d3087d515c0473f8677.

Without clear predefined tags, consider the following methods to differentiate between Base and Deployed Images in the Vulcan Platform.

To recognize the elements in the image asset, click on the asset and review its details. See the Asset Page and Asset Details for more information.

Method

Description

Examples and Notes

By Naming Conventions

Organizations often employ naming conventions to indicate the purpose of an image.

The name of the image should reflect its purpose and contents. For example, node-web-app it is more descriptive than just web-app.

  • Prefixes or suffixes are added to names, making it easier to understand the image's role.

  • Example: If a deployed image is named vulcan_app, its corresponding base image could be named vulcan_base or vulcan_app_base.

  • Images with exclusive or niche names, lacking indications of being a base for another image, are unlikely to serve as base images.

Maintain a Consistent Naming Convention

Use a consistent naming convention across your organization. This could be based on the project name, team, or environment.

  • For example, team1/nginx-custom, projectx/backend-service.

By Tags for Versioning

Tags are crucial for version control. Tags are used to specify versions of the application or the base image.

  • For example, myapp:1.2.3. It's a good practice to use semantic versioning.

By Popular Operating Systems, Software, and Frameworks

Organizations maintain base images in various ways. While some dedicate specific base images for each application (e.g., vulcan_app and vulcan_base), others reuse a base image for multiple purposes.

Key considerations include:

  • Recognizing popular names of operating systems (e.g., Alpine, Debian) and common software/frameworks (e.g., Python, Node, PHP, Postgres, Redis) based on organizational needs.

  • Maintaining image repositories, like one for Python, that serves as a foundational layer for various Python-based applications. This centralized approach by DevOps teams influences multiple applications, streamlining maintenance efforts.

  • Identifying such images aids in locating potential base images within the organization.

Use Specific Tags for Base Images

When specifying base images, use specific tags rather than general ones.

  • For example, latest. For instance, python:3.8-slim is preferable over python:latest.

Technical Identification of Base Images

Additional tips for identifying base images involve collaboration with engineers (often DevOps teams) who can assist in reviewing scanned images.

If direct answers are unavailable, there are various effective methods:

  • Reviewing Pipelines: Analyzing build pipelines to identify images used in the build process. Base images are typically foundational elements in these processes.

  • Inspecting Dockerfiles in Code Repositories: Extracting base images using the FROM instruction in Dockerfiles within code repositories. This provides insights into the dependencies and hierarchy of images.

  • Examining Kubernetes Clusters: Inspecting deployed images in Kubernetes clusters. Base images are rarely deployed directly, especially in production environments

Include Registry Name for Public Images

If you are pulling images from public registries, include the registry's name in the tag.

  • For example, docker.io/library/nginx

Use Hierarchical Names for Organization

If you have multiple related images, use a hierarchical naming structure.

  • For instance, myapp/backend, myapp/frontend.

Utilize Official Images for Base Layers

When possible, use official base images as they are more likely to be up-to-date and secure.

Remediation Strategies

The decision to prioritize remediating Base or Deployment images is intricately linked to the business context and cybersecurity strategy. Moreover, the timing of remediation plays a crucial role in this decision-making process.

In managing vulnerabilities, it's important to strike a balance between immediate action and strategic long-term fixes. For critical vulnerabilities, especially in externally accessible applications, promptly addressing issues in deployed images can be a vital and quick solution. This approach allows for immediate risk mitigation without the need to wait for extensive testing and coordination with other teams, which might be necessary for less critical applications.

Simultaneously, it's crucial to focus on resolving the root causes of vulnerabilities in the base images. While daily updates to deployed images may not always rectify underlying issues, prioritizing base image remediation ensures a more robust and enduring security posture. This dual approach of immediate risk management and long-term vulnerability resolution is key to maintaining both the immediate and ongoing security of applications.

This dynamic decision-making process underscores the delicate balance between immediate security needs and the longer-term strategic imperative of fortifying the foundational elements. It reflects a nuanced approach that recognizes the business's operational realities and the imperative to maintain a robust and secure IT environment.

Image Type

Rationale and Prioritization Approach

Ticket Assignment Best Practice

Base

Base Images serve as the foundational versions upon which other images are built. Addressing vulnerabilities in Base Images ensures that all subsequently deployed images inherit the fixes.

This approach saves time and effort compared to individually fixing each deployed image.

DevOps teams typically have a deep understanding of the infrastructure and the core components of Base Images. Assigning remediation tasks to DevOps ensures comprehensive fixes from the core, eliminating vulnerabilities at the source.

Non-Base / Deployment

Non-Base Images are the deployed instances running in production environments. Addressing vulnerabilities in Deployment images focuses on remediating the immediate application environment. This allows for targeted fixes, addressing vulnerabilities that directly impact the deployed instances without considering the broader infrastructure.

Engineering teams often have a detailed understanding of the specific applications and code deployed in production. Assigning non-Base Image remediation to engineering ensures that vulnerabilities related to application-specific code are addressed effectively.

Collaboration and Communication

While there is usually a division in ticket assignments, effective communication between DevOps and engineering teams is crucial. DevOps teams can provide insights into foundational fixes, and engineers can communicate application-specific nuances. This collaborative approach ensures a holistic and efficient remediation of vulnerabilities found on asset type Image.

Taking Remediation Action

More Tips

Engineer Communication: Instruct engineers to use the latest fixed Base Images to reduce the risk of using outdated versions in their code. To further enhance this process, consider adopting a standard cadence for updating base images with the latest operating system and product versions. This approach will help minimize the issues caused by lengthy patching cycles, ensuring a smoother and more secure development workflow.

Version Reference: When addressing vulnerabilities in Base Images, always refer to the image with the latest fixed version.

Time Frame Consideration: Understand that the impact of fixed Base Images on vulnerability identification may take time, depending on your organization's deployment process.

Did this answer your question?