Hands-On Vulnerability Managers and Champions
What's the Rationale Behind This Best Practice?
In the dynamic landscape of vulnerability remediation, the ingestion of thousands of scanned images into the Vulcan Platform, or any other Vulnerability Orchestration platform for that matter, poses a challenge for users. Vulcan has been guiding customers, hand in hand, through effective remediation strategies, particularly when dealing with vulnerabilities found in images. This best practice is born upon the collective experiences of our customers and ourselves.
It focuses explicitly on approaching image assets and considers the intricacies in prioritizing remediating vulnerabilities found within them, focusing on differentiating between Base and Deployed (Non-Base) images.
What's the Goal of This Best Practice?
The primary goal is to streamline and enhance the process of addressing vulnerabilities within the Vulcan Platform. To improve security, it's important to first focus on fixing problems in the base images. This stops the same issues from coming back when you deploy new things. Also, monitor any problems in the images you've already deployed. This helps you understand the real risks you're facing right now. By doing this, you can decide what to fix first and what to deploy next while not worrying about images you're not using that aren't a risk at the moment. This best practice offers clarity, reduces confusion, and optimizes time and resource utilization.
Why Differentiate Between Base and Non-Base Images when it comes to vulnerability remediation?
In software development, a Base Image is the foundational version used to create Deployed (or other non-base) Images for production and non-production environments. The decision on which vulnerabilities to address first depends on several factors, mainly the organization's preferred remediation process and approach.
Due to the lack of information coming from the scanners, the distinction between Base and Deployed Images when ingested into the Vulcan Platform might be challenging. It can lead to potential confusion and time-consuming searches.
To address this challenge, we offer the following recommendations:
Leveraging Tags for Efficient Filtering
Consider implementing an automated tagging system on the Scanner's side to recognize Base vs. Non-Base Images, including version/revision information. This automated approach simplifies identification within the Vulcan Platform once the assets are ingested.
Once images are tagged, users can leverage Vulcan's filtering capabilities to quickly and easily identify base vs non-base images within the Vulcan Platform UI and streamline remediation efforts. Filtering by Base Images allows for focused remediation, optimizing the process, and reducing the workload. Learn all about Filters here.
You can also use Vulcan's Tagging system to tag assets after ingestion is complete. Learn all about Taggin here.
Differentiating Images Without Tags
There are two different types of tags in the Vulcan Platform:
(a) Imported Tags: Asset tags imported from the vendor through the connector.
(b) Vulcan Tags: Asset tags the user manually creates in the Vulcan Platform
You can learn more about Asset Tags here.
Every imported image asset is tagged, and these tags can vary, but they typically fall into three common categories, following the format
linux:mytag. The three standard types of tags are:
Version Tag: This uses the version number, like
Latest Tag: This is a very common tag where the tag is simply 'latest', as in
image_name:latest. Most images use this convention.
Hash Tag: This uses a unique hash value; for example,
Without clear predefined tags, consider the following methods to differentiate between Base and Deployed Images in the Vulcan Platform.
Examples and Notes
By Naming Conventions
Organizations often employ naming conventions to indicate the purpose of an image.
The name of the image should reflect its purpose and contents. For example,
Maintain a Consistent Naming Convention
Use a consistent naming convention across your organization. This could be based on the project name, team, or environment.
By Tags for Versioning
Tags are crucial for version control. Tags are used to specify versions of the application or the base image.
By Popular Operating Systems, Software, and Frameworks
Organizations maintain base images in various ways. While some dedicate specific base images for each application (e.g.,
Key considerations include:
Use Specific Tags for Base Images
When specifying base images, use specific tags rather than general ones.
Technical Identification of Base Images
Additional tips for identifying base images involve collaboration with engineers (often DevOps teams) who can assist in reviewing scanned images.
If direct answers are unavailable, there are various effective methods:
Include Registry Name for Public Images
If you are pulling images from public registries, include the registry's name in the tag.
Use Hierarchical Names for Organization
If you have multiple related images, use a hierarchical naming structure.
Utilize Official Images for Base Layers
When possible, use official base images as they are more likely to be up-to-date and secure.
The decision to prioritize remediating Base or Deployment images is intricately linked to the business context and cybersecurity strategy. Moreover, the timing of remediation plays a crucial role in this decision-making process.
In managing vulnerabilities, it's important to strike a balance between immediate action and strategic long-term fixes. For critical vulnerabilities, especially in externally accessible applications, promptly addressing issues in deployed images can be a vital and quick solution. This approach allows for immediate risk mitigation without the need to wait for extensive testing and coordination with other teams, which might be necessary for less critical applications.
Simultaneously, it's crucial to focus on resolving the root causes of vulnerabilities in the base images. While daily updates to deployed images may not always rectify underlying issues, prioritizing base image remediation ensures a more robust and enduring security posture. This dual approach of immediate risk management and long-term vulnerability resolution is key to maintaining both the immediate and ongoing security of applications.
This dynamic decision-making process underscores the delicate balance between immediate security needs and the longer-term strategic imperative of fortifying the foundational elements. It reflects a nuanced approach that recognizes the business's operational realities and the imperative to maintain a robust and secure IT environment.
Rationale and Prioritization Approach
Ticket Assignment Best Practice
Base Images serve as the foundational versions upon which other images are built. Addressing vulnerabilities in Base Images ensures that all subsequently deployed images inherit the fixes.
This approach saves time and effort compared to individually fixing each deployed image.
DevOps teams typically have a deep understanding of the infrastructure and the core components of Base Images. Assigning remediation tasks to DevOps ensures comprehensive fixes from the core, eliminating vulnerabilities at the source.
Non-Base / Deployment
Non-Base Images are the deployed instances running in production environments. Addressing vulnerabilities in Deployment images focuses on remediating the immediate application environment. This allows for targeted fixes, addressing vulnerabilities that directly impact the deployed instances without considering the broader infrastructure.
Engineering teams often have a detailed understanding of the specific applications and code deployed in production. Assigning non-Base Image remediation to engineering ensures that vulnerabilities related to application-specific code are addressed effectively.
Collaboration and Communication
While there is usually a division in ticket assignments, effective communication between DevOps and engineering teams is crucial. DevOps teams can provide insights into foundational fixes, and engineers can communicate application-specific nuances. This collaborative approach ensures a holistic and efficient remediation of vulnerabilities found on asset type Image.
Taking Remediation Action
Learn all about creating, tracking, and managing remediation campaigns.
Engineer Communication: Instruct engineers to use the latest fixed Base Images to reduce the risk of using outdated versions in their code. To further enhance this process, consider adopting a standard cadence for updating base images with the latest operating system and product versions. This approach will help minimize the issues caused by lengthy patching cycles, ensuring a smoother and more secure development workflow.
Version Reference: When addressing vulnerabilities in Base Images, always refer to the image with the latest fixed version.
Time Frame Consideration: Understand that the impact of fixed Base Images on vulnerability identification may take time, depending on your organization's deployment process.