New vulnerabilities are discovered in container images every day. Since 2016, the number of vulnerabilities reported each year has nearly tripled, so finding and fixing them quickly is critical to preventing breaches. It is not practical, however, to fix every single one when you maintain many workloads at scale.
Fixing all vulnerabilities in containers has become unrealistic and, in most cases, unnecessary. Containers are loaded with packages that are never used, yet the vulnerabilities in those packages are still reported.
IBM Security and Compliance Center (SCC) Workload Protection vulnerability management lets security teams prioritize their vulnerabilities by the actual risk they pose.
There are a number of inputs available in SCC Workload Protection that can be used to prioritize:
- CVSS: the Common Vulnerability Scoring System base score of the vulnerability.
- Fix availability: a more recent version of the package exists in which the vulnerability has been fixed.
- Exploitable: a known path for exploiting the vulnerability exists, such as a public proof-of-concept or exploit script.
- In-use: only vulnerabilities tied to packages actually used at runtime. Containers are often loaded with packages that are never executed, so focus on the packages that pose a real risk.
Scan your Images in Runtime, Registry and Pipeline
SCC Workload Protection combines the scan results from your runtime, your pipeline and your container registries into a single, accurate view of your vulnerability risk.
Runtime
Images scanned at runtime carry runtime context (cluster, namespace, workload) and full details of the packages loaded at runtime, which enables better prioritization.
As soon as you start scanning your runtime containers, all vulnerabilities are available in a detailed Runtime view:
Get more detailed information on each image by opening its report. Compare the vulnerable in-use packages and the high-risk vulnerabilities against the full list to decide which fixes are actually necessary, and reduce the number of vulnerabilities you need to fix.
Pipeline
To reduce the risk of introducing vulnerabilities into runtime with new workloads, scan container images as soon as they are built.
Using the sysdig-cli-scanner binary, scan container images in your CI/CD pipeline and stop the pipeline run when the new image does not pass your scanning policy (the scanner returns a non-zero exit status on a failed policy evaluation, which is what the pipeline step should check).
All results from images scanned this way appear in the Pipeline view:
Registry
Registry scanning provides an extra layer of defense between pipeline and runtime. The Container Registry Scanner lets you integrate SCC Workload Protection with image registries from a range of vendors, such as IBM Container Registry (ICR), Nexus, Harbor, JFrog Artifactory and AWS ECR.
Registry scans run on a schedule: weekly by default, and configurable to run more often or at the time you choose.
All results from images scanned this way appear in the Registry view:
Don’t forget to scan your Hosts
Scanning your container images may not be enough in your environment. If you are responsible for the operating systems of your container platforms, or you deploy workloads on Virtual Servers on Cloud, VMware or on-premises machines, you also need to control the vulnerabilities in the packages installed on your hosts.
The same Runtime view includes filters to show only the Hosts.
Schedule Reports
Use asynchronous SCC Workload Protection reports to receive, on the schedule you choose, all the vulnerability information for your environment in your preferred notification channel, such as email, Slack or a custom webhook. All scan types (runtime, pipeline, registry and hosts) support scheduled reports.
Several conditions can be used to filter the information you receive in a scheduled report:
- Define the scope of the report by choosing clusters, namespaces, workloads, hosts, image registries or repositories.
- Narrow the list by setting a minimum severity and by requiring that a vulnerability is exploitable, affects a package that is in use, or has a fix available.
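The same four signals (severity/CVSS, fix availability, exploitability and in-use status) drive both the prioritization inputs listed at the top of this page and the scheduled-report filters just above. The Python below is an added illustration of how those signals combine into a filter and a ranking; it is not SCC Workload Protection code or its API. The Finding fields, the sample findings and the ranking order (in-use first, then exploitable, then fix available, then CVSS) are constructed assumptions for the example, not the product's own policy.

```python
from dataclasses import dataclass
from typing import List, Optional

# Severity order used for the "minimum severity" threshold (assumed scale).
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One vulnerability match on one package (hypothetical record shape)."""
    cve: str
    package: str
    severity: str               # one of the SEVERITY_RANK keys
    cvss: float                 # CVSS base score
    fix_version: Optional[str]  # None when no fixed package version exists
    exploitable: bool           # a public exploit or proof of concept is known
    in_use: bool                # the package was observed loaded at runtime

    @property
    def fix_available(self) -> bool:
        return self.fix_version is not None


def filter_findings(findings: List[Finding], *, min_severity: str = "medium",
                    in_use_only: bool = False, exploitable_only: bool = False,
                    fix_available_only: bool = False) -> List[Finding]:
    """Apply the report-style filters: severity floor plus optional boolean gates."""
    threshold = SEVERITY_RANK[min_severity]
    kept = []
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            continue
        if in_use_only and not f.in_use:
            continue
        if exploitable_only and not f.exploitable:
            continue
        if fix_available_only and not f.fix_available:
            continue
        kept.append(f)
    return kept


def risk_key(f: Finding):
    # Sort key: True sorts above False when reversed, so an in-use, exploitable,
    # fixable finding outranks an unused critical one regardless of CVSS.
    return (f.in_use, f.exploitable, f.fix_available, f.cvss)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings so the ones worth fixing first come first."""
    return sorted(findings, key=risk_key, reverse=True)


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("CVE-A", "libfoo", "critical", 9.8, None, True, False),  # critical, not in use, no fix
    Finding("CVE-B", "libbar", "high", 8.1, "1.2.4", True, True),    # in use, exploitable, fix available
    Finding("CVE-C", "libbaz", "high", 7.5, "2.0.1", False, True),   # in use, fix available
    Finding("CVE-D", "libqux", "medium", 5.3, None, False, True),    # in use, no fix yet
    Finding("CVE-E", "libold", "low", 3.1, "0.9.9", False, False),   # low, not in use
]


def fix_first(findings: List[Finding] = SAMPLE) -> List[str]:
    """CVE ids to fix first: medium or higher, in-use packages only, ranked by risk."""
    ordered = prioritize(filter_findings(findings, min_severity="medium", in_use_only=True))
    return [f.cve for f in ordered]


if __name__ == "__main__":
    print(fix_first())  # ['CVE-B', 'CVE-C', 'CVE-D']
```

Note that `fix_first` drops CVE-A despite its 9.8 CVSS score because the package is not in use and has no fix, which is exactly the reduction the in-use signal is meant to give. One caveat for any runtime-based in-use signal: it reflects packages observed loaded during the observation window, so a package that is only exercised on a rare code path may not have been seen yet; treat "not in use" as lower priority rather than as proof the package is never reached.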
Conclusion
Security and Compliance Center Workload Protection vulnerability management makes it simpler and more efficient to decide which vulnerabilities need fixing: it focuses on the packages that are in use at runtime and provides detailed vulnerability information together with flexible configuration.
SCC Workload Protection's out-of-the-box Scanning Policies, such as NIST SP 800-53, NIST SP 800-190 and PCI DSS, translate the controls of these compliance standards into vulnerability rules you can use as a reference.
If you want to learn more about how SCC Workload Protection can help with your vulnerability management, visit the IBM Cloud catalog and start your 30-day free instance. You will be up and running in minutes.