Vulnerability Management Process
Overview
Vulnerability management is a continuous process to identify and remediate vulnerabilities. Alauda Container Security helps you facilitate an effective vulnerability management process.
Key Steps in Vulnerability Management
A successful vulnerability management program typically includes the following key tasks:
- Asset assessment
- Vulnerability prioritization
- Exposure assessment
- Taking action
- Continuous reassessment
Alauda Container Security enables organizations to continuously assess their Alauda Container Platform and Kubernetes clusters, providing the contextual information needed to prioritize and address vulnerabilities more effectively.
Asset Assessment
To assess your organization's assets, follow these steps:
- Identify assets in your environment
- Scan these assets to detect known vulnerabilities
- Report vulnerabilities to relevant stakeholders
When you install Alauda Container Security on your Kubernetes or Alauda Container Platform cluster, it aggregates the assets running inside your cluster to help you identify them. Alauda Container Security allows organizations to perform ongoing assessments and provides the context required to prioritize and remediate vulnerabilities efficiently.
Key Assets to Monitor
Key assets to monitor in your vulnerability management process using Alauda Container Security include:
- Components: Software packages used as part of an image or running on a node. Components are the lowest level where vulnerabilities exist. Organizations must upgrade, modify, or remove software components to remediate vulnerabilities.
- Images: Collections of software components and code that together form an environment for running executable code. Images are where you upgrade components to fix vulnerabilities.
- Nodes: Servers used to manage and run applications using Alauda Container Platform or Kubernetes, including the components that make up the platform or service.
Alauda Container Security organizes these assets into the following structures:
- Deployment: A definition of an application in Kubernetes that may run pods with containers based on one or more images.
- Namespace: A grouping of resources, such as Deployments, that support and isolate an application.
- Cluster: A group of nodes used to run applications using Alauda Container Platform or Kubernetes.
Vulnerability Scanning and Assessment
Alauda Container Security scans assets for known vulnerabilities and uses Common Vulnerabilities and Exposures (CVE) data to assess their impact.
Prioritizing Vulnerabilities
To prioritize vulnerabilities for action and investigation, consider the following questions:
- How important is the affected asset to your organization?
- How severe must a vulnerability be to warrant investigation?
- Can the vulnerability be fixed by patching the affected software component?
- Does the vulnerability violate any of your organization's security policies?
The answers to these questions help security and development teams determine the exposure and necessary response to a vulnerability.
Alauda Container Security provides tools to facilitate the prioritization of vulnerabilities in your applications and components. You can use data reported by Alauda Container Security to decide which vulnerabilities are critical to address. For example, when reviewing vulnerability findings by CVE, consider the following data provided by Alauda Container Security to sort and prioritize vulnerabilities:
- CVE severity: Number of images affected by the CVE and its severity rating (e.g., low, moderate, important, or critical).
- Top CVSS: The highest Common Vulnerability Scoring System (CVSS) score, from vendor sources, for this CVE across images.
- Top NVD CVSS: The highest CVSS score from the National Vulnerability Database for this CVE across images. Scanner V4 must be enabled to view this data.
- EPSS probability: The likelihood that the vulnerability will be exploited, according to the Exploit Prediction Scoring System (EPSS). This provides a percentage estimate of the probability that exploitation will be observed in the next 30 days. EPSS data should be used alongside other information, such as the age of the CVE, to help prioritize vulnerabilities.
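To show how these fields can be combined into one ranking, here is an added Python example; it is not code from Alauda Container Security or from this page, and the Finding type, the weights, and the sample findings (placeholder CVE ids) are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Severity ratings as listed above, mapped to a rank (assumption for this example).
SEVERITY_RANK = {"low": 1, "moderate": 2, "important": 3, "critical": 4}

@dataclass
class Finding:
    cve: str                        # placeholder ids below, not real CVEs
    severity: str                   # low / moderate / important / critical
    affected_images: int            # number of images affected by the CVE
    top_cvss: float                 # highest vendor CVSS score across images
    top_nvd_cvss: Optional[float]   # highest NVD CVSS; None when Scanner V4 data is unavailable
    epss: float                     # EPSS probability of exploitation in the next 30 days (0..1)
    published: date                 # CVE publication date, used for the age check

def effective_cvss(f: Finding) -> float:
    """Take the worst of the vendor and NVD scores; fall back to vendor when NVD is missing."""
    return max(c for c in (f.top_cvss, f.top_nvd_cvss) if c is not None)

def priority_score(f: Finding, today: date) -> float:
    """Higher means more urgent. The weights are an assumption, not a product formula."""
    score = SEVERITY_RANK[f.severity] * 10.0      # 10..40: severity rating
    score += effective_cvss(f)                    # 0..10: impact if exploited
    score += f.epss * 30.0                        # 0..30: exploit likelihood weighs heavily
    score += min(f.affected_images, 10)           # blast radius across images, capped
    age_days = (today - f.published).days
    if age_days > 90 and f.epss >= 0.1:           # old CVE with high EPSS: exploitation is mature
        score += 5.0
    return round(score, 2)

def rank_findings(findings: list, today: date) -> list:
    """Return findings sorted from most to least urgent."""
    return sorted(findings, key=lambda f: priority_score(f, today), reverse=True)

# Constructed sample findings (placeholder CVE ids, not real data).
SAMPLE = [
    Finding("CVE-EXAMPLE-A", "critical", 2, 9.8, 9.8, 0.02, date(2024, 1, 10)),
    Finding("CVE-EXAMPLE-B", "important", 40, 7.5, None, 0.85, date(2023, 6, 1)),
    Finding("CVE-EXAMPLE-C", "low", 1, 3.1, 3.3, 0.001, date(2024, 3, 1)),
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for f in rank_findings(SAMPLE, TODAY):
        print(f"{priority_score(f, TODAY):6.2f}  {f.cve}  {f.severity}  EPSS={f.epss:.3f}")
```

With these weights the "important" CVE with a high EPSS and 40 affected images ranks above the "critical" one with a low EPSS, which is the point of using EPSS and exposure alongside severity rather than severity alone.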
Exposure Assessment
To assess your exposure to a vulnerability, ask:
- Is your application impacted by the vulnerability?
- Is the vulnerability mitigated by other factors?
- Are there known threats that could lead to exploitation?
- Are you using the vulnerable software package?
- Is it worthwhile to spend time addressing this specific vulnerability and package?
Taking Action
Based on your assessment, you may take the following actions:
- Mark the vulnerability as a false positive if there is no exposure or it does not apply in your environment.
- Decide whether to remediate, mitigate, or accept the risk if you are exposed.
- Remove or change the software package to reduce your attack surface.
Once you decide to act on a vulnerability, you can:
- Remediate the vulnerability
- Mitigate and accept the risk
- Accept the risk
- Mark the vulnerability as a false positive
Remediation Methods
To remediate vulnerabilities, you can:
- Remove a software package
- Update a software package to a non-vulnerable version