Software Vulnerability Management
Agile innovation begins with the development teams. Identifying software vulnerabilities early is important for two reasons: risk and cost. After all, it is cheaper to close software security gaps in development than in production. Yet competitive pressures and KPIs prioritize pushing product to production, sometimes with known software vulnerabilities and sometimes with latent software supply chain risk from the use of third-party libraries. Using only trusted third-party image repositories is recommended, though not always practical; the flexibility of exception management is often desirable for scrum teams on the innovation treadmill.
To mitigate this risk, image scanning and software composition analysis (SCA) solutions surface these vulnerabilities. This is good practice, though not without its own limitations. Image scanning can only identify known software vulnerabilities; it cannot find the unknown: zero-days and runtime threats. Software vulnerability scanning is a recommended first step, but it is only a single point-in-time control and, by itself, insufficient to secure the enterprise's multi-cloud footprint. Were it sufficient, it is highly unlikely that 3 of 4 workload images in production would still contain critical- or high-severity vulnerabilities. And so we press on with additional security controls.
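The point-in-time limitation is easiest to see in code. The following is an added example, not code from the original page or from any scanning product: a minimal SCA-style matcher that compares an image's component inventory against an advisory feed as of a given date. The package names, image tag and advisory ids are constructed placeholders; the image never changes, yet a later run against the same inventory reports a new critical finding that the original scan could not have known about.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data only: placeholder advisory ids (not CVEs), fictional packages and image.

def version(v: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))

@dataclass(frozen=True)
class Advisory:
    id: str
    package: str
    fixed_in: tuple   # versions strictly below this are affected
    severity: str
    published: date

@dataclass(frozen=True)
class ImageScan:
    image: str
    scanned_at: date
    components: dict  # package name -> version tuple (an SBOM in miniature)

def match_advisories(scan: ImageScan, advisories, as_of: date) -> list:
    """Advisories already disclosed on `as_of` that affect a component in the image."""
    hits = []
    for adv in advisories:
        if adv.published > as_of:  # not yet public at that point in time
            continue
        ver = scan.components.get(adv.package)
        if ver is not None and ver < adv.fixed_in:
            hits.append(adv)
    return hits

def missed_since_scan(scan: ImageScan, advisories, today: date) -> list:
    """Advisories affecting the unchanged image that were disclosed after it was scanned."""
    seen = {a.id for a in match_advisories(scan, advisories, scan.scanned_at)}
    return [a for a in match_advisories(scan, advisories, today) if a.id not in seen]

ADVISORIES = [  # constructed feed
    Advisory("ADV-PLACEHOLDER-1", "libfoo", version("1.3.0"), "high", date(2024, 1, 1)),
    Advisory("ADV-PLACEHOLDER-2", "libbar", version("2.1.0"), "critical", date(2024, 2, 1)),
    Advisory("ADV-PLACEHOLDER-3", "libfoo", version("1.0.0"), "medium", date(2024, 2, 10)),
]
PROD_IMAGE = ImageScan("app:1.0", date(2024, 1, 15),  # scanned once, then deployed
                       {"libfoo": version("1.2.3"), "libbar": version("2.0.0")})

if __name__ == "__main__":
    for a in missed_since_scan(PROD_IMAGE, ADVISORIES, date(2024, 3, 1)):
        print(f"{PROD_IMAGE.image}: {a.id} ({a.severity}) disclosed after the scan")
```

Re-running `match_advisories` against images already in production, rather than only at build time, is the control that closes this particular gap; it still does nothing for vulnerabilities no advisory feed knows about.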