Living in a container-native world is not easy. Containers have a reputation for being the source of security vulnerabilities for many organizations. In 2015, over 40 percent of Docker images distributed through Docker Hub had high-risk vulnerabilities; at that time there were over 95,000 container images hosted on Docker Hub. Today, there are over 3.5 million container images on Docker Hub, and container security is an even greater concern. A more recent 2020 study by a team of researchers at the Norwegian University of Science and Technology found container image vulnerabilities in certified and popular packages.
This is one example of many kinds of security vulnerabilities. This blog post will share an introduction to security vulnerabilities and the role of vulnerability management for containers and other artifacts in a CI/CD pipeline.
What is a Security Vulnerability?
A vulnerability is a weakness or flaw present in software. Security vulnerabilities can be present in application dependencies or Operating System (OS) packages. Common vulnerabilities include missing data encryption, buffer overflows, missing authentication for critical functions, and insecure interactions between software components.
There are different risks associated with vulnerabilities. With critical or high-risk vulnerabilities, someone who exploits your software has the potential to impact your organization severely. Risks can involve data breaches that impact not only an organization but also users and customers.
Vulnerability Management Techniques
Vulnerability practices and tools exist to make detecting vulnerabilities simple, accurate, and fast. Some of these practices include:
- Penetration Testing– Penetration testing, or pen testing, identifies security vulnerabilities by attempting to break into a software service or steal its data.
- Configuration management– Configuration management involves managing infrastructure configurations and missing patches that leave your software service vulnerable to errors and risks. There are tools that provide infrastructure scanning as a service to help detect outdated or misconfigured instances.
- Container and Application Scanning– Allows you to detect vulnerabilities in deployable artifacts and running applications. Some tools for container scanning include Twistlock, Clair, and Trivy.
These practices help build vulnerability management techniques across your security and delivery teams. One way to scale these security practices is through security automation. Security automation is the use of technology that performs tasks with reduced manual assistance. It ultimately enables users to apply security decisions and secure processes to deliver applications and infrastructure.
Security Practices in your CI/CD process
Security automation is a core tenet of DevSecOps. DevSecOps is short for development, security, and operations; it describes how organizations make and deliver security decisions and actions as part of the deliverables they value.
DevSecOps is a way of continuously integrating security in the software development lifecycle. It’s a way of working and thinking so that security is at the forefront of how our teams deliver business value.
One way to enable DevSecOps is through your Continuous Integration and Continuous Delivery (CI/CD) pipeline. We’ve discussed how to use the Harness platform to accelerate software delivery; with this freedom and empowerment, it’s even more important to build security into the pipeline to avoid incidents. Vulnerability scanning improves software security while giving individuals across engineering and product teams accountability for each of the processes these teams own.
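The container scanning practice listed above only pays off in a CI/CD pipeline if the scan result actually decides whether the stage passes. The following is an added example, not code from the original post or from Harness or Trivy: a small policy gate that reads a report in the shape of Trivy's JSON output (`trivy image -f json`), flattens the findings, and fails the step when a HIGH or CRITICAL issue has an upstream fix available. The report content, image name, package names and CVE identifiers are constructed placeholders.

```python
import json
from dataclasses import dataclass

# Constructed sample in the shape of a Trivy JSON report. The image, packages
# and CVE ids are placeholders for illustration, not real findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.invalid/app:1.0",
    "Results": [
        {"Target": "example.invalid/app:1.0 (debian 11.6)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libthird",
              "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "LOW"},
         ]},
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed: str
    severity: str

def parse_findings(report_json: str) -> list[Finding]:
    """Flatten every scanned target in the report into Finding records."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []) or []:
        # "Vulnerabilities" is absent (or null) when a target is clean
        for v in result.get("Vulnerabilities", []) or []:
            findings.append(Finding(v["VulnerabilityID"], v["PkgName"],
                                    v.get("InstalledVersion", ""), v.get("FixedVersion", ""),
                                    v.get("Severity", "UNKNOWN").upper()))
    return findings

def gate(findings: list[Finding], min_severity: str = "HIGH", fixable_only: bool = True) -> list[Finding]:
    """Return the findings that should fail the stage: severity at or above
    min_severity, and (with fixable_only) only those the team can patch now."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    return [f for f in findings
            if SEVERITY_RANK.get(f.severity, 0) >= threshold
            and (f.fixed != "" or not fixable_only)]

if __name__ == "__main__":
    blocking = gate(parse_findings(SAMPLE_REPORT))
    for f in blocking:
        print(f"{f.severity:8} {f.vuln_id} {f.package} {f.installed} -> fix in {f.fixed}")
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails the CI step
```

Unfixable findings are still worth surfacing in the step log so they can be tracked, but blocking on them tends to make teams disable the gate rather than fix the image.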
Don’t let Security Vulnerabilities Ruin your DevSecOps
In this blog post, we shared an introduction to security vulnerabilities and how they have different risks for your organization. There are practices and tools for detecting and reducing security vulnerabilities, and finding ways to incorporate those processes into a CI/CD pipeline is a great way to accelerate your DevSecOps.