Sysdig today made available a Risk Spotlight tool as part of its cloud service for securing and monitoring container environments that makes it easier to prioritize the vulnerabilities that need to be addressed based on the risks that stem from software packages that have actually been deployed.
Pawan Shankar, director of product marketing for Sysdig, said Risk Spotlight leverages the open source Falco threat detection engine that developers add to runtimes to provide a more accurate assessment of the risks to the application based on the software packages that Sysdig is able to monitor. That approach also reduces fatigue by reducing the overall volume of alerts that today drown most application developers, he added.
Risk Spotlight surfaces vulnerability details such as the Common Vulnerability Scoring Systems (CVSS) scoring vector, the version of a software package that fixes the issue and links to public examples of exploits that take advantage of that vulnerability. The goal over time is to increase the level of cybersecurity expertise developers have by providing additional context via a user interface that provides a package-centric view of vulnerabilities, said Shankar.
The Risk Spotlight report also eliminates the need for cybersecurity teams to track vulnerabilities using spreadsheets, added Shankar. Many cybersecurity teams routinely aggregate thousands of potential vulnerabilities that need to be fixed in spreadsheets that are then shared with development teams. The issue that subsequently gets created is that developers are not provided with enough perspective to determine which vulnerabilities to remediate first based on the actual level of risk to the application environment.
That issue is especially problematic in container environments where code is often ripped and replaced using open source software packages. It’s not uncommon for developers to either use a version of that software that contains a known vulnerability or for a new vulnerability to be discovered after a software package has been encapsulated in a container. The highly dynamic nature of container application environments makes it difficult to use spreadsheets to track vulnerabilities that may have already been fixed by the time they are reported by a cybersecurity team. The Risk Spotlight tool gives development teams a much shorter list of vulnerabilities to work through, said Shankar.
In general, container applications should be more secure than legacy monolithic applications because it’s easier to swap out a container than it is to patch a monolithic application. However, it doesn’t take much time for cybercriminals to discover vulnerable software packages with an application environment. Individual containers are also now starting to run longer, which increases the likelihood those software packages will be discovered and compromised. Once infected, it then becomes possible for malware to start moving laterally across the application environment.
In the wake of a series of high-profile application security breaches, more scrutiny is being applied to software supply chains than ever. The challenge, and the opportunity, is to provide development teams with a more actionable feedback loop that enables them to proactively address most vulnerabilities before they ever become a major issue. That shifting left of responsibility for application security within the context of a DevSecOps workflow doesn’t eliminate every security issue, but it does go a long way in reducing the level of stress for all concerned.