The Slim Platform and CLI tool have a slew of features available to teams for vulnerability management and container optimization. One of them is reachability analysis, and understanding it well can play an integral part in reducing the attack surface of your team's software. In this post, we will break down:
A key challenge to any vulnerability remediation program is the lack of a definitive, opinionated, and actionable signal that a given vulnerability is even worth pursuing. Once you become aware of potential vulnerabilities, you or someone on your team might be tasked with triaging the vulnerabilities to address. During the triage process, there are expectations of:
Despite the use of vulnerability scanners, many of these tasks are manual and time-consuming, which results in onerous triage processes that negatively impact Service Level Objectives (SLOs) for vulnerability remediation. Moving too slowly to respond to the right vulnerabilities can leave you exposed to exploitation and jeopardize relationships with customers.
At Slim, we believe that our combination of features, which include reachability analysis, can improve your triage velocity by helping you focus on the threats that matter.
Let’s dive more into what reachability is all about.
In software supply chain security, reachability refers to whether a given component (say, an open-source package) is actually loaded and executed by the running application, and so could be reached and exploited by a malicious actor. If so, the package is deemed "reachable": it sits on a code path the container actually exercises, rather than merely being present in the image.
It is imperative to know the severity level of a vulnerability and whether external parties can exploit it to access data and software systems. This assessment is one of the many factors that determine the attack surface of your software.
“Reachability analysis is of immeasurable value," says Louis Parkin, Compliance and Security Lead at Stackstate, one of Slim.AI's design partners. "Without it, our team would be working on nothing but vulnerability analysis for the next six months.”
While some of the aforementioned reachability factors depend on how your team writes code, including which packages you add to your software systems, Slim manages the security aspects of building, running, and shipping your code to production.
We scan your containers, bring awareness to their security risk factors, and provide solutions so you’re not left with a heap of challenges that seem unsolvable.
Slim provides reachability analysis for containers through a combination of dynamic and static analysis of your container images. We run the images and observe, at the kernel level, which code paths are exercised and which libraries and files the container's processes actually load. We call this process container profiling.
With a complete profile, we can then provide information on reachability and exploitability that can be used for prioritization.
When addressing risk factors in your code, it is important to consider:
Through container profiling, we provide these insights to accelerate your team’s vulnerability management and take it a step further: vulnerability prioritization.
We'll break down exactly how Slim enables your teams to capture the reachability factors that keep them aware and effective in reducing vulnerability counts and shipping more secure code, faster.
On the Slim Platform and through the Slim CLI, you can profile your container images by connecting your registries through the platform. Profiling happens via a CLI command, when viewing an image in the UI, or automatically during daily scans for Watched images.
During profiling, a "creport.json" file is generated. Its contents are mapped to package data in order to determine which packages are actually loaded in your running container. Reachable packages are then combined with our CVE data to rank vulnerabilities for triage. You can filter by vulnerability or package lists in the UI and add the new attributes to downloadable artifacts.
Profiling extends our inventory capabilities to help teams assess and prioritize image security issues, and it is a prerequisite for the next generation of the Slim container hardening feature.
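To make the profiling-to-prioritization flow described above concrete, here is an added example that is not Slim's own code and does not reproduce the real creport.json format. It assumes a simplified profile listing the file paths opened at runtime, a constructed package inventory in the spirit of `dpkg -L`, and constructed findings with placeholder identifiers (not real CVEs). Loaded files are mapped back to the packages that own them, and each finding is then ranked with reachable packages first and severity second.

```python
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed stand-in for a runtime profile: the files the container's
# processes actually opened while the image was exercised. The JSON shape
# is an assumption made for this example, not Slim's creport.json format.
PROFILE_JSON = """
{
  "image": "example/app:1.0",
  "files": [
    "/app/server",
    "/usr/lib/x86_64-linux-gnu/libc.so.6",
    "/usr/lib/x86_64-linux-gnu/libssl.so.3",
    "/usr/lib/x86_64-linux-gnu/libcrypto.so.3"
  ]
}
"""

# Constructed package inventory (package -> files it installs), in the
# spirit of `dpkg -L` output. Contents are illustrative only.
PACKAGE_FILES: Dict[str, List[str]] = {
    "libc6": ["/usr/lib/x86_64-linux-gnu/libc.so.6"],
    "libssl3": ["/usr/lib/x86_64-linux-gnu/libssl.so.3",
                "/usr/lib/x86_64-linux-gnu/libcrypto.so.3"],
    "curl": ["/usr/bin/curl"],
    "imagemagick": ["/usr/bin/convert",
                    "/usr/lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.6"],
}

# Constructed findings with placeholder identifiers; these are not real CVEs.
FINDINGS = [
    ("EXAMPLE-0001", "curl", "critical"),
    ("EXAMPLE-0002", "libssl3", "high"),
    ("EXAMPLE-0003", "libc6", "medium"),
    ("EXAMPLE-0004", "imagemagick", "critical"),
    ("EXAMPLE-0005", "libssl3", "low"),
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    severity: str
    reachable: bool


def load_profile_files(profile_json: str) -> Set[str]:
    """Return the set of file paths recorded as opened during profiling."""
    return set(json.loads(profile_json)["files"])


def reachable_packages(loaded_files: Iterable[str],
                       package_files: Dict[str, List[str]]) -> Set[str]:
    """Map loaded files back to the packages that own them.

    A package counts as reachable if at least one of its files was opened
    at runtime. Files owned by no package (application code such as
    /app/server) simply do not map to anything here.
    """
    loaded = set(loaded_files)
    return {pkg for pkg, files in package_files.items()
            if any(f in loaded for f in files)}


def prioritize(findings, reachable: Set[str]) -> List[Finding]:
    """Order findings for triage: reachable first, then severity, then id.

    An unreachable finding is not proven safe: profiling is dynamic and only
    sees code paths that were exercised, so it is deprioritized, not dismissed.
    """
    annotated = [Finding(v, p, s, p in reachable) for v, p, s in findings]
    return sorted(annotated,
                  key=lambda f: (not f.reachable,
                                 -SEVERITY_RANK[f.severity],
                                 f.vuln_id))


def triage_order(profile_json: str = PROFILE_JSON) -> List[str]:
    """Run the whole pipeline and return the ordered vulnerability ids."""
    reach = reachable_packages(load_profile_files(profile_json), PACKAGE_FILES)
    return [f.vuln_id for f in prioritize(FINDINGS, reach)]


if __name__ == "__main__":
    reach = reachable_packages(load_profile_files(PROFILE_JSON), PACKAGE_FILES)
    for f in prioritize(FINDINGS, reach):
        flag = "REACHABLE  " if f.reachable else "unreachable"
        print(f"{flag} {f.severity:<8} {f.package:<12} {f.vuln_id}")
```

Note that the two critical findings in `curl` and `imagemagick` drop below the high-severity finding in `libssl3`, because nothing in the profile ever loaded those packages. The caveat a practitioner should keep in mind is the one in the `prioritize` docstring: a dynamic profile only covers the code paths that were driven during the run, so an unexercised package is lower priority, not proven unreachable, and the profiling workload should cover the container's real entry points.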
Dynamic container image scanning provides teams with:
When you inspect a scanned container image, you will find a list of vulnerabilities and packages annotated with reachability information to guide prioritization.
Including this information in your vulnerability and package data helps your teams cut through noise and speed up prioritization and remediation work.
Ultimately, container profiling leverages reachability analysis so you know which vulnerabilities to prioritize for your triage process.
Access and Connectivity
When you connect your registry, we can observe the components of your containers and bring vulnerabilities to the surface for you.
We utilize multiple scanners to capture data on vulnerabilities across the packages in your containers. Providing insight into the reachability of these CVEs helps you manage vulnerability prioritization and remediation more effectively, so you spend less time analyzing and triaging vulnerabilities.
Our continuous vulnerability scanning, viewable on the Dashboard, keeps you informed about your repo images by tag, image size, and high-severity vulnerabilities. The reachability analysis in the vulnerability summary is updated to reflect these ongoing changes.
A deeper breakdown of the components of your container is accessible on our platform by inspecting individual container profiles, across packages and files.
Our Slack integration allows for your teams to remain informed on vulnerability diffs that could impact the security of your systems. Checking the reachability statuses can assist in addressing these high and critical vulnerabilities.