Nnenna Ndukwe

Reachability Analysis: A Focus on Prioritization

The Slim Platform and CLI tool have a slew of features available to teams for vulnerability management and container optimization. One of them is the concept of reachability and how a deeper understanding of this can play an integral part in reducing the attack surface of your team’s software. In this post, we will break down:

  • The reachability challenges for DevOps / DevSecOps teams
  • The importance of reachability in software supply chain security
  • Slim features that enable efficient vulnerability prioritization & mitigation

The Problem with Vulnerability Triage

A key challenge to any vulnerability remediation program is the lack of a definitive, opinionated, and actionable signal that a given vulnerability is even worth pursuing. Once you become aware of potential vulnerabilities, you or someone on your team might be tasked with triaging the vulnerabilities to address. During the triage process, there are expectations of:

  • understanding the vulnerabilities
  • analyzing the potential impact, if any
  • finding a fix, if available
  • assigning tickets to engineering teams

Despite the use of vulnerability scanners, many of these tasks are manual and time-consuming, which results in onerous triage processes that negatively impact Service Level Objectives (SLOs) for vulnerability remediation. Responding too slowly to the vulnerabilities that matter can leave you open to exploits and jeopardize relationships with customers.

At Slim, we believe that our combination of features, which include reachability analysis, can improve your triage velocity by helping you focus on the threats that matter.

Let’s dive more into what reachability is all about.

What is Reachability?

In software supply chain security, the concept of reachability refers to whether a given component — say, an open-source package — can be accessed by a malicious actor. If so, the package is deemed "reachable": it is loaded on a critical path in the container.

It’s imperative to be aware of the severity level of a vulnerability and whether or not external parties can exploit it in order to access data and software systems. This assessment is one of the many factors for determining the attack surface of your software.

“Reachability analysis is of immeasurable value,” says Louis Parkin, Compliance and Security Lead at Stackstate, one of Slim.AI's design partners. “Without it, our team would be working on nothing but vulnerability analysis for the next six months.”

While some of the aforementioned reachability factors are dependent upon how your team writes code, which includes deciding which packages you add to your software systems, Slim manages the security aspects of what comes with building, running, and shipping your code to production.

We scan your containers, bring awareness to their security risk factors, and provide solutions so you’re not left with a heap of challenges that seem unsolvable.

The Slim Solution

Slim provides reachability analysis for containers through a combination of dynamic and static analysis of your container images. We run the images to understand the code paths and libraries called by the kernel — a process we call container profiling.

With a complete profile, we can then provide information on reachability and exploitability that can be used for prioritization.

When addressing risk factors in your code, it is important to consider:

  • Who can access your code from the outside?
  • Which parts of your code are most susceptible to exploitation?
  • Are these vulnerabilities exploitable?
  • Which packages are actually running in the code that include any potentially exploitable vulnerabilities?

Through container profiling, we provide these insights to accelerate your team’s vulnerability management and take it a step further: vulnerability prioritization.

Container Profiling for Vulnerability Prioritization

We’ll break down exactly how Slim enables your teams to capture the reachability factors that keep them aware and effective in reducing vulnerability counts and shipping more secure code, faster.

On the Slim Platform and through the Slim CLI, you can profile your container images by connecting your registries through the platform. Profiling happens via a CLI command, when viewing an image in the UI, or automatically during daily scans for Watched images.

During the scanning process, a "creport.json" is generated. That information is mapped to package data in order to determine which packages are actually running in your container. Reachable packages are combined with our CVE data to sort vulnerabilities for triage prioritization. You can filter by vulnerability or package lists in the UI and add new attributes to downloadable artifacts.

Learn more about all of the robust features available to you by reading our docs on Container Profiles, Vulnerability Scanning, and Slim CLI.

Profiling extends our inventory capabilities to help teams assess and prioritize image security issues, and it is a dependency of the next generation of the Slim container hardening feature.

Dynamic container image scanning provides teams with:

  • Packages that we observe running and the vulnerabilities associated with each package (Reachable Packages)
  • Packages we observe not running and the vulnerabilities associated with each package
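The following is an added illustration, not Slim's code and not the real creport.json format (which the post does not show): it assumes a runtime profile that records the files a container touched, maps those files back to installed packages, and then sorts findings so that vulnerabilities in reachable packages come first, ordered by severity. All data, including the CVE identifiers, is constructed placeholder input.

```python
# Added example: reachability-based triage ordering. Profile, package manifest
# and findings are constructed sample data; the creport.json schema is assumed.

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed runtime profile: files observed being opened or executed while the
# container ran, the kind of signal container profiling collects.
PROFILE = {
    "files_accessed": ["/usr/lib/libssl.so.3", "/usr/bin/python3", "/usr/lib/libz.so.1"],
}

# Constructed package manifest: package -> installed files, as a package
# database (dpkg/rpm/apk) would list them.
PACKAGES = {
    "openssl": ["/usr/lib/libssl.so.3", "/usr/lib/libcrypto.so.3"],
    "zlib": ["/usr/lib/libz.so.1"],
    "curl": ["/usr/bin/curl", "/usr/lib/libcurl.so.4"],
    "python3": ["/usr/bin/python3"],
}

# Constructed scanner findings; the CVE ids are placeholders, not real records.
FINDINGS = [
    {"id": "CVE-0000-0001", "package": "curl", "severity": "CRITICAL"},
    {"id": "CVE-0000-0002", "package": "openssl", "severity": "HIGH"},
    {"id": "CVE-0000-0003", "package": "zlib", "severity": "MEDIUM"},
    {"id": "CVE-0000-0004", "package": "python3", "severity": "LOW"},
]


def reachable_packages(profile, packages):
    """A package counts as reachable if any of its files was touched at runtime."""
    accessed = set(profile["files_accessed"])
    return {name for name, files in packages.items() if accessed.intersection(files)}


def prioritize(findings, reachable):
    """Annotate each finding with reachability, then order the triage queue:
    reachable packages first, highest severity first within each group."""
    annotated = [dict(f, reachable=f["package"] in reachable) for f in findings]
    return sorted(
        annotated,
        key=lambda f: (not f["reachable"], -SEVERITY_RANK[f["severity"]]),
    )


if __name__ == "__main__":
    queue = prioritize(FINDINGS, reachable_packages(PROFILE, PACKAGES))
    for f in queue:
        print(f"{f['id']:<14} {f['package']:<8} {f['severity']:<8} reachable={f['reachable']}")
```

Note that the unreachable CRITICAL finding in curl sorts below the reachable HIGH in openssl; that is the prioritization shift the post describes, and a non-running package is still a candidate for removal from the image rather than a fix.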

When you open a specific scanned container image, you will find its list of vulnerabilities and packages annotated with reachability information to guide prioritization.

The inclusion of this information into your vulnerability and packages data will help your teams cut through noise and speed up prioritization and remediation work.

Mapping the Slim Solution to Reachability Factors

Ultimately, container profiling leverages reachability analysis so you know which vulnerabilities to prioritize for your triage process.

Access and Connectivity

When you connect your registry, we can observe the components of your containers and bring vulnerabilities to the surface for you.

Risk Assessment

We utilize multiple scanners to capture data on vulnerabilities across the packages in your containers. Insight into the reachability of these CVEs helps you manage vulnerability prioritization and remediation more effectively, so you spend less time analyzing vulnerabilities and less time triaging them.

Continuous Monitoring

Our continuous vulnerability scanning, viewable on the Dashboard, keeps you informed about your repository images by tag, image size, and high-severity vulnerabilities. The reachability analysis in the vulnerability summary is updated to reflect these ongoing changes.

Dependency Management

A deeper breakdown of the components of your container is accessible on our platform by drilling into individual container profiles, across packages and files.

Incident Response

Our Slack integration keeps your teams informed of vulnerability diffs that could impact the security of your systems. Checking the reachability status of each finding helps you address these high and critical vulnerabilities first.

Resources & References

Slim Docs
