Reachability: A Focus on Prioritization

Nnenna Ndukwe

Reachability Analysis: A Focus on Prioritization

The Slim Platform and CLI tool have a slew of features available to teams for vulnerability management and container optimization. One of them is the concept of reachability and how a deeper understanding of this can play an integral part in reducing the attack surface of your team’s software. In this post, we will break down:

  • The reachability challenges for DevOps / DevSecOps teams
  • The importance of reachability in software supply chain security
  • Slim features that enable efficient vulnerability prioritization & mitigation

The Problem with Vulnerability Triage

A key challenge to any vulnerability remediation program is the lack of a definitive, opinionated, and actionable signal that a given vulnerability is even worth pursuing. Once you become aware of potential vulnerabilities, you or someone on your team might be tasked with triaging the vulnerabilities to address. During the triage process, there are expectations of:

  • understanding the vulnerabilities
  • analyzing the potential impact, if any
  • finding a fix, if available
  • assigning tickets to engineering teams

Despite the use of vulnerability scanners, many of these tasks are manual and time-consuming, which results in onerous triage processes that negatively impact Service Level Objectives (SLOs) for vulnerability remediation. Moving too slowly to respond to the right vulnerabilities can leave you open to exploits and jeopardize relationships with customers.

At Slim, we believe that our combination of features, which include reachability analysis, can improve your triage velocity by helping you focus on the threats that matter.

Let’s dive more into what reachability is all about.

What is Reachability?

In software supply chain security, the concept of reachability refers to whether a given component — say, an open-source package — can be accessed by a malicious actor. If so, the package is deemed "reachable" in that it loads in a critical path in a container.

It’s imperative to be aware of the severity level of a vulnerability and whether or not external parties can exploit it in order to access data and software systems. This assessment is one of the many factors for determining the attack surface of your software.

“Reachability analysis is of immeasurable value," says Louis Parkin, Compliance and Security Lead at Stackstate, one of Slim.AI's design partners. "Without it, our team would be working on nothing but vulnerability analysis for the next six months.”

While some of the aforementioned reachability factors are dependent upon how your team writes code, which includes deciding which packages you add to your software systems, Slim manages the security aspects of what comes with building, running, and shipping your code to production.

We scan your containers, bring awareness to their security risk factors, and provide solutions so you’re not left with a heap of challenges that seem unsolvable.

The Slim Solution

Slim provides reachability analysis for containers through a combination of dynamic and static analysis of your container images. We run the images to understand the code paths and libraries called by the kernel — a process we call container profiling.

With a complete profile, we can then provide information on reachability and exploitability that can be used for prioritization.

When addressing risk factors in your code, it is important to consider:

  • Who can access your code from the outside?
  • Which parts of your code are most susceptible to exploitation?
  • Are these vulnerabilities exploitable?
  • Which packages are actually running in the code that include any potentially exploitable vulnerabilities?

Through container profiling, we provide these insights to accelerate your team’s vulnerability management and take it a step further: vulnerability prioritization.

Container Profiling for Vulnerability Prioritization

We’ll break down exactly how Slim enables your teams to capture the reachability factors that keep them aware and effective in reducing vulnerability counts and shipping more secure code, faster.

On the Slim Platform and through the Slim CLI, you can profile your container images by connecting your registries through the platform. Profiling happens via a CLI command, when viewing an image in the UI, or automatically during daily scans for Watched images.

During the scanning process, a "creport.json" is generated. That information is mapped to package data in order to determine which packages are actually running in your container. Reachable packages are combined with our CVE data to sort vulnerabilities for triage prioritization. You can filter by vulnerability or package lists in the UI and add new attributes to downloadable artifacts.

Learn more about all of the robust features available to you by reading our docs on Container Profiles, Vulnerability Scanning, and Slim CLI.

Profiling extends our inventory capabilities to help teams assess and prioritize image security issues and is a dependency to the next generation of the Slim container hardening feature.

Dynamic container image scanning provides teams with:

  • Packages that we observe running and the vulnerabilities associated with each package (Reachable Packages)
  • Packages we observe not running and the vulnerabilities associated with each package
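The two steps described above (mapping a runtime profile to installed packages, then combining the reachable packages with CVE data to order the triage queue) and the reachable/not-running split can be shown in a few dozen lines. The following is an added example and is not Slim's code; the observed-file set, the package manifest, the vulnerability records and the CVE identifiers are all constructed placeholders, and the real creport.json schema is not reproduced here.

```python
"""Toy reachability-based vulnerability prioritization (added example, not Slim's code).

Idea: a package is "reachable" if the dynamic profile saw any file it owns
being used while the container ran. Vulnerabilities in reachable packages
are ranked ahead of everything else, then by severity, then fixable first.
"""

# Constructed: paths a runtime profile observed being opened or executed.
OBSERVED_FILES = {
    "/usr/lib/libssl.so.3",
    "/usr/lib/libcrypto.so.3",
    "/usr/bin/node",
    "/app/server.js",
}

# Constructed: package manifest, installed package -> files it owns.
PACKAGE_FILES = {
    "openssl": ["/usr/lib/libssl.so.3", "/usr/lib/libcrypto.so.3"],
    "nodejs": ["/usr/bin/node"],
    "curl": ["/usr/bin/curl", "/usr/lib/libcurl.so.4"],
    "imagemagick": ["/usr/bin/convert", "/usr/lib/libMagickCore.so"],
}

# Constructed vulnerability records; the CVE ids are placeholders, not real CVEs.
VULNS = [
    {"id": "CVE-0000-0001", "package": "curl", "severity": "CRITICAL", "fix": "8.0.1"},
    {"id": "CVE-0000-0002", "package": "openssl", "severity": "HIGH", "fix": "3.0.8"},
    {"id": "CVE-0000-0003", "package": "imagemagick", "severity": "HIGH", "fix": None},
    {"id": "CVE-0000-0004", "package": "nodejs", "severity": "MEDIUM", "fix": "18.16.0"},
    {"id": "CVE-0000-0005", "package": "openssl", "severity": "LOW", "fix": None},
]

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def reachable_packages(observed_files, package_files):
    """Return the packages that own at least one observed file."""
    return {
        pkg for pkg, files in package_files.items()
        if any(path in observed_files for path in files)
    }


def split_by_reachability(vulns, reachable):
    """Split findings into (reachable, not running), mirroring the two lists above."""
    running = [v for v in vulns if v["package"] in reachable]
    idle = [v for v in vulns if v["package"] not in reachable]
    return running, idle


def prioritize(vulns, reachable):
    """Order findings: reachable first, then severity descending, then fixable first.

    Python's sort is stable, so findings with equal keys keep scanner order.
    """
    def key(v):
        return (v["package"] in reachable, SEVERITY_RANK[v["severity"]], v["fix"] is not None)

    return [
        {**v, "reachable": v["package"] in reachable}
        for v in sorted(vulns, key=key, reverse=True)
    ]


if __name__ == "__main__":
    reach = reachable_packages(OBSERVED_FILES, PACKAGE_FILES)
    print("reachable packages:", sorted(reach))
    print("not running:", sorted(set(PACKAGE_FILES) - reach))
    for v in prioritize(VULNS, reach):
        flag = "REACHABLE" if v["reachable"] else "idle"
        print(f'{v["id"]:14} {v["package"]:12} {v["severity"]:8} {flag}')
```

The ordering deliberately puts a reachable HIGH finding in openssl above an unreachable CRITICAL finding in curl: the critical issue is still real and still worth a ticket, but the running library is the one an external party could actually exercise, so it goes to the top of the queue. Swapping the key tuple around is all it takes to express a different triage policy.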

When peering into a specific container image that is scanned, you will find a list of vulnerabilities and packages that include reachability information when determining prioritization.

The inclusion of this information into your vulnerability and packages data will help your teams cut through noise and speed up prioritization and remediation work.

Mapping the Slim Solution to Reachability Factors

Ultimately, container profiling leverages reachability analysis so you know which vulnerabilities to prioritize for your triage process.

Access and Connectivity

When you connect your registry, we can observe the components of your containers and bring vulnerabilities to the surface for you.

Risk Assessment

We utilize multiple scanners to capture data on vulnerabilities that span the packages in your containers. Providing insight on the reachability of these CVEs helps you manage vulnerability prioritization and remediation more effectively, so you spend less time analyzing vulnerabilities and less time triaging them.

Continuous Monitoring

Our continuous vulnerability scanning viewable on the Dashboard keeps you informed on your repo images based on tags, image size, and high severity vulnerabilities. Your reachability analysis in the vulnerability summary will be updated to reflect these ongoing changes.

Dependency Management

A deeper breakdown of the components of your container is accessible to you on our platform by peering into individual container profiles, across packages and files.

Incident Response

Our Slack integration allows for your teams to remain informed on vulnerability diffs that could impact the security of your systems. Checking the reachability statuses can assist in addressing these high and critical vulnerabilities.
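What a "vulnerability diff" that is worth an alert looks like, as an added example that is not Slim's code or its Slack integration: two scan results for the same image are compared, and only findings that are new or newly escalated, high or critical, and reachable are surfaced. The scan records, severities and CVE identifiers are constructed placeholders.

```python
"""Toy scan-to-scan vulnerability diff with a reachability filter (added example, not Slim's code)."""

ALERT_SEVERITIES = {"HIGH", "CRITICAL"}

# Constructed: each scan maps a placeholder CVE id to its record.
YESTERDAY = {
    "CVE-0000-0001": {"package": "curl", "severity": "CRITICAL", "reachable": False},
    "CVE-0000-0002": {"package": "openssl", "severity": "HIGH", "reachable": True},
    "CVE-0000-0006": {"package": "zlib", "severity": "MEDIUM", "reachable": True},
}
TODAY = {
    "CVE-0000-0001": {"package": "curl", "severity": "CRITICAL", "reachable": False},
    "CVE-0000-0006": {"package": "zlib", "severity": "HIGH", "reachable": True},     # severity raised
    "CVE-0000-0007": {"package": "openssl", "severity": "CRITICAL", "reachable": True},  # new
    "CVE-0000-0008": {"package": "imagemagick", "severity": "CRITICAL", "reachable": False},  # new, idle
}


def diff_scans(old, new):
    """Return (added, removed, changed) between two scans of the same image."""
    added = {cve: new[cve] for cve in new.keys() - old.keys()}
    removed = {cve: old[cve] for cve in old.keys() - new.keys()}
    changed = {cve: (old[cve], new[cve]) for cve in old.keys() & new.keys() if old[cve] != new[cve]}
    return added, removed, changed


def actionable(old, new):
    """CVE ids that deserve a notification: reachable, high/critical, and either new
    or escalated into that state since the previous scan."""
    added, _, changed = diff_scans(old, new)
    hits = []
    for cve, rec in added.items():
        if rec["reachable"] and rec["severity"] in ALERT_SEVERITIES:
            hits.append(cve)
    for cve, (before, after) in changed.items():
        now_alert = after["reachable"] and after["severity"] in ALERT_SEVERITIES
        was_alert = before["reachable"] and before["severity"] in ALERT_SEVERITIES
        if now_alert and not was_alert:
            hits.append(cve)
    return sorted(hits)


def summary(old, new):
    """One line per actionable finding, suitable for a chat notification."""
    lines = [f'{cve}: {new[cve]["package"]} {new[cve]["severity"]} (reachable)' for cve in actionable(old, new)]
    return "\n".join(lines) if lines else "no new reachable high/critical findings"


if __name__ == "__main__":
    print(summary(YESTERDAY, TODAY))
```

The unreachable CRITICAL finding in imagemagick still appears in the full diff and should stay in the backlog; it is simply kept out of the interrupt-driven channel, which is the point of checking reachability status before paging anyone.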

Resources & References

Slim Docs

Embarking on a New Journey

Farewell, Slim — Transitioning to a new and larger mission!

We're excited to share some big news from Slim.AI. We're taking a bold new direction, focusing all our energy on software supply chain security, now under our new name root.io. To meet this opportunity head-on, we’re building a solution focused on transparency, trust, and collaboration between software producers and consumers.

When we started Slim.AI, our goal was to help developers make secure containers. But as we dug deeper with our early adopters and key customers, we realized a bigger challenge exists within software supply chain security — namely, fostering collaboration and transparency between software producers and consumers. The positive feedback and strong demand we've seen from our early customers made it crystal clear: This is where we need to focus.

This new opportunity demands a company and brand that meet the moment. To that end, we’re momentarily stepping back into stealth mode, only to emerge with a vibrant new identity, and a groundbreaking product very soon at root.io. Over the next few months, we'll be laser-focused on working with design partners and building up the product, making sure we're right on the mark with what our customers need.

Stay informed and up-to-date with our latest developments at root.io. Discover the details about the end of life for Slim services, effective March 31, 2024, by clicking here.
