Module 2: Vulnerability Management

Sysdig Secure provides a comprehensive suite of tools to enhance security and compliance across your application ecosystem. One critical part of CNAPP / CWPP platforms is vulnerability management.

Vulnerability management tools scan hosts and container images to identify common vulnerabilities and exposures (CVEs) across OS packages and third-party libraries, as well as identify misconfigurations and other bad security practices. This gives you the information you need to understand and address risk before running workloads in production.

Sysdig Secure supports image scanning at multiple points along the software development lifecycle. In relation to services running on AWS, there are several approaches to automated image vulnerability scanning:

  • Pipeline
    • Image scanning within CI/CD tools (e.g., Jenkins, AWS CodePipeline, GitLab)
    • Amazon EKS admission-controller image scanning
  • Runtime
    • Continuous scanning of Amazon EKS runtime container images
  • Registry
    • Amazon ECR automated image scanning
    • Image scanning with Docker v2 registries like JFrog Artifactory
  • Developer workstation with the sysdig-cli-scanner

In all cases, the contents of your containers will never leave your infrastructure. This protects your privacy and prevents credentials for repositories from leaking. It may also be a requirement when security concerns require an air-gapped environment.

Image Scanning

An image scanner inspects a container’s content to detect potential threats such as unencrypted passwords, known vulnerabilities, exposed ports, etc. You can implement scanning best practices in several phases of your DevOps pipeline, blocking threats before they are deployed into production, and without adding extra overhead. If you want to learn more about this process, visit the Vulnerability Management document.

Sysdig Secure manages every aspect of the container scan. With Sysdig you can define image scanning policies to validate a container’s content against vulnerability databases, and search for misconfigurations like running as a privileged user, unnecessary open ports, or leaked credentials.

In-Use prioritization powered by Runtime Insights

Every application is built with a determined number of libraries and dependencies but only a subset of these packages are loaded at runtime. Knowing which items are actually in use is a powerful prioritization advantage.

Sysdig Secure image scanning for Amazon EKS provides a special prioritization context called “In Use.” It helps reduce noise by using Runtime Insights to flag the vulnerable packages that are loaded and running and therefore pose real risk in production. (Sysdig agents analyze the behavior of EKS workloads under execution).


With the “In Use” flag you can filter and reduce effective vulnerabilities by up to 95%. When combined with other flags like “Exploit”, this prioritization approach reduces vulnerability noise dramatically, saving time and resources by prioritizing what matters.


The Runtime Insights algorithm's bootstrap process requires several hours to populate the “In Use” details when a new cluster is onboarded. This means the feature cannot be shown in action during the three-hour workshop. Feel free to use the 30-day Free Trial to try it with your own EKS cluster.

Image Scanning Policies

Not only can you create multiple policies that determine what the scan is looking for, but also where to apply them. For example, in your CI/CD pipeline you may wish to use the test site https://sandbox.payment-engine.com/ during your automated QA tests, but when building containers for production this must be the live https://live.payment-engine.com. Or, you may wish to scan specifically for PCI or NIST compliance in a production site.

Further, you may wish to scan existing running containers for zero day vulnerabilities that have recently been detected.
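The following added example (not Sysdig's own code) models the two ideas above in plain Python: the “In Use” and “Exploit” prioritization from Runtime Insights, and a stage-specific policy that decides whether an image passes. The findings, the field names and the CVE identifiers are constructed placeholders, not output from the Sysdig scanner.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

@dataclass(frozen=True)
class Finding:                      # one vulnerable package in a scanned image
    package: str
    cve: str          # constructed placeholder id, not a real advisory
    severity: str
    in_use: bool      # package actually loaded at runtime (Runtime Insights)
    exploit: bool     # a public exploit is known
    fixable: bool     # a fixed package version exists

@dataclass(frozen=True)
class Policy:                       # what one scan stage cares about
    min_severity: str               # ignore findings below this level
    only_in_use: bool               # apply the "In Use" filter
    only_exploit: bool              # apply the "Exploit" filter
    fixable_only: bool              # only count findings a rebuild could patch

# Constructed sample scan output for one image; CVE ids are placeholders.
SAMPLE = [
    Finding("openssl", "CVE-0000-0001", "Critical", True, True, True),
    Finding("libxml2", "CVE-0000-0002", "High", False, True, True),
    Finding("curl", "CVE-0000-0003", "High", True, False, False),
    Finding("zlib", "CVE-0000-0004", "Medium", False, False, True),
    Finding("glibc", "CVE-0000-0005", "Critical", False, False, False),
    Finding("bash", "CVE-0000-0006", "Medium", True, False, True),
]

# CI gate: fail on anything High or above that a rebuild could fix; no runtime data yet.
PIPELINE = Policy("High", only_in_use=False, only_exploit=False, fixable_only=True)
# Running workloads: only packages Runtime Insights saw loaded, Medium and up.
PRODUCTION = Policy("Medium", only_in_use=True, only_exploit=False, fixable_only=False)

def prioritize(findings, policy):   # findings matching the policy, most urgent first
    kept = [f for f in findings
            if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[policy.min_severity]
            and (f.in_use or not policy.only_in_use)
            and (f.exploit or not policy.only_exploit)
            and (f.fixable or not policy.fixable_only)]
    # In-use and exploitable findings first, then by severity, then fixable ones.
    return sorted(kept, key=lambda f: (f.in_use, f.exploit,
                                       SEVERITY_RANK[f.severity], f.fixable), reverse=True)

def noise_reduction(findings, policy):   # share of findings the filters remove
    return 1 - len(prioritize(findings, policy)) / len(findings) if findings else 0.0

def evaluate(findings, policy):   # any finding left after filtering blocks the image
    return "fail" if prioritize(findings, policy) else "pass"
```

On the sample data the production policy discards half of the findings, which is the effect the “In Use” flag is meant to have at scale.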

Image Scanning Reporting

In either case, the output of the scan is sent back to Sysdig, where you can browse the results or run reports.

For details of the ECR Reference Architecture, please have a look at Sysdig Secure for Cloud in AWS.