Living in a container-native world is not easy. Containers have a reputation for being the point of security vulnerabilities for many organizations. In 2015, over 40 percent of Docker images distributed through Docker Hub had high-risk vulnerabilities; at that time, Docker Hub hosted over 95,000 container images. Today, there are over 3.5 million container images on Docker Hub, and container security is a greater concern. A more recent 2020 study by a team of researchers at the Norwegian University of Science and Technology found container image vulnerabilities in certified and popular packages.
This is one example of many kinds of security vulnerabilities. This blog post will share an introduction to security vulnerabilities and the role of vulnerability management for containers and other artifacts in a CI/CD pipeline.
A vulnerability is a weakness or flaw present in software. Security vulnerabilities can be present in application dependencies or Operating System (OS) packages. Common vulnerabilities include missing data encryption, buffer overflows, missing authentication for critical functions, and insecure interactions between software components.
There are different risks associated with vulnerabilities. With critical or high-risk vulnerabilities, someone who exploits your software has the potential to impact your organization severely. Risks can involve data breaches that impact not only an organization but also users and customers.
Vulnerability practices and tools exist to make detecting vulnerabilities simple, accurate, and fast. Some of these practices include:
These practices help build vulnerability management techniques across your security and delivery teams. One way to scale these security practices is through security automation. Security automation is the use of technology that performs tasks with reduced manual assistance. It ultimately enables users to apply security decisions and secure processes to deliver applications and infrastructure.
Security automation is a core tenet of DevSecOps. DevSecOps is short for development, security, and operations; it is how organizations make security decisions and take security actions as part of the deliverables they value.
DevSecOps is a way of continuously integrating security in the software development lifecycle. It’s a way of working and thinking so that security is at the forefront of how our teams deliver business value.
One way to enable DevSecOps is through your Continuous Integration and Continuous Delivery (CI/CD) pipeline. We've discussed how to use the Harness platform to accelerate better software delivery; with that freedom and empowerment, it's even more important to enable security to avoid incidents. Vulnerability scanning improves software security while giving individuals across engineering and product teams accountability for each of the processes those teams own.
In this blog post, we shared an introduction to security vulnerabilities and how they have different risks for your organization. There are practices and tools for detecting and reducing security vulnerabilities, and finding ways to incorporate those processes into a CI/CD pipeline is a great way to accelerate your DevSecOps. If you'd like to know more about how Harness helps teams deliver secure software in the cloud, click here to schedule a free demo of Harness, the enterprise-ready CI/CD platform.