Container vulnerability scans
Container security is critical for maintaining a hardened runtime environment. While IBM provides security fixes as part of the release process, customers should also proactively assess and mitigate vulnerabilities identified by their security tools. Container scans often report vulnerabilities, particularly at the base operating system (OS) and library levels. However, not all reported CVEs are exploitable or applicable in a specific deployment context. The scan tools are intentionally broad in detection to highlight possible risks, not confirmed exposures. There may even be false positives.
While assessing a container scan report, security professionals responsible for AEW deployments should consider the following factors:
- Applicability
  - Is the vulnerable package used or reachable within the container runtime?
- Exploitability
  - Is there a realistic attack vector in your architecture that might trigger the vulnerability?
- Environmental CVSS Rescoring
  - Adjust the CVSS score based on your risk tolerance, network segmentation, and available compensating controls.
- Scan ticket escalation
  - When escalating a support ticket related to container image scans, your security team must provide their analysis and justify the urgency with details of applicability and exploitability in your environment. This justification helps AEW support expedite security fixes.
- Use runtime security tools to limit container capabilities.
- Monitor exploitation attempts by using intrusion detection systems (IDS) or behavioral anomaly tools.
- Perform a risk assessment.
- Deploy additional security controls if warranted by the reported vulnerabilities, considering the assessed risk to your deployment.