- Amazon's Big Spring Sale is live: The 110+ best tech deals to shop (featuring some of the lowest prices ever)
- 회의에도 참여하는 음성 비서··· 오터.ai, 음성 인식 AI 에이전트 출시
- Active Roles Wins 2025 Cybersecurity Excellence Award for Hybrid Active Directory Protection
- McAfee Wins AV-TEST Awards for Best Advanced Protection and Best Performance | McAfee Blog
- Microsoft 365 Copilot's two new AI agents can speed up your workflow
Enhance security posture: 4 key approaches to manage vulnerabilities
Cloud native application development is surging across businesses, along with the adoption of public cloud infrastructure and services. This progress has led to a growing set of challenges for security: as organizations expand their use of cloud native technologies, the complexity of these environments continues to grow, significantly increasing the attack surface. This added risk has not stopped the adoption but is making scaling and maintenance increasingly difficult, especially as teams have been moving more quickly to meet business demands — all while navigating a diverse and often fragmented cloud security landscape. Among the leading risk factors, vulnerabilities in open source components remain a top concern and demand a comprehensive strategy to minimize the risk, if not eliminate it altogether.
To gain control of the problem, security teams are tasked with maintaining an accurate asset inventory for vulnerability scanning, providing accurate scan results with actionable advice, and tracking remediation efforts for overall risk reduction. These tasks are difficult enough in a stable ecosystem, and they are especially challenging in the current reality of increasing findings and security advisories. The year 2024 broke the record, with more than 40,000 CVEs reported, highlighting this key issue. This surge in vulnerabilities is likely a result of several factors: the widespread use of open source, greater awareness and reporting, complexity of systems and regulatory requirements.
While mitigating every single vulnerability is the ultimate goal, it is often unrealistic given the volume of findings in a modern set of container images, the limited development resources, and the time required to patch and fix them. In 2024, the National Vulnerability Database (NVD) struggled to analyze about half of the vulnerabilities published. This suggests that a significant portion of CVEs are still considered zero-day, meaning that they can be exploited in attacks while their risk is still studied and no fix is published.
Even with these challenges, organizations can still gain control over their vulnerability posture, with the right strategy and tools in place. Effective vulnerability management can help enhance security posture and significantly reduce risk. It’s all about choosing the right approach for the organization and building a robust vulnerability management program based on specific organizational needs and overall risk profile.
Structural and organizational constraints
No matter how skilled the security team is, efforts to manage vulnerabilities are often met with barriers that limit efficacy and increase risk. These roadblocks could include scalability of workloads to monitor, an increasing number of development teams that introduce vulnerabilities faster than they can be fixed, rapid deployment of updates and new features that can make timely patching and complexity in managing hybrid and multi-cloud environments.
Additionally, the division between development and security teams creates significant management challenges. Critical security information remains siloed within security departments, hindering developers who are under pressure to deliver features quickly. All of these factors make it difficult to efficiently address vulnerabilities accumulated over time and new ones that are being constantly introduced to the application stacks.
The thought of a simple process that includes scanning, handing over a list of vulnerabilities to be fixed, and waiting for developers to fix them is not working in today’s reality.
Four key approaches to handling vulnerabilities
While fixing a vulnerability by updating a component to a non-vulnerable version remains the main path to remediation, it is not the only approach. Waiting for a patch to be available, then waiting for developers to apply it, along with the testing required to release the application, could leave the exposure in place for too long. Organizations should consider expanding the toolbox to include removing non-essential components from container images, employing runtime defenses and accepting the risk associated with less critical vulnerabilities. When a vulnerability arises, it’s important to consider each approach so that the risk is effectively and quickly dealt with.
1. Remove it
This approach involves eliminating the component affected by the vulnerability. Completely removing the vulnerable component, though ideal for eliminating risk, is often not considered the first approach due to its impact on the application and its dependencies. But short of removing components from an image, there is also the option of removing older images, ones where vulnerabilities still exist, from the registry. Cleaning up old images removes the risk of an outdated image finding its way to a production cluster, along with the added benefits of reduced storage. Removing old images is also the fastest way to reduce the overall vulnerability counts.
2. Fix it
Patching and updating vulnerable software brings the benefit of improved security and up-to-date components. However, the availability and nature of fixes can vary significantly depending on whether the software is sourced directly from an open source repository or through a downstream package. Security practitioners need to be aware of the work required to apply a fix, especially when it is packaged in a larger component requiring functionality retesting.
3. Mitigate it
This method involves implementing measures to reduce the impact or likelihood of exploitation. It can be a practical approach when immediate fixes aren’t possible or when the work to apply them is balanced against other priorities. Runtime security controls can be used to monitor and limit processes, files and network activity. These controls can target the underlying mechanisms of how vulnerabilities are exploited, effectively mitigating their risk. Common controls include preventing vulnerable processes from executing and implementing security measures such as drift prevention and blocking fileless execution, to prevent attackers from establishing a foothold in a vulnerable workload.
4. Accept the risk
With the understanding that vulnerabilities cannot be fully eliminated, acknowledging a vulnerability and accepting the associated risk could be a valid approach in cases where the vulnerability is low risk or other compensating controls are in place. This requires organizations to understand the cost/benefit of assuming the risk, document the reason for the exception, and limit its duration. It is also common to see a short grace period for fixing vulnerabilities, especially newly found ones.
Choosing the best approach to vulnerability management
Choosing the most optimal way to address a vulnerability requires evaluating a range of factors. While severity and score (measured as critical, high, or low, and often using CVSSv2, v3, or v4) are important, they are only a part of the picture, and more data points are needed to have a more holistic view. A thorough assessment should also consider the vulnerability’s context — its specific environment, including the nature of the application, the affected component, how it entered the environment, and its exploitation potential, including whether it’s remotely exploitable and if known exploits exist.
To gain these deeper insights, organizations can leverage tools that provide comprehensive information about each vulnerability within its context, including maintainer score, temporal score, exploit details, and whether it exists in running workloads. Given the large volume of vulnerability findings, these tools are essential for prioritization and efficient management.
For example, a vulnerability scan returns results showing that CVE-2016-7098 is present. This is an older vulnerability associated with older versions of wget, but because it is present, the risk should be evaluated. In addition to its CVSS score of 8.3 (high risk), some factors that make this vulnerability dangerous are:
- It allows for remote execution.
- Code to exploit this vulnerability is widely available on the internet.
- The number of workloads running with this vulnerability.
Although the maintainer of the package has reclassified this as a minor issue, the other factors, along with the fact that a fix is readily available, indicate that the best approach in this scenario is to fix the vulnerability as soon as possible to the next minor version. Additionally, Dev teams might contemplate updating the resource or entire underlying operating system to the most recent major version for comprehensive security improvements, which might catch and remediate a number of other vulnerabilities.
As organizations increasingly rely on cloud-native technologies, they must take the security challenges of these complex environments into consideration. Effectively managing vulnerabilities is crucial for maintaining a strong security posture and mitigating risk. While the sheer volume of vulnerabilities can be daunting, a strategic approach to managing them is key. This involves understanding methods of handling vulnerabilities and carefully evaluating which approach is most appropriate for each specific instance. Moving beyond a simple focus on severity and score, organizations must consider the context of the vulnerability, its potential for exploitation, and leverage available tools to gain deeper insights. With a well-informed, comprehensive strategy, organizations can effectively navigate cloud-native security and reduce their vulnerability risk.
