Security teams can now automatically track and enforce the usage of Chainguard’s low-to-zero known CVE container images through the RAD Security platform. This feature is important because it enables teams to verify improvements to their vulnerability management systems.
The vulnerability management problem
Vulnerability management is expensive, in terms of the time it takes away from innovation and development, as well as the high risk faced by organizations in the case of failures. Vulnerabilities are the single top security concern in container and Kubernetes environments, compared to other factors like misconfigurations, attacks, and failing compliance audits. Teams spend an average of 130 hours per week to monitor and track threats, and it takes more than 20 minutes of manual effort to detect, prioritize, and remediate one vulnerability.
And yet, at the end of the effort, 19% of the software scanned in 2022 still had high or critical severity vulnerabilities, which are usually the ones tackled first and prioritized above the rest.
In terms of container images and vulnerabilities, the problem of container image bloat makes vulnerability management even more difficult, as it is impossible to prioritize and fix everything, but hard to know where to prioritize.
It is for this very reason that CVE Exploitability is a popular feature for many cloud-native security solutions (including RAD Security), that shows vulnerabilities that are exploitable in production. When you know what is happening in runtime, you are better able to prioritize vulnerability management in shift left.
Chainguard Images supercharge vulnerability management programs
Chainguard provides low-to-zero known CVE container images that are secure by default, saving teams hours of work patching vulnerabilities and all the risk that goes with any patches that can’t be made immediately. The following scenarios can be drastically simplified and improved with secure, minimal container images:
- CI/CD security gates: Security teams set up image vulnerability requirements at specific gates in the CI/CD process. If the image has too many vulnerabilities, it will be stuck in a security review, slowing down development
- Golden images programs: Many mature development teams will create golden image programs, where they work to create a vulnerability-free, ‘golden’ image that can be reused over and over
- Zero CVE mandates: Many highly regulated institutions, like banks, are creating top-down zero-CVE mandates to reduce the overall risk of vulnerability exploitation
- Compute efficiency: Reducing the bloat of container images can improve compute efficiency, with lowered memory requirements
- FedRAMP requirements: Many companies trying to meet FedRAMP requirements need a broad swoop effort to bring down overall vulnerability risk, and demonstrate the effectiveness of their programs
RAD Security: Real-time verification and enforcement of Chainguard Images
As any team trying to meet any of the challenges above can vouch, a significant part of the challenge of any vulnerability management system is in affirming, enforcing and reporting on the results of the security measure. This is where RAD Security’s new integration with Chainguard Images can help, because RAD’s real-time Kubernetes Security Posture Management (KSPM) capability can both track and enforce the usage of Chainguard Images:
Search your asset inventory for Chainguard Images
A quick search can show Chainguard Images in your asset inventory.
And when there is a Chainguard Image available, but it’s not being used, that is also clear. Below you can see that the Chainguard Registry is not being used, but there is a Chainguard Image available.
List of images in asset inventory, with Chainguard availability
You can also enforce the usage of Chainguard Images with an admission control rule. This includes policies set to ‘would block’ mode where the policy is not blocking but shows all the places where it would be triggered if it was set to enforce. See here the admission control policy, specifying that containers must use images from Chainguard’s Registry:
And here is the error notice I get when I violate the policy:
RAD is a verified scanner, and will take you directly to the Chainguard Image Directory:
Conclusion
The RAD Security platform takes a custom, behavioral approach to cloud-native detection and response that can counter evolving threats while sharpening inputs into shift-left and posture management.
If vulnerability management is a top priority for your organization, RAD Security’s new integration with Chainguard can help track the uptake of clean images over time, and even enforce their usage with admission control. Ensure your programs are progressing as intended today, with RAD + Chainguard! Reach out today for a demo.