Modern cloud native applications are complex and depend on many external libraries, including open source components with many known vulnerabilities. Managing and fixing a large number of vulnerabilities across multiple components is a tedious job. Adoption of containers, Kubernetes, and CI/CD based deployment models has further exacerbated the vulnerability management problem because of their rapid development and deployment cycles. Thousands of vulnerabilities are disclosed every month, and it is not possible for developers to fix all of them in a highly dynamic cloud environment in a short span of time. To address this problem, we need a way to prioritize the most important vulnerabilities and focus on remediating them first. In this article, we describe the approach Deepfence ThreatMapper takes to solve this problem.
Understanding the difference between vulnerability and exploitability can help us prioritize vulnerabilities. A vulnerability is a weakness in deployed software that could possibly be exploited by attackers. However, the presence of a vulnerability does not mean it is always possible for attackers to use it for unauthorized activity. Exploitability means the availability of an actual attack design or code (an exploit) that uses the vulnerability to violate system integrity. The availability of a real exploit means an attacker has a practical way to attack vulnerable targets. While it is not possible to fix all the vulnerabilities in deployed cloud native workloads, on the brighter side it is perhaps not even necessary to fix all of them, as many of them may not be exploitable by a real attacker.
Many disclosed vulnerabilities are not easily exploitable by external attackers for various reasons: the affected container image may not be running, or exploitation may require local access privileges, specific system configuration settings, or user interaction.
Let us explain the concept of exploitability in more detail using two different real vulnerabilities mentioned below.
The latest Common Vulnerability Scoring System (CVSS) mentions some important features of the vulnerabilities that can affect the ease of exploitability. We describe these important characteristics below:
In addition to CVSS metrics, the following additional characteristics can impact the exploitability of a vulnerability:
While both the vulnerabilities in our example are serious flaws, developers can focus on fixing the first vulnerability as its features make it much more exploitable in the wild. Based on the exploitability characteristics of vulnerabilities, Deepfence helps developers and security analysts to prioritize and focus on the set of most important vulnerabilities which can be easily exploited by attackers and can cause severe damage to the system’s integrity.
We use various important features of vulnerabilities to rank them by ease of exploitation. First, we use the CVSS score, severity, attack vector, attack complexity, and how long the containers or VMs have been running without being patched to compute a score indicating how easily a vulnerability can be exploited. If a container has been running for a long time without being patched or upgraded, attackers may have more information about its vulnerabilities and better exploits for them, increasing the likelihood of successful exploitation. We take this into account when updating the initial vulnerability score, and then normalize the final score to a range of 0 to 10 (with 0 indicating no apparent vulnerability and 10 indicating highly vulnerable). We rank the vulnerabilities by this final score and display them in the UI.
Additionally, we also assign an overall vulnerability score between 0–10 for all the VMs and images by using a formula to compute a weighted average of the individual vulnerability scores as shown in the following picture. This gives a high level summary for developers to focus on the most vulnerable VMs and container images in their cloud infrastructure.
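The two scoring steps above (a per-vulnerability exploitability score from CVSS metrics and unpatched age, then a weighted average per image or VM) can be made concrete with a small model. The following is an added example, not ThreatMapper's own code, and the page does not publish the product's formula: every weight, the age bonus, the choice of weighting the average by the score itself, the `Finding` type and the sample findings (`VULN-A` through `VULN-C`) are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed weights (illustrative, not ThreatMapper's published values).
# CVSS v3 Attack Vector: Network / Adjacent / Local / Physical.
ATTACK_VECTOR_WEIGHT = {"N": 1.0, "A": 0.8, "L": 0.6, "P": 0.4}
# CVSS v3 Attack Complexity: Low / High.
ATTACK_COMPLEXITY_WEIGHT = {"L": 1.0, "H": 0.7}
MAX_AGE_DAYS = 365     # assumed: the unpatched-age bonus saturates after a year
MAX_AGE_BONUS = 0.25   # assumed: up to +25% for workloads left unpatched


@dataclass(frozen=True)
class Finding:
    """One vulnerability observed in a running container or VM (assumed shape)."""
    vuln_id: str
    cvss_base: float        # CVSS base score, 0.0 to 10.0
    attack_vector: str      # "N", "A", "L" or "P"
    attack_complexity: str  # "L" or "H"
    days_unpatched: int     # how long the workload has run without a fix


def age_factor(days_unpatched: int) -> float:
    """Scale factor that grows linearly with unpatched age, capped at MAX_AGE_DAYS."""
    capped = max(0, min(days_unpatched, MAX_AGE_DAYS))
    return 1.0 + MAX_AGE_BONUS * capped / MAX_AGE_DAYS


def exploitability_score(f: Finding) -> float:
    """Per-vulnerability score on a 0-10 scale: CVSS base score, scaled down for
    harder attack vectors and higher complexity, scaled up for unpatched age,
    then clamped so that the result stays within 0..10."""
    if f.attack_vector not in ATTACK_VECTOR_WEIGHT:
        raise ValueError(f"unknown attack vector {f.attack_vector!r}")
    if f.attack_complexity not in ATTACK_COMPLEXITY_WEIGHT:
        raise ValueError(f"unknown attack complexity {f.attack_complexity!r}")
    base = max(0.0, min(f.cvss_base, 10.0))
    raw = (base
           * ATTACK_VECTOR_WEIGHT[f.attack_vector]
           * ATTACK_COMPLEXITY_WEIGHT[f.attack_complexity]
           * age_factor(f.days_unpatched))
    return max(0.0, min(raw, 10.0))


def rank_findings(findings: list[Finding]) -> list[str]:
    """Vulnerability ids ordered from most to least exploitable."""
    return [f.vuln_id for f in sorted(findings, key=exploitability_score, reverse=True)]


def image_score(findings: list[Finding]) -> float:
    """Overall 0-10 score for an image or VM as a weighted average of its
    findings' scores. The weight of each finding is its own score, so a single
    critical, easily exploited flaw dominates many low-risk ones (assumed choice)."""
    scores = [exploitability_score(f) for f in findings]
    total_weight = sum(scores)
    if total_weight == 0.0:
        return 0.0
    return sum(s * s for s in scores) / total_weight


# Constructed sample findings; ids are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("VULN-A", 9.8, "N", "L", 365),  # remote, low complexity, unpatched a year
    Finding("VULN-B", 9.8, "L", "H", 0),    # same base score, but local and complex
    Finding("VULN-C", 7.5, "N", "L", 73),   # remote, moderately old
]

if __name__ == "__main__":
    for vid in rank_findings(SAMPLE_FINDINGS):
        f = next(x for x in SAMPLE_FINDINGS if x.vuln_id == vid)
        print(f"{vid}: base={f.cvss_base} exploitability={exploitability_score(f):.1f}")
    print(f"image score: {image_score(SAMPLE_FINDINGS):.1f}")
```

The sample illustrates the point made above: `VULN-A` and `VULN-B` share the same CVSS base score, but the remote, low-complexity, long-unpatched one saturates at 10 while the local, high-complexity one drops to about 4, so the ranking separates them even though a plain severity sort would not.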
Detecting and mitigating vulnerabilities is the first step towards protecting your system from critical threats. Our free ThreatMapper offering helps you measure and reduce your attack surface. ThreatStryker, our Enterprise offering, considers exploitability as one of the key signals, in addition to many other runtime signals, when detecting and protecting against attacks.
If you’re interested in learning more about ThreatMapper or ThreatStryker, reach out. We’d love to show you how we can help you protect against vulnerabilities and increase the security of your applications across the entire CI/CD pipeline.