Dark Reading is part of the Informa Tech Division of Informa PLC

Edge Ask The Experts

3/10/2020 10:40 AM
Edge Editors

What Should I Do About Vulnerabilities Without Fixes?

With better tools that identify potential threats even before developers address them, a new problem has arisen.

Question: What should I do about vulnerabilities without fixes?

Tsvi Korren, field CTO at Aqua Security: Security vendors are getting better at identifying vulnerabilities and making the results available earlier in the software development cycle. Shifting left by providing vulnerability data to application developers and making them an active part of risk remediation is a good thing. However, this introduces a new challenge for security practitioners: what to do about vulnerabilities in open source components where a fix is not available or when a fixed version cannot be used due to software dependencies?

When vulnerabilities were only examined after deployment, you may have been at risk, but the fact that you didn't know about them earlier at least meant you were not negligently introducing risk into production. Now you face a few difficult options when presented with a vulnerability for which no fix exists or for which the fix cannot be used:

  1. Stop the pipeline and potentially delay rollout of the application until a fix is available (or even bring down a deployed application).
  2. Task your own development team with creating a fix (assuming you have the code and the expertise) or finding a workaround.
  3. Move ahead accepting the risk, clearing it with appropriate compliance people, which certainly is not ideal.

Another option is to run the application in a cloud-native environment and closely control its runtime behavior. Since containers and functions are deterministic, it is possible to identify and stop execution of code that is not aligned with the workload's intended purpose. By blocking access to specific users, commands, files, ports, or system calls, security can defang a vulnerability so that any attempt to exploit it is stopped or at least clearly identified. This ability bridges the gap, allowing application rollout to proceed until a permanent code fix becomes available.
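The runtime-control idea above, as an added example that is not from the article or from Aqua Security's products: a small allow-list policy describing what one container workload is supposed to do (its user, executables, writable paths, ports, and system calls), evaluated against a stream of runtime events. Anything outside the profile is blocked in enforce mode or reported in detect mode, which is how a control of this kind can sit in front of an unfixed vulnerability. The profile, the event format, and the sample events are all constructed for illustration; a real sensor would supply its own telemetry.

```python
# Added example: allow-list runtime policy for a single container workload.
# Not the article's or any vendor's code; profile and events are constructed.
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Event kinds this toy policy understands; anything else is treated as a deviation.
KNOWN_KINDS = {"exec", "file_write", "listen", "connect", "syscall"}


@dataclass(frozen=True)
class WorkloadProfile:
    """Intended behaviour of one deterministic workload (hypothetical fields)."""
    users: frozenset            # OS users the workload may run as
    executables: frozenset      # binaries it may execute
    writable_prefixes: tuple    # path prefixes it may write under
    listen_ports: frozenset     # ports it may bind
    outbound_ports: frozenset   # ports it may connect to
    syscalls: frozenset         # system calls it actually needs
    mode: str = "enforce"       # "enforce" blocks deviations, "detect" only alerts


def evaluate(profile: WorkloadProfile, event: Dict) -> Tuple[str, str]:
    """Return (decision, reason) for one runtime event.

    decision is "allow", "block" (enforce mode) or "alert" (detect mode).
    """
    kind = event.get("kind")
    user = event.get("user")
    if kind not in KNOWN_KINDS:
        reason = f"unrecognised event kind {kind!r}"
    elif user not in profile.users:
        reason = f"user {user!r} is not part of this workload"
    elif kind == "exec" and event["path"] not in profile.executables:
        reason = f"unexpected executable {event['path']}"
    elif kind == "file_write" and not event["path"].startswith(profile.writable_prefixes):
        reason = f"write outside permitted paths: {event['path']}"
    elif kind == "listen" and event["port"] not in profile.listen_ports:
        reason = f"unexpected listening port {event['port']}"
    elif kind == "connect" and event["port"] not in profile.outbound_ports:
        reason = f"unexpected outbound port {event['port']}"
    elif kind == "syscall" and event["name"] not in profile.syscalls:
        reason = f"syscall {event['name']} not needed by this workload"
    else:
        return ("allow", "")
    return ("block" if profile.mode == "enforce" else "alert", reason)


def audit(profile: WorkloadProfile, events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Evaluate a sequence of events; returns (event id, decision, reason) per event."""
    return [(e["id"], *evaluate(profile, e)) for e in events]


def blocked_ids(profile: WorkloadProfile, events: List[Dict]) -> List[str]:
    """Ids of events the policy would not allow (blocked or alerted)."""
    return [eid for eid, decision, _ in audit(profile, events) if decision != "allow"]


def detect_mode(profile: WorkloadProfile) -> WorkloadProfile:
    """Same profile, but only report deviations instead of stopping them."""
    return replace(profile, mode="detect")


# Constructed profile for a hypothetical Node.js web service.
WEB_APP_PROFILE = WorkloadProfile(
    users=frozenset({"app"}),
    executables=frozenset({"/usr/bin/node"}),
    writable_prefixes=("/tmp/", "/var/app/cache/"),
    listen_ports=frozenset({8080}),
    outbound_ports=frozenset({443, 5432}),
    syscalls=frozenset({"read", "write", "openat", "socket", "connect",
                        "accept4", "epoll_wait", "futex", "mmap", "exit_group"}),
)

# Constructed events in the shape a runtime sensor might report (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "e1", "kind": "exec", "user": "app", "path": "/usr/bin/node"},
    {"id": "e2", "kind": "connect", "user": "app", "port": 5432},
    {"id": "e3", "kind": "exec", "user": "app", "path": "/bin/sh"},
    {"id": "e4", "kind": "file_write", "user": "app", "path": "/etc/crontab"},
    {"id": "e5", "kind": "connect", "user": "app", "port": 9999},
    {"id": "e6", "kind": "syscall", "user": "app", "name": "ptrace"},
    {"id": "e7", "kind": "exec", "user": "root", "path": "/usr/bin/node"},
]


if __name__ == "__main__":
    for eid, decision, reason in audit(WEB_APP_PROFILE, SAMPLE_EVENTS):
        print(f"{eid}: {decision:5} {reason}")
```

The profile is deliberately an allow-list rather than a deny-list: because the workload is deterministic, everything it legitimately does can be enumerated, and a vulnerability that tries to make it do something else (spawn a shell, write outside its data directory, reach an unexpected port) falls outside the list without the policy needing to know anything about the specific bug. Running in detect mode first and reviewing the alerts is the usual way to confirm the profile is complete before switching to enforce.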


The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.
