In part 1 of our container security terminology guide, we introduced everyone to our shift left lexicon to help you gain a clear understanding of the key phrases and common phrases used in DevSecOps. Today, we’re sharing part 2 of our guide where we’ll broaden our focus to include additional key security language is routinely used across DevSecOps teams and organizations.
We know not everyone in an organization is a security expert; this lexicon is intended to help organizations clearly understand DevSecOps terminology.
Container Security Terminology Guide
An audit is a periodic exercise to review and judge the state of a software project. Audits can be performed against internal policies or external standards and may be conducted by internal security teams or by outside specialists.
Center for International Security (CIS)
The CIS is a nonprofit organization with a mission is to “identify, develop, validate, promote, and sustain best practice solutions for cyber defense.” CIS publishes a collection of benchmarks and controls that form the basis for many industry-standard security policies.
Common Vulnerabilities and Exposures (CVE)
The CVE is a system for standardizing documentation and reference to security issues. Many devs might gather feedback from a security tool that finds CVE’s attached to packages or libraries related to their application(s). Not every CVE needs to be remediated. In fact, there will always be some false positives that slip through the cracks. Track the false positives, remediate applicable high/critical vulnerabilities, and try to burn down vulnerabilities that are older.
Common Vulnerability Scoring System (CVSS)
The CVSS is an industry-standard method for evaluating vulnerabilities and assigning severity scores to them. These scores are often included in vulnerability feeds and can be used by security teams to control thresholds for approving software. For example, organizations could create a benchmark where they only approve containers that contain no vulnerabilities that violate a CVSS impact and exploitability score of a 7.5. CVSS scoring is also a good compass to guide which CVE’s are more critical than others and can be used by teams to prioritize what needs fixing first within their builds.
Open-source software projects use a variety of different software licenses with different conditions for use and distribution of derivative software. Some licenses may be incompatible with each other or may have conditions that are incompatible with corporate policies.
NIST (National Institute of Standards and Technology)
NIST publishes widely-regarded security standards such as NIST 800-180 and maintains the National Vulnerability Database.
NVD (National Vulnerability Database)
NVD is a database of known vulnerabilities, mitigations, and vendor comments, maintained by NIST and freely distributed via a collection of feeds.
Policy is a set of rules that are used to perform an evaluation of a container image. Rules can, in theory, examine any aspect of the examined images. Commonly rules look at known CVEs contained in the image, ports exposed by the image, packages installed in the image, or even metadata such as the on-disk size of the image.
Scanning is the process of examining container images, inventorying the contents, and applying policy/rules. The output of the scanning process is a judgment on whether the image complies with the selected policies or not, and that judgment can be used to provide feedback to developers, make decisions about the promotion of an image from a lower environment to a higher one, or even to prevent deployment of an image into a cluster.
A central practice in DevSecOps, shift left is essentially the complete integration of security and development. The result is a more robust testing, more efficient use of manpower and computing resources, faster delivery and fewer unplanned delays. It’s important to use a competent security tool that provides developers with fidelity and granularity of security issues related to their builds so that they can fix and ultimately deploy much faster.
Vulnerability feeds deliver information about vulnerabilities via machine-readable format (often JSON, RSS, or other industry-standard formats) suitable for automatic consumption by security tools. Feeds serve as the backbone when identifying vulnerabilities. This allows scanning tools like Anchore to decompose images, analyze the packages that compose an image, and perform matching against packages to the CVE’s published against said packages. Being able to loop this into a Gitlab or Jenkins job is critical for teams focusing on building quickly. Integrate vulnerability scanning with your SCM so scanning is done regularly against code in your source repository.
Combined with the topics discussed in part 1 of our container security lexicon, you now have a clear understanding of core security terminology and you’re ready to begin your DevSecOps journey.