Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.
With better tools that identify potential threats even before developers address them, a new problem has arisen.
2 Min Read
(Image: <a href="https://stock.adobe.com/contributor/201457013/vectormine?load_type=author&prev_url=detail">VectorMine</a>/Adobe Stock)
Question: What should I do about vulnerabilities without fixes?
Tsvi Korren, field CTO at Aqua Security: Security vendors are getting better at identifying vulnerabilities and making the results available earlier in the software development cycle. Shifting left by providing vulnerability data to application developers and making them an active part of risk remediation is a good thing. However, this introduces a new challenge for security practitioners: what to do about vulnerabilities in open source components where a fix is not available or when a fixed version cannot be used due to software dependencies?
When vulnerabilities were only examined after deployment, you may have been potentially at risk, but the fact that you didn't know about them earlier at least meant you were not being negligent introducing risk into production. Now you face a few difficult options when presented with a vulnerability for which no fix exists or when a fix cannot be used:
Stop the pipeline and potentially delay rollout of the application until a fix is available (or even bring down a deployed application).
Task your own development team with creating a fix (assuming you have the code and the expertise) or finding a workaround.
Move ahead accepting the risk, clearing it with appropriate compliance people, which certainly is not ideal.
Another option is to run the application in a cloud-native environment and closely control its runtime behavior. Since containers and functions are deterministic, it is possible to identify and stop execution of code that is not aligned with the workload’s intended purpose. By blocking access to specific users, commands, files, ports, or system calls, security can defang a vulnerability so that any attempt to exploit it is stopped or at least clearly identified. This ability bridges the gap, allowing application rollout to proceed, until a permanent code fix to become available.
Related Content:
About the Author(s)
You May Also Like
More Insights
Webinars
Defending Against Today's Threat Landscape with MDR
April 18, 2024The fuel in the new AI race: Data
April 23, 2024Securing Code in the Age of AI
April 24, 2024Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024
Events
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024