The Benefits of Full Stack Vulnerability Management
- Nov 22, 2022
- Adrienne Juett
Full stack vulnerability management utilizes a variety of vulnerability scanner types to identify and remediate software and configuration issues in order to secure an enterprise across the Software Development Life Cycle (SDLC).
Different types of vulnerability scanners target different stages within the SDLC and even different types of code. A full stack program utilizes the appropriate scanners to fully track the different sources of vulnerabilities across an enterprise. This may include scanning for vulnerabilities in:
Assume that we have a simple web application that was developed in-house. That application uses open source packages as well as proprietary code. The application is packaged with a Dockerfile into a container image, which is then deployed to a Kubernetes (k8s) cluster on a cloud platform.
Even with this simple setup, there are a wide variety of ways that software vulnerabilities can be introduced into the system (see figure below). Bad coding practices can introduce vulnerabilities into the source code. Common Vulnerabilities and Exposures (CVEs) can come from the open source dependencies or from the operating system and packages included via the Dockerfile. In addition, configuration issues within the Dockerfile or in the k8s and cloud setups can lead to vulnerabilities in the overall system. All of these issues are then passed on to the resulting web application.
A full stack vulnerability management program will use vulnerability scanners at each stage of the process. Some of these scanners will find the same issues, because those issues propagate through the system. For example, CVEs introduced by the open source dependencies would be picked up when scanning the dependencies, the Docker image, and the cloud infrastructure on which the image is deployed. But not all vulnerabilities will be as easy to catch. Some vulnerabilities will only show up in specific scanners, such as code-related vulnerabilities and configuration issues. That does not mean that these vulnerabilities are not an issue in the final web application, just that a single scanner cannot identify all the issues in the system. By combining data from multiple scanner types, which target different stages in the development and deployment process, a fuller picture of the risk to the overall system can be obtained.
Furthermore, by scanning across the SDLC, vulnerabilities can be identified and remediated earlier in the process and by the teams that are best suited to the task. Take for example a security team that finds a CVE from an open-source package on the infrastructure. The open-source package is a dependency of the in-house software, which a separate development team is responsible for. If the security team applies an update on the infrastructure without input from the development team, they could introduce performance issues into the application due to package incompatibility. In addition, the vulnerability may be reintroduced on subsequent updates to the application, since the development team will continue to use the vulnerable package. However, if the development team is given responsibility for securing their part of the enterprise, the vulnerable package can be identified and remediated before deployment. Incorporating security practices across the SDLC allows for more timely remediation of vulnerabilities and decreases the overall risk to the enterprise.
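The consolidation the last two paragraphs describe can be sketched in code. The following is an added example, not NopSec's own tooling: it takes constructed findings from scanners at five SDLC stages, groups the same issue wherever it reappears, records which scanners saw it, and assigns remediation to the earliest stage that detected it (and so to the team that owns that stage). The stage names, team names, placeholder CVE ids and component names are all assumptions made for the example.

```python
from collections import defaultdict

# Scanner stages in pipeline order, earliest first (assumed for the example).
STAGE_ORDER = ["sast", "sca", "image", "k8s_config", "cloud"]

# Which team owns remediation at each stage (assumed for the example).
STAGE_OWNER = {
    "sast": "dev-team", "sca": "dev-team", "image": "dev-team",
    "k8s_config": "platform-team", "cloud": "security-team",
}

# Constructed sample findings: (stage, finding id, affected component).
# CVE ids are placeholders, not real CVEs; component names are made up.
FINDINGS = [
    ("sast", "hardcoded-secret", "app/config.py"),
    ("sca", "CVE-0000-0001", "somelib"),
    ("image", "CVE-0000-0001", "somelib"),          # same CVE, later stage
    ("image", "CVE-0000-0002", "base-os-package"),  # only visible from image on
    ("k8s_config", "privileged-container", "webapp deployment"),
    ("cloud", "CVE-0000-0001", "somelib"),          # same CVE, deployed infra
    ("cloud", "CVE-0000-0002", "base-os-package"),
]


def consolidate(findings):
    """Merge duplicate findings across stages and pick the earliest fix point."""
    seen = defaultdict(set)
    for stage, fid, component in findings:
        seen[(fid, component)].add(stage)

    report = []
    for (fid, component), stages in seen.items():
        detected_in = sorted(stages, key=STAGE_ORDER.index)
        fix_at = detected_in[0]  # earliest stage that can see the issue
        report.append({
            "id": fid,
            "component": component,
            "detected_in": detected_in,
            "fix_at": fix_at,
            "owner": STAGE_OWNER[fix_at],
            # Issues a single scanner catches are the ones a one-tool program misses.
            "single_scanner_only": len(detected_in) == 1,
        })
    # Order by where in the SDLC the fix belongs, then by id for stable output.
    return sorted(report, key=lambda r: (STAGE_ORDER.index(r["fix_at"]), r["id"]))


if __name__ == "__main__":
    for row in consolidate(FINDINGS):
        print(row)
```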
By using full stack vulnerability management tools and processes, enterprises can better secure their systems from source code to deployed applications. At NopSec, we give users the ability to consolidate vulnerability information across the full stack in order to better track vulnerability management compliance and to provide process tracking and analysis. This allows users to better identify process issues and streamline their full stack vulnerability management program.