1. 9
    1. 16

      The article has more numbers than the shock-value one:

      • 87% of container images running in production have critical or high-severity vulnerabilities
      • 15% of those unpatched critical and high-severity vulnerabilities are in packages in use at runtime when patches are available
      • 2% of the vulnerabilities are exploitable

      That about lines up with my experience. I keep my dependencies up to date pretty aggressively, and I generally read release notes. It’s exceedingly rare that I’ll come across a security patch that fixes a problem that was relevant to my application. Not never, but close to never.

      1. 12

        I hate clickbait “security” headlines like this.

        No, you don’t have an exploitable-container problem. We have a too-many-security-researchers-paid-per-CVE problem.

        1. 8

          Barely anyone gets paid for CVEs if we’re looking at a whole ecosystem. This is both untrue and a weird dig at people who care about security and bother to actually assign identifiers to their issues.

          1. 3

            “Paid” is more a metaphorical term here – read it as saying that the pressure on researchers to define their career/skills/worth in terms of number and severity of vulnerabilities found (which mostly means CVEs with high CVSS scores), and on vendors to define their products’ value in terms of number and severity of vulnerabilities identified/mitigated, causes, effectively, inflation of vulnerabilities (and isn’t helped by the general uselessness of CVSS, which is inflationary in additional ways).

            See this post and discussion from a couple months ago for an even better summary/critique. It also jives with my experience as a longtime member of the security team for a large-ish open-source project (the Django web framework) – the deluge of low-quality reports from people who are desperate to get a CVE to their name is a strong indictment of the state of the industry.

        2. 7

          If you’re wondering why this starts with numbers about container vulnerabilities, followed by a veer into zero-trust architectures, then by something about NIST, while Sysdig keeps popping up, I’m guessing that’s because Sysdig sells a solution for monitoring containerised services. This is… well, okay, I guess IT journalism at its finest cynically applies nowadays.

          But the headline and the numbers themselves are not entirely devoid of meaning. As @ubernostrum pointed out this is indicative of a certain, erm, problem in our industry. But, beyond that, this game of numbers has long gained commercial value. If your job is to demonstrate compliance with various regulatory requirements, or to meet the expectations of customers – who are, by definition, entirely removed from the security landscape, otherwise they probably wouldn’t be your customers – these vanity metrics are actually valuable, and being able to produce them is a useful skill for a security team.

          Right, it’s a game of numbers that, at best, don’t tell the whole story, and at worst are entirely meaningless, played among people who, despite being extremely confident about it, haven’t the faintest clue what they mean. But it’s the only language that’s spoken in some circles.

          1. 4

            I always had the feeling that most CVEs are nothingburgers, but I recently came across this gem which confirmed it: https://www.sqlite.org/cves.html
