Vulnerability Management Pilot

Like any software, Onesait Platform has multiple dependencies on third-party software, from libraries used at development time, to operating systems used in containers when deploying, and it is vital to analyze and update these dependencies as security threats are detected.

This is why we are in the Onesait Platform secure development model applied to the resolution of threats detected in third-party software used by Onesait Platform.

For Platform version 5.0.0-Renegade, we have carried out a manual vulnerability management pilot, with the intention of automating the process in the next version.

Let’s see what it consists of.

Operation

The following activities have been carried out in this pilot:

• Vulnerability obtaining: with a DataFlowm we have downloaded all the vulnerabilities in JSON of the Platform’s images (those with a certain label) from the Platform’s GCP Registry.

• Vulnerability analysis: we have filtered by criticality (keeping those that are CRITICAL or HIGH) and we have grouped them by modules that have the same incidence, in order to facilitate the analysis. We have generated a base Dashboard to display these vulnerabilities:

• Issue creation: issues have been created automatically from the analysis in the Platform’s GitLab. These issues includes affected images with a link to the Google Registry and a link to the issue description where the library and versions to improve are specified.

We are currently working to implement this functionality automatically, something that we will surely see in the next release of Onesait Platform.

If you are interested in learning more about this new functionality, leave us a comment or contact us via the support channels, and we will be happy to show you how it works.

Header image: Yancy Min at Unsplash.

✍🏻 Author(s)

Fco. Javier López Acevedo

See author's posts