Abstract

A vulnerability in packages and libraries included in the underlying cloud container can adversely impact the applications and services running within that container. Current tools for automating the discovery and patching of vulnerabilities emphasize detection over proactive automated remediation, operate at cluster level, and are limited to static analyses. This disclosure describes techniques for automatically detecting and patching vulnerabilities in the software supply chain of applications and services deployed in individual cloud-based containers. Continuous inspection of the containers' runtime activity is performed by embedding security mechanisms directly into the data plane to gain deep visibility. Data obtained from artifact analysis can be leveraged to identify vulnerabilities both in the static operating system and at runtime. In addition, the obtained data serves as a detailed log of package and library usage for each container, enabling forensic auditing if vulnerabilities are discovered in the future. Cloud customers are provided with a dashboard of prioritized insights regarding vulnerabilities affecting their containers, and can choose appropriate automated remediation approaches via customizable policies. Moreover, the activity logs enable customers to conduct retroactive audits to examine any past adverse impact whenever new vulnerabilities are discovered.
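As an added illustration (not code from the disclosure), the following Python sketches the retroactive audit and policy-driven remediation the abstract describes: a per-container usage log that records whether a library was actually loaded at runtime or only present in the image, an advisory that names a fixed version, and a customer policy that maps severity and exposure to an action. All package names, versions, timestamps, the advisory identifier and the policy are constructed placeholders.

```python
def version_key(v):
    """Compare dotted numeric versions ('1.2.11' < '1.2.12'); assumption: numeric parts only."""
    return tuple(int(p) for p in v.split("."))

# Constructed sample usage log (one row per observed package in a container).
# 'loaded' is True when the library was actually mapped at runtime, False when
# it was only present in the image's static filesystem.
USAGE_LOG = [
    {"container": "web-1",   "package": "zlib",    "version": "1.2.11", "loaded": True,  "ts": "2024-03-01T10:00:00Z"},
    {"container": "web-1",   "package": "libxml2", "version": "2.9.14", "loaded": True,  "ts": "2024-03-01T10:00:00Z"},
    {"container": "db-1",    "package": "zlib",    "version": "1.2.13", "loaded": True,  "ts": "2024-03-02T08:30:00Z"},
    {"container": "batch-1", "package": "zlib",    "version": "1.2.11", "loaded": False, "ts": "2024-03-03T01:00:00Z"},
]

# Constructed advisory with a placeholder identifier; 'fixed_in' is the first safe version.
ADVISORY = {"id": "ADV-PLACEHOLDER-0001", "package": "zlib", "fixed_in": "1.2.12", "severity": "high"}

# Customer policy: remediation action keyed by severity and by whether the
# vulnerable library was actually loaded ('runtime') or merely present ('static').
POLICY = {"high": {"runtime": "auto_patch", "static": "notify"},
          "low":  {"runtime": "notify",     "static": "log_only"}}

def audit(log, advisory):
    """Retroactive audit: every container that had the vulnerable version, with the
    earliest timestamp it was observed, prioritised so runtime exposure sorts first."""
    findings = {}
    for row in log:
        if row["package"] != advisory["package"]:
            continue
        if version_key(row["version"]) >= version_key(advisory["fixed_in"]):
            continue  # already at or above the fixed version
        f = findings.setdefault(row["container"], {"container": row["container"],
            "version": row["version"], "exposure": "static", "first_seen": row["ts"]})
        if row["loaded"]:
            f["exposure"] = "runtime"
        f["first_seen"] = min(f["first_seen"], row["ts"])  # ISO-8601 strings sort chronologically
    return sorted(findings.values(), key=lambda f: (f["exposure"] != "runtime", f["first_seen"]))

def plan_remediation(findings, advisory, policy):
    """Map each finding to the customer's chosen action for the advisory's severity."""
    actions = policy[advisory["severity"]]
    return [(f["container"], actions[f["exposure"]]) for f in findings]

if __name__ == "__main__":
    found = audit(USAGE_LOG, ADVISORY)
    for container, action in plan_remediation(found, ADVISORY, POLICY):
        print(f"{ADVISORY['id']}: {container} -> {action}")
```

Running it reports web-1 (library loaded at runtime) ahead of batch-1 (present but never loaded) and skips db-1, whose version is already at or above the fix.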

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 License.
