Collecting Vulnerabilities

Why It’s Important to Understand Full Stack Vulnerabilities

AlphaBravo is in the process of building a new security aggregation tool called ABScan. The concept for this tool was born during our time assisting a branch of the U.S. Armed Forces with implementing security in software systems.

During this period, interesting patterns emerged when it came to managing software vulnerabilities, and more specifically how vulnerabilities were discovered in software stacks. After spending time understanding the pain points this caused, the team at AlphaBravo believed it was possible to solve this problem.

What is a Software Stack?

A software stack is a collection of independent components which work together to support the execution of an overall application. For example, assume an organization requires a blog for marketing purposes. The engineering team can deploy a service, such as Wordpress, to satisfy this requirement for the marketing department. However, it is not as simple as just deploying the Wordpress application. The service has a significant number of dependencies which must be resolved in order for it to function.

Suppose that the Bitnami Wordpress Helm chart is being deployed to a Kubernetes cluster as a set of containers. First and foremost, the Wordpress stack requires the Wordpress application container. This is the primary requirement in the software stack. It deploys Wordpress and all of the software used to build the Wordpress application, such as PHP and Apache. However, Wordpress still needs additional components outside of this container in order to function.

In addition to the Wordpress container, the software stack also makes use of MariaDB as a SQL database, Memcached for caching database queries, the Apache Exporter for capturing metrics from Apache, and the Bitnami Shell to perform helper tasks that bring the containers online. Each of these containers has its own software dependencies, any of which could introduce vulnerabilities and security issues into the Wordpress software stack.

Vulnerabilities in Software Stacks

One of the biggest challenges AlphaBravo has observed with vulnerability tools is the inability to group related items so that engineers can recognize associated vulnerabilities. This leaves out critical details needed to understand the attack surface of an application, and may lead to unexpected exposure when critical components are overlooked. This led to the creation of Collections within ABScan, as seen in Example 1 below.

Example 1 - The Collection interface in ABScan

Using the Wordpress example mentioned earlier, one or more containers, Git repositories, and/or Dockerfiles can be added to the ABScan platform and then grouped together in a collection. The total number of vulnerabilities and other issues discovered in that collection would then be combined to help engineers better understand the possible attack surface of a given software stack. In Example 2, shown below, the total number of vulnerabilities and other issues which currently exist in the Wordpress stack are shown.

Example 2 - Total number of vulnerabilities and the severity level of the Wordpress stack

From here, a further breakdown of each component in the software stack can be shown. In the example, not only are the vulnerabilities of each container scanned, but also vulnerabilities in Git repositories and configuration issues in the Dockerfiles used to build the container images. By having all of these items in a single collection, a very clear picture of the security posture of this application becomes available. More importantly, a team can work to ensure these vulnerabilities are resolved quickly. In Example 3, shown below, a list of the containers in the collection, as well as tabs for Git and Dockerfile scans, is shown.

Example 3 - The total sum of containers, Git repositories, and Dockerfiles in the collection

What makes the collection even more valuable is the ability to break down different components into more manageable insights. As an example, the Wordpress software stack makes use of multiple databases, MariaDB and Memcached. If an organization has a dedicated database team whose members are responsible for managing database resources, a specific collection for databases can be created for the team, as seen in Examples 4 and 5 below. With this collection, the database team can easily monitor assigned services, reduce noise, and concentrate on resolving issues the group cares about.

Example 4 - The database collection details

Example 5 - the total sum of containers, Git repositories, and Dockerfiles for databases


Reduction of Noise

The most common feedback AlphaBravo has received to date concerns false positives and noise in vulnerability results. The problem stems from how vulnerability scanners report a base severity number, the CVSS base score, which most users assume applies directly to their environment. This may not be the case at all, which leads to unnecessary maintenance. Or worse, due to the total number of vulnerabilities reported, the workload may overwhelm the team. This raises a much larger issue to solve: how can a vulnerability score be generated and applied to an environment so that users understand which vulnerabilities should be prioritized?

The current development cycle for ABScan is working to resolve this problem. A new tool is in development which will help users identify unique variables for one or more environments. Once identified, the tool will generate a filter which can then be applied to one or more collections. When applied, the filter will remove any false positives and other noise. As a result, engineers will be able to clearly understand if a vulnerability is impactful for their software stack. Teams can then work towards the resolution of the exact vulnerabilities plaguing the software stack in their specific environment.
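The following is an added example, not ABScan code, illustrating the two ideas above: grouping scan findings for the Wordpress stack into collections (the whole stack, and a database-only collection for the database team) with totals per severity and per component kind, and then applying an environment filter so that findings which cannot apply in that environment are dropped before the team sees them. The finding ids, the scan results, and the two filter rules (a network-vector finding on a component that is not reachable over the network is treated as noise; findings with no available fix may be hidden) are constructed assumptions for this example, not output of any real scanner.

```python
"""Added example, not ABScan code: group scan findings for the Wordpress
stack into collections, total them by severity, and apply an environment
filter so findings that cannot apply in that environment are dropped."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    component: str      # container, Git repository or Dockerfile scanned
    kind: str           # "container", "git" or "dockerfile"
    finding_id: str     # constructed placeholder ids, not real CVE numbers
    severity: str       # CRITICAL / HIGH / MEDIUM / LOW
    subject: str        # package or configuration item affected
    attack_vector: str  # "network" or "local", CVSS AV-style
    fix_available: bool


# Constructed sample scanner output for the stack described in the article.
STACK_FINDINGS = [
    Finding("wordpress", "container", "EX-0001", "HIGH", "php", "network", True),
    Finding("wordpress", "container", "EX-0002", "MEDIUM", "apache2", "network", True),
    Finding("wordpress-repo", "git", "EX-0003", "LOW", "composer.lock", "local", True),
    Finding("wordpress-dockerfile", "dockerfile", "DF-0001", "MEDIUM", "runs as root", "local", False),
    Finding("mariadb", "container", "EX-0004", "CRITICAL", "libc6", "local", True),
    Finding("mariadb", "container", "EX-0005", "HIGH", "mariadb-server", "network", False),
    Finding("memcached", "container", "EX-0006", "HIGH", "libevent", "network", True),
    Finding("apache-exporter", "container", "EX-0007", "MEDIUM", "go stdlib", "network", True),
    Finding("bitnami-shell", "container", "EX-0008", "LOW", "bash", "local", False),
]

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW")


def severity_totals(findings):
    """Count findings per severity, always reporting every level."""
    counts = Counter(f.severity for f in findings)
    return {level: counts.get(level, 0) for level in SEVERITY_ORDER}


@dataclass(frozen=True)
class Collection:
    """A named group of scanned components, in the spirit of a collection."""
    name: str
    members: frozenset

    def findings(self, all_findings):
        return [f for f in all_findings if f.component in self.members]

    def component_counts(self, all_findings):
        """Distinct components per kind: the container / Git / Dockerfile tally."""
        seen = {(f.kind, f.component) for f in self.findings(all_findings)}
        return dict(Counter(kind for kind, _ in seen))


@dataclass(frozen=True)
class EnvironmentFilter:
    """Constructed environment description (an assumption of this example):
    which components are reachable over the network, and whether findings
    with no available fix should be hidden until a fix exists."""
    name: str
    network_reachable: frozenset
    hide_unfixed: bool = False

    def applies(self, f):
        # A network-vector finding on a component that nothing outside the
        # stack can reach does not apply here, so it is treated as noise.
        if f.attack_vector == "network" and f.component not in self.network_reachable:
            return False
        if self.hide_unfixed and not f.fix_available:
            return False
        return True

    def apply(self, findings):
        return [f for f in findings if self.applies(f)]


def prioritized(collection, all_findings, env=None):
    """Findings for one collection, filtered for an environment and ordered
    most severe first (stable sort keeps scanner order within a level)."""
    findings = collection.findings(all_findings)
    if env is not None:
        findings = env.apply(findings)
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f.severity))


WORDPRESS_STACK = Collection("wordpress-stack",
                             frozenset(f.component for f in STACK_FINDINGS))
DATABASES = Collection("databases", frozenset({"mariadb", "memcached"}))
# Assumption: in production only the Wordpress container is reachable from outside.
PRODUCTION = EnvironmentFilter("production", frozenset({"wordpress"}))

if __name__ == "__main__":
    for coll in (WORDPRESS_STACK, DATABASES):
        print(coll.name, coll.component_counts(STACK_FINDINGS),
              severity_totals(coll.findings(STACK_FINDINGS)))
        print("  after", PRODUCTION.name, "filter:",
              severity_totals(prioritized(coll, STACK_FINDINGS, PRODUCTION)))
```

Running the block prints, for each collection, the per-kind component tally and severity totals before the filter and the totals after it. The whole stack drops from nine findings to six under the production filter, and the database collection drops from three to the single local CRITICAL finding, which is exactly the reduction in noise the database team would want before deciding what to patch first.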

The goal of ABScan is to provide insight into the security posture of an organization at a glance, meaning informed decisions can be made within a few seconds of reviewing the metrics provided. Think of it like walking through an airport and looking at an arrival and departure display. Within seconds, a user understands everything needed to make an informed decision: the flight number, destination, arrival time, gate, and status. ABScan Collections will provide similar informative details for vulnerabilities across multiple scanning tools: software stacks, environments, and actual vulnerabilities to resolve.

In Conclusion

Managing vulnerabilities in software stacks is a complex and daunting task, as there may be many dependencies which increase the attack surface of an application. Being able to understand all associated vulnerabilities in the stack is critical to resolving the problem. Additionally, being able to reduce the noise of vulnerability data to focus on real problems is just as important.

Using a tool like ABScan, an organization will be able to easily view one or more collections across multiple teams to understand the security posture of a software stack at a glance via a simple-to-use web interface. The results will allow greater levels of trust, transparency, and understanding of the actual work required to secure an application.
