I was curious how different organizations are approaching vulnerability management, specifically container vulnerabilities. When my organization was going into its initial audit 2 years ago we had a massive effort to transition all of our container images off of Ubuntu based containers. This was due to our vulnerability scanning tool detecting many CVEs that were high or critical but marked low by Ubuntu and stated they would not be fixed. Our assessor explained we had to have 0 criticals and highs and could only carry 30 total vulnerabilities. This made even risk reducing these vulns not an option.

Since then we’ve dedicated quite a bit of engineering effort maintaining in house compilations and docker builds of many open source and public offerings. Examples include having to completely rebuild confluent Kafka’s public image, and the public Apache airflow image.

When updating our container hardening for Rev5 we spoke with a 3PAO who said using a hardened base image is the best way to meet container image hardening and the best way to do that is to use iron bank. When looking at the iron bank offerings I noticed the RedHat UBI has >380 detected vulnerabilities but is still considered compliant. This goes directly against the guidance we were given on allotment of vulnerabilities. Was curious how other organizations are managing issues like this.