Vulnerability scanning — a decade ago it was a novel and indispensable tool for discovering vulnerabilities across your fleet. Today, more often than not, these scanners are seen as a necessary evil and more a source of aggravation than a benefit. According to CVE.org, in 2015 there were under 6500 CVEs assigned. In 2024 that number was over 40000, a 515% increase in under ten years. With the proliferation of containers, a single CVE can “affect” one entity once or tens of thousands of times. Given the volume and the ever-growing compute landscape, are vulnerability scanners still our best path forward? Have they adapted to the more complex software landscape and the increasing number of discovered vulnerabilities? Vincent Danen and Christopher Lusk sit down to discuss.
References:
- FedRAMP Marketplace: Red Hat OpenShift Service on AWS (ROSA)
- How I Identified False Positives in the Vulnerability Report and What are the Common Reasons For False Positives?
- CVE-2016-10228: Red Hat
- CVE-2016-10228: Oracle
- The Open Source Paradox: Unpacking Risk, Equity, and Acceptance
- Mozilla Foundation Security Advisory 2023-40