
How does Compliant Kubernetes do vulnerability management of itself? #614

Status: Open
cristiklein opened this issue Jun 9, 2023 · 0 comments
Labels: documentation (Improvements or additions to documentation), enhancement (New feature or request)

@cristiklein (Collaborator):

Is your feature request related to a problem? Please describe.

Many data protection and critical infrastructure regulations ask for vulnerability management to be taken seriously. We are doing a lot when it comes to vulnerability management; however, this is hidden in internal docs. Let's make them public to gain exposure.

Describe the solution you'd like

Something along the lines of:

Elastisys makes commercially reasonable efforts to ensure that Compliant Kubernetes and Additional Services are free from security vulnerabilities which are either publicly known or known to Elastisys, inter alia:

  • Prepare:
    • control what software components are added to software used by Elastisys (link to ADR page);
    • ensure software components are provisioned from vendors which have demonstrated good vulnerability management;
    • ensure the Software Bill of Materials (SBOM) is up-to-date;
    • subscribe to security announcements issued by vendors of software components used by Elastisys (link to security-lists);
    • set up Elastisys vulnerability disclosure channels;
    • ensure via its CNCF membership that open-source projects are sufficiently funded for good vulnerability management;
  • Detect:
    • regularly review the output of container scanning tools, such as Trivy; however, they are super-noisy, so we don't aim for "zero vulnerability" to avoid malicious compliance;
    • monitor security announcements issued by vendors of software components used by Elastisys;
    • monitor Elastisys vulnerability disclosure channels and fix reported vulnerabilities in a timely manner;
  • Respond:
    • we discuss security announcements during our daily stand-up;
    • immediately release security patches for Elastisys software;
    • immediately apply security patches for Elastisys software;
  • Recover:
    • identify opportunities to reduce the likelihood or impact of future vulnerabilities.

Additional context

cristiklein added the labels documentation and enhancement on Jun 9, 2023
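A triage helper for the "Detect" step listed above, added here as an illustration and not part of the issue or of Compliant Kubernetes itself: it reads a Trivy JSON report (the field names follow Trivy's report format as the author of this example knows it; the report contents and the CVE-EXAMPLE ids are constructed) and separates findings that have a fix available from those that do not, so a review can act on what is patchable instead of chasing a zero-vulnerability count.

```python
import json

# Constructed sample in the shape of a Trivy JSON report, trimmed to the fields
# used below. Not output from any real scan; the ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "app (alpine 3.18)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "openssl",
             "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.1-r0", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "busybox",
             "InstalledVersion": "1.36.0-r0", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "zlib",
             "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1", "Severity": "LOW"},
        ]},
        {"Target": "Python", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "requests",
             "InstalledVersion": "2.28.0", "FixedVersion": "2.31.0", "Severity": "MEDIUM"},
        ]},
    ]
})

ACTIONABLE_SEVERITIES = frozenset({"CRITICAL", "HIGH"})


def triage(report_json, severities=ACTIONABLE_SEVERITIES):
    """Sort Trivy findings into three buckets: patch_now (actionable severity with a
    fixed version available), awaiting_fix (actionable severity, no upstream fix yet),
    and review_later (lower severity, reviewed on a cadence rather than per scan)."""
    report = json.loads(report_json)
    buckets = {"patch_now": [], "awaiting_fix": [], "review_later": []}
    for result in report.get("Results", []):
        # Trivy emits null instead of [] when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            finding = {
                "id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                "target": result.get("Target", ""), "severity": vuln["Severity"],
                "installed": vuln["InstalledVersion"],
                "fixed": vuln.get("FixedVersion") or None,
            }
            if finding["severity"] not in severities:
                buckets["review_later"].append(finding)
            elif finding["fixed"]:
                buckets["patch_now"].append(finding)
            else:
                buckets["awaiting_fix"].append(finding)
    return buckets


def summary(buckets):
    """Counts per bucket, suitable for a stand-up note or a dashboard panel."""
    return {name: len(items) for name, items in buckets.items()}
```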