
If I may:

> I'm describing a process by which you figure out the actual risk of vulnerabilities before treating them further.

The problem here is that your assessment of how a vulnerability might be leveraged or accessed is bound by your own team's limited knowledge. The reality is, the attackers' knowledge and creativity is more or less unbounded (and unknown). So making that judgment call of what is a real risk, vs. having zero tolerance, is a huge gamble IMHO, especially if your teams are not red team wizards.

No security team can defend against unknown or any degree of unbounded controllers. Everybody has a risk tolerance of some degree.

Moreover, it seems you're stating that "no tolerance" should focus on having no CVEs in container images. Does the CVE database really have that level of authority for people? It seems like the wrong thing to focus on even in these hypothetical no tolerance situations, I'm really not sure what to tell you there.

I mostly agree that it's nearly impossible to end up with a container image with zero CVEs listed unless you are some sort of wizard. However, I think images being built and deployed when there is an available patch is foolish (CVEs without patches are a different story).
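The policy argued for across the thread (block when a fix exists, route unpatched findings to a risk review rather than pretending they are safe, and record any exception explicitly) can be expressed as a small gate over a scanner's output. The following is an added example written for this page, not code from any commenter or scanner project. It assumes a simplified, constructed report shape (image name plus a list of findings with `id`, `package`, `installed`, `fixed`, `severity`); real scanners use their own schemas, so `parse_findings` is the only part that would need adapting. The CVE identifiers in the sample are obvious placeholders, not real advisories.

```python
"""Policy gate for container image vulnerability scan results.

Policy demonstrated (as discussed in the thread):
  - a finding with an available fixed version blocks the build
    unless it is on an explicit, documented accepted-risk list;
  - a finding with no fix available does not block by itself but is
    surfaced for human risk assessment;
  - accepted exceptions are reported so they stay visible.
"""
import json
from dataclasses import dataclass
from typing import Collection, Dict, List, Optional

# Constructed sample report in the assumed (simplified) schema.
# The CVE ids are placeholders, not real vulnerability identifiers.
SAMPLE_SCAN = json.dumps({
    "image": "example/app:1.0",
    "findings": [
        {"id": "CVE-PLACEHOLDER-0001", "package": "libfoo", "installed": "1.2.0",
         "fixed": "1.2.1", "severity": "high"},
        {"id": "CVE-PLACEHOLDER-0002", "package": "libbar", "installed": "3.0.0",
         "fixed": None, "severity": "critical"},
        {"id": "CVE-PLACEHOLDER-0003", "package": "libbaz", "installed": "0.9",
         "fixed": "0.9.1", "severity": "low"},
    ],
})


@dataclass(frozen=True)
class Finding:
    id: str
    package: str
    installed: str
    fixed: Optional[str]   # None means the scanner reports no fixed version
    severity: str


def parse_findings(report_json: str) -> List[Finding]:
    """Parse the assumed report schema into Finding records."""
    data = json.loads(report_json)
    return [
        Finding(
            id=f["id"],
            package=f["package"],
            installed=f["installed"],
            fixed=f.get("fixed") or None,
            severity=str(f["severity"]).upper(),
        )
        for f in data["findings"]
    ]


def evaluate(findings: List[Finding],
             accepted: Collection[str] = frozenset()) -> Dict[str, object]:
    """Apply the gate. Returns the bucketed findings and a pass/fail verdict.

    block    -> fix available and not risk-accepted: build must fail
    review   -> no fix available: needs a documented risk decision
    accepted -> explicitly accepted ids (kept visible in the report)
    """
    block: List[Finding] = []
    review: List[Finding] = []
    accepted_out: List[Finding] = []
    for f in findings:
        if f.id in accepted:
            accepted_out.append(f)
        elif f.fixed is not None:
            block.append(f)
        else:
            review.append(f)
    return {"block": block, "review": review,
            "accepted": accepted_out, "pass": not block}


def summarize(result: Dict[str, object]) -> str:
    """Human-readable summary for CI logs."""
    lines = ["BUILD " + ("PASS" if result["pass"] else "FAIL")]
    for bucket in ("block", "review", "accepted"):
        for f in result[bucket]:  # type: ignore[union-attr]
            fix = f.fixed if f.fixed else "no fix available"
            lines.append(f"  [{bucket}] {f.id} {f.package} {f.installed} "
                         f"({f.severity}) -> {fix}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(evaluate(parse_findings(SAMPLE_SCAN))))
```

Run as-is, the sample fails the build on the two patchable findings and lists the unpatched critical one under `review`; passing `accepted={"CVE-PLACEHOLDER-0001", ...}` models a documented exception, which is the point the thread circles around: the exception is a recorded decision, not silence.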

