We know that identifying and patching vulnerabilities is crucial to the overall infrastructure security strategy. However, organizations often overlook the various places where vulnerabilities reside. One of these is the building block of modern infrastructure: system images. Images (such as AMIs for Amazon EC2, virtual machines, Docker containers, and more) lay the foundation for infrastructure, and most would be surprised to hear that upwards of 87% of container images in production have been found to possess critical vulnerabilities, with the average age of a vulnerability being 277 days.
This post will explain why organizations must modernize their image practices to meet the security demands of cloud environments. A key part of this process is vulnerability and patch management, i.e. the mitigation, identification, and prioritization of vulnerabilities and the operational process of removing them. Without proper tooling and processes, vulnerability and patch processes can become increasingly complex and tedious. Legacy workflows are insufficient for keeping up with the quantity of changes organizations face when scaling their cloud footprints.
Protect your organization from vulnerable images with HCP Terraform and HCP Packer
At HashiCorp, we have the opportunity to work with some of the world’s largest organizations to tackle challenges like these and help others do cloud right. We have found that one way to address vulnerabilities in infrastructure is to implement an industrialized, immutable approach to patching your system images. According to a recent study, 32 days is the mean time to exploit a vulnerability. Considering this, our suggested workflow is a continuous 30-day repave cycle for all system images.
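What a "patching baked into the image" build looks like in practice, as an added example that is not part of the original post: a Packer template that applies the current OS patches during the build and publishes the resulting AMI's metadata to an HCP Packer bucket. The bucket name "hardened-ubuntu", the AWS region, instance type and the Ubuntu AMI filter are assumptions for the example; the `hcp_packer_registry` block is the standard Packer mechanism for publishing to HCP Packer.

```hcl
# Added example (not from the original post): a Packer template that bakes
# OS patches into an AMI and publishes its metadata to an HCP Packer bucket.
# Bucket name, region, instance type and the AMI filter are assumptions.
packer {
  required_plugins {
    amazon = {
      source  = "github.com/hashicorp/amazon"
      version = ">= 1.2.0"
    }
  }
}

source "amazon-ebs" "base" {
  region        = "us-east-1"
  instance_type = "t3.micro"
  ami_name      = "hardened-ubuntu-{{timestamp}}"
  ssh_username  = "ubuntu"

  # Always start from the newest upstream base so each repave picks up the
  # vendor's fixes rather than a pinned AMI from months ago.
  source_ami_filter {
    filters = {
      name                = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"
      root-device-type    = "ebs"
      virtualization-type = "hvm"
    }
    owners      = ["099720109477"] # Canonical's AWS account
    most_recent = true
  }
}

build {
  sources = ["source.amazon-ebs.base"]

  # Publishing to HCP Packer is what lets HCP Terraform discover this image
  # later, and what lets the registry revoke it once it ages out.
  hcp_packer_registry {
    bucket_name = "hardened-ubuntu"
    description = "Ubuntu 22.04 base with all current OS patches applied"
    bucket_labels = {
      "os" = "ubuntu-22.04"
    }
    build_labels = {
      "built-at" = timestamp()
    }
  }

  # Patching happens at build time: every scheduled rebuild produces an
  # image that is fully patched at the moment it is published.
  provisioner "shell" {
    inline = [
      "sudo apt-get update",
      "sudo DEBIAN_FRONTEND=noninteractive apt-get -y upgrade",
      "sudo apt-get -y autoremove",
    ]
  }
}
```

Running `packer build` on this template from a scheduled pipeline (for example every 30 days, matching the repave cycle above) is what turns the recommendation into a routine: each run yields a new version in the bucket, and promoting that version to a channel is the point at which downstream infrastructure starts consuming it.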
So how exactly do we achieve this efficiently? You may have heard of Terraform, HashiCorp’s infrastructure as code solution that helps organizations provision and manage infrastructure. HCP Terraform is a managed offering hosted on the HashiCorp Cloud Platform that helps organizations run Terraform consistently in a stable, remote environment and add integrations directly into infrastructure workflows. In the same way HCP Terraform helps codify and manage infrastructure, HCP Packer helps codify and manage system images. When integrated, they can form a comprehensive workflow to reduce vulnerabilities in infrastructure through preventative risk management.
In this workflow, initial images are built with security and compliance baked into their configurations, and metadata is published to a centralized artifact registry in HCP Packer. From here, images can then be discovered and validated in HCP Terraform. If any changes to these underlying images take place over time, they are flagged by HCP Terraform’s drift detection. The two products then work together to provide an easy way to revoke outdated images and update all downstream dependencies. To see this workflow in action, watch the demo video below:
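The consuming side of the workflow, as an added example that is not part of the original post: a Terraform configuration that resolves the image assigned to an HCP Packer channel instead of hard-coding an AMI ID, and refuses to deploy an image older than the 30-day cycle. The bucket "hardened-ubuntu", the channel "production", the region and the `aws_instance` details are assumptions; the `hcp_packer_version` and `hcp_packer_artifact` data sources are from the HCP Terraform provider (recent versions; check your provider version's documentation for the exact attribute names).

```hcl
# Added example (not from the original post): Terraform reads the image
# assigned to an HCP Packer channel rather than hard-coding an AMI ID.
# Bucket, channel, region and instance details are assumptions.
terraform {
  required_providers {
    hcp = {
      source  = "hashicorp/hcp"
      version = ">= 0.82.0"
    }
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# The channel is the indirection point: promoting a new version to
# "production" (or revoking the old one) changes what every downstream
# workspace resolves, with no edit to this file.
data "hcp_packer_version" "base" {
  bucket_name  = "hardened-ubuntu"
  channel_name = "production"
}

# Resolve the channel's version to the concrete AMI for this platform/region.
data "hcp_packer_artifact" "base" {
  bucket_name         = data.hcp_packer_version.base.bucket_name
  version_fingerprint = data.hcp_packer_version.base.fingerprint
  platform            = "aws"
  region              = "us-east-1"
}

resource "aws_instance" "app" {
  ami           = data.hcp_packer_artifact.base.external_identifier
  instance_type = "t3.micro"

  # Fail the run rather than silently deploy an image that has outlived the
  # 30-day repave cycle (720h). created_at comes from the version data source.
  lifecycle {
    precondition {
      condition     = timecmp(timeadd(data.hcp_packer_version.base.created_at, "720h"), timestamp()) > 0
      error_message = "Image version is older than 30 days; rebuild and promote a fresh version."
    }
  }

  # Record which image version built this instance so drift and incident
  # investigations can trace it back to the registry.
  tags = {
    image_version = data.hcp_packer_version.base.fingerprint
  }
}
```

Two properties matter here. First, no AMI ID lives in the configuration, so rotating the image is a registry operation (promote a new version to the channel) and the next plan picks it up everywhere the channel is referenced. Second, the precondition makes the repave cycle enforceable: a workspace that has not been re-applied since the channel was refreshed shows the stale image in the plan, and one whose image has aged past the cycle fails instead of applying.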
While implementing reactive security methods such as vulnerability scanning tools that check existing infrastructure is an important last line of defense in cloud security, you can think of our approach as proactive, like locking your door before you leave your house. By working to better secure infrastructure before deployment you also alleviate the burden on reactive methods, as there will be fewer vulnerabilities overall for security teams to deal with.
By continuously repaving with our vulnerability and patch management workflow, organizations can:
- Prevent vulnerabilities from getting out into their infrastructure in the first place
- Reduce the window for exploitation, continuously updating images before they reach the mean time to exploit
For more detail, see the HashiCorp Validated Pattern for vulnerability and patch management or the recorded webinar, Address vulnerabilities with preventative risk management.
Sign up for free on the HashiCorp Cloud Platform to start using HCP Packer and HCP Terraform to address vulnerabilities in your infrastructure today.
To learn more about how vulnerability and patch management with HCP Terraform and HCP Packer fit into a larger unified platform approach for reducing risk, read our solution brief: Securing and governing hybrid and multi-cloud at scale with The Infrastructure Cloud.