The evolution of vulnerability scanning

Dorothy, we’re not on-prem anymore
By Michael Scholl - NOVEMBER 25, 2024


As application development and deployment evolve, traditional tools alone can no longer handle the dynamic, ephemeral nature of cloud and cloud-native environments. This article explores how cloud-native application protection platforms (CNAPPs) are addressing these challenges to enhance coverage and streamline prioritization. We’ll share best practices, emphasize the importance of context, and demonstrate how to manage the speed and scalability of modern cloud environments with an effective vulnerability scanning and management program.

In traditional environments, agents are installed on every machine to collect and transmit a software bill of materials (SBOM) or vulnerability data to a centralized location for analysis. Alternatively, network-based scanners connect to machines via SSH or similar protocols, adding significant operational overhead and requiring extensive permissions to maximize coverage. These methods often leave security teams with an overwhelming number of reports highlighting what’s wrong but failing to provide actionable insights on how to fix or prioritize issues.

This gives rise to two key challenges:

  1. Ephemeral and expanding environments: How can you maximize coverage to minimize risk?
  2. Information overload: How do you prioritize the issues that matter most?


5 best practices for vulnerability scanning at the speed of the cloud

In cloud environments, true security requires strategies that keep pace with modern infrastructure. This section outlines five essential practices to help organizations scan, secure, and manage their cloud environments effectively—without sacrificing speed or innovation.

Understanding the risks to your business

Defining a robust risk framework is essential for identifying the most critical issues for your business. A well-developed framework helps provide the context necessary for making informed decisions and implementing effective tooling and remediation strategies.

When developing a risk framework, consider the following:

  • Compliance Requirements: Understanding your business’s compliance obligations can reveal your most critical infrastructure and its protection needs.
  • Context and Nuance: While some steps may seem straightforward, deeper nuances—such as varying risk levels in different environments—can heavily influence prioritization and strategy.

Embrace automation and shift left

With the rise of container and serverless technologies, it’s crucial for developers to address issues early in the development lifecycle. Fixing vulnerabilities at this stage prevents critical risks from reaching runtime environments while fostering a proactive, security-first mindset. Automation and shifting security left create feedback loops that empower developers to make informed, secure decisions from the outset.

Choose the right tooling for the right use case

Agent-based tools excel in persistent infrastructure by offering comprehensive runtime insights into critical applications. These insights help isolate risks in real time, whether across a single node or an entire cloud environment.

However, the ephemeral nature of containers and serverless environments often requires agentless vulnerability scanning. Agentless solutions provide fast, low-overhead coverage, making them ideal for environments where speed and simplicity are priorities.

While there’s no one-size-fits-all solution, combining agent-based and agentless tools delivers the most complete coverage for modern cloud ecosystems.

Establish good remediation and mitigation practices

Mitigation and remediation are different in cloud environments – this is where context matters

In a traditional environment, there are usually teams in control of the supporting infrastructure. A host with a critical CVE located on an internal network is unlikely to be exploited if the CVE is only exploitable with local machine access, or only with elevated privileges.

Detection methods and enforcement models through technologies like Kubernetes admission controllers and cloud configuration or Infrastructure as Code (IaC) checks provide a better methodology to understand and efficiently enforce environmental best practices.

Additional strategies like standard base images in your container infrastructure allow you to mitigate risk at your base image level as much as possible. This ensures your developers can focus on the things that matter most to them and the business.

Define a clear ownership pattern

In traditional environments, defining ownership of resources and findings is relatively easy. However, with cloud environments comes cloud sprawl, which makes ownership identification difficult.

Some organizations handle cloud sprawl with tagging and labeling strategies. Their aim is to define ownership of resources by applying repeatable metadata across a large set of cloud or cloud-native infrastructure. This helps create levels of segmentation within a cloud boundary and can usually be enforced at the provider level.

Other organizations opt for account management strategies, such as AWS Organizations, where each account can belong to an individual team, application or even business unit. However, this has heavy operational costs in the form of centralized networking and can often add unneeded complexity for organizations that do not require specific account segmentation for compliance reasons.

Some CNAPP offerings go as far as to integrate at your VCS layer to help determine owners through cs. Both are valid strategies, but ultimately defining an ownership pattern is what will help most when trying to operate at the speed of the cloud.


Data vs. information: Context is key

Vulnerability data alone is insufficient for prioritizing remediation efforts effectively. Additional context—such as cloud configurations, network exposure, sensitive data, and permissions—can be derived from cloud APIs without the need for agents.

This enriched context creates a holistic view of your environment, enabling the development of a prioritization framework that aligns with business-critical goals and reduces noise for your teams.
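The prioritization the two preceding sections argue for (a critical-but-local CVE on an internal host ranking below a network-reachable flaw on an exposed asset, and ownership resolved from tags) can be made concrete. The following is an added example, not code from the original article or from any CNAPP product; the assets, findings, CVE placeholders, weights and tag keys are all constructed for illustration, and the context fields stand in for what a real platform would pull from cloud APIs.

```python
# Constructed sample context per asset (in practice derived from cloud APIs, no agent needed).
ASSETS = {
    "web-01": {"internet_exposed": True, "runs_as_root": False,
               "sensitive_data": True, "tags": {"owner": "team-payments"}},
    "batch-07": {"internet_exposed": False, "runs_as_root": False,
                 "sensitive_data": False, "tags": {}},
}

# Constructed scanner findings; CVE ids are placeholders, not real identifiers.
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-EXAMPLE-0001", "severity": "critical",
     "attack_vector": "network", "privileges_required": "none"},
    {"asset": "batch-07", "cve": "CVE-EXAMPLE-0002", "severity": "critical",
     "attack_vector": "local", "privileges_required": "high"},
    {"asset": "web-01", "cve": "CVE-EXAMPLE-0003", "severity": "medium",
     "attack_vector": "network", "privileges_required": "low"},
]

# Assumed base scores per scanner severity label (illustrative weights).
SEVERITY_BASE = {"critical": 9.0, "high": 7.0, "medium": 5.0, "low": 2.0}


def contextual_score(finding, asset):
    """Combine scanner severity with environment context into one priority score (0-10)."""
    score = SEVERITY_BASE[finding["severity"]]
    # A network-reachable flaw on an internet-facing asset is the real emergency.
    if finding["attack_vector"] == "network" and asset["internet_exposed"]:
        score += 2.0
    # A locally exploitable flaw on an internal, non-exposed host is rarely reachable.
    if finding["attack_vector"] == "local" and not asset["internet_exposed"]:
        score -= 3.0
    # Needing high privileges matters less if the workload already runs unprivileged.
    if finding["privileges_required"] == "high" and not asset["runs_as_root"]:
        score -= 1.0
    # Sensitive data raises the impact regardless of the scanner's severity label.
    if asset["sensitive_data"]:
        score += 1.0
    return max(0.0, min(10.0, score))


def prioritize(findings=FINDINGS, assets=ASSETS):
    """Rank findings by contextual score and attach an owner resolved from asset tags."""
    ranked = []
    for f in findings:
        asset = assets[f["asset"]]
        owner = asset["tags"].get("owner", "UNOWNED")  # missing tag surfaces as a gap
        ranked.append({**f, "score": contextual_score(f, asset), "owner": owner})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)
```

Run `prioritize()` and the "critical" local-only CVE on the internal batch host drops below the "medium" network-reachable CVE on the exposed web host, while the untagged asset is flagged as UNOWNED so the ownership gap is visible alongside the finding.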

Conclusion: The cloud is different — keep up

It’s easy to feel overwhelmed when every vulnerability scanner claims to find “critical” issues. Effective risk prioritization is the antidote. Solutions that integrate threat intelligence, asset criticality, and real-time exploitability empower you to focus on what truly matters. With the contextual data a modern CNAPP provides, building such a prioritization framework becomes possible.

The transition to cloud-native architectures isn’t just an evolution: it’s a revolution. Keeping up requires rethinking your vulnerability management strategy, embracing speed, and leveraging tools that prioritize context and integration. Adaptation isn’t optional — it’s essential in driving the success of your security organization and business as a whole.
