Guidelines for Handling CVEs in Knovvu Applications
Standards and Definitions
A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to publicly known cybersecurity vulnerabilities and exposures. It provides a standardized reference for identifying, sharing, and addressing security issues across software and systems, enabling organizations to efficiently coordinate responses and implement fixes.
The Common Vulnerability Scoring System (CVSS) is an industry-standard framework used to assess the severity of security vulnerabilities, assigning a numerical score (0.0 to 10.0) and corresponding severity categories: Critical, High, Medium, and Low. CVSS scoring helps standardize how vulnerabilities are measured and prioritized across systems.
There are several key vulnerability databases providing comprehensive information on CVEs, including NVD (National Vulnerability Database), Red Hat, and GitHub Advisories.
Knovvu Vulnerability Management Process
Policy
To ensure the highest level of security, we adopt the most severe score among the results provided by different vulnerability databases. For instance, if a vulnerability is rated as "Medium" in NVD but "High" by Red Hat, we prioritize it as High for remediation. This approach ensures a conservative stance on threat management.
Our approach to vulnerability management is rooted in a risk-based methodology, ensuring we focus on addressing vulnerabilities that pose the greatest threat to the security and integrity of systems and data. We prioritize the remediation of Critical and High severity CVEs, as these represent the most significant risks. Lower-severity vulnerabilities are still monitored, but because they are less likely to be exploited or have minimal impact, they are addressed with lower priority.
Automated Patch Management
Our patch management process ensures robust security by automatically scanning base images and third-party tools three times daily for vulnerabilities. If a CVE is detected, a patch operation is immediately triggered. Releases are blocked from progressing until the patch is applied, ensuring that no vulnerable components are deployed.
On-premises deployments
When deploying on-premises to a customer's Kubernetes registry, we provide a comprehensive list of container images along with their CVE status. Our integration testing environment automatically builds the system, performs automated testing, and conducts CVE scans. This process generates a detailed report of images and their vulnerabilities, which we share with the customer prior to deployment, ensuring transparency and security.
Remarks and Considerations
Open CVEs
Open CVEs are vulnerabilities and exposures that remain unresolved by package maintainers. As these CVEs pertain to third-party packages, we do not have direct control over their resolution; responsibility lies with the maintainers of the respective packages.
To minimize the impact of open CVEs, we proactively manage our dependencies. This includes continuously evaluating and updating our third-party and base images to use versions that are actively maintained and exhibit fewer vulnerabilities. By selecting well-maintained components, we reduce the likelihood of persistent CVEs and ensure that our overall system remains as secure as possible.
A moving target
Even under ideal conditions, there is always a time gap between when we deliver images to a customer and when the customer scans them. During this time, new CVEs can emerge, turning previously clean images into ones flagged with vulnerabilities. If customers request the resolution of these newly identified CVEs, the process repeats itself, creating a loop with no resolution. This is a "moving target" scenario, where the goalpost continuously shifts. To address this, we encourage customers to perform their scans as quickly as possible. If they are unable to do so, we recommend focusing specifically on Critical and High CVEs that were identified prior to the time we submitted the scan results along with the images. This ensures a shared understanding of the context and reduces unnecessary cycles of re-evaluation.
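The two rules described in this policy, taking the most severe rating reported by any database (see "Policy" above) and scoping a customer's review to Critical and High CVEs disclosed before the report was submitted (the "moving target" above), can be expressed as a small triage step over merged scan results. The following is an added illustration, not Knovvu's own tooling or code; the CVE identifiers, image names, database ratings, disclosure dates and the `Finding`/`triage` names are constructed placeholders for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Ordering used to pick the most severe rating reported by any database.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    """One database's rating of one CVE in one container image (hypothetical shape)."""
    image: str
    cve_id: str
    source: str          # e.g. "NVD", "Red Hat", "GitHub Advisories"
    severity: str        # qualitative CVSS rating as reported by that source
    published: datetime  # public disclosure date, timezone-aware


def worst_severity(severities):
    """Conservative policy: the highest rating any source assigns wins."""
    return max((s.upper() for s in severities), key=lambda s: SEVERITY_RANK[s])


def triage(findings, baseline, threshold="HIGH"):
    """Group findings per (image, CVE), merge ratings by taking the worst, then
    sort each CVE into one of three buckets:
      actionable    - at or above threshold and disclosed before the baseline scan
      post_baseline - at or above threshold but disclosed after the baseline
                      (the "moving target"; picked up in the next cycle)
      monitored     - below threshold, tracked but not blocking a release
    """
    groups = {}
    for f in findings:
        groups.setdefault((f.image, f.cve_id), []).append(f)

    result = {"actionable": [], "post_baseline": [], "monitored": []}
    for (image, cve_id), group in groups.items():
        severity = worst_severity(f.severity for f in group)
        # Use the earliest disclosure date any source reports for the CVE.
        published = min(f.published for f in group)
        entry = {
            "image": image,
            "cve_id": cve_id,
            "severity": severity,
            "sources": sorted(f.source for f in group),
        }
        if SEVERITY_RANK[severity] < SEVERITY_RANK[threshold.upper()]:
            result["monitored"].append(entry)
        elif published <= baseline:
            result["actionable"].append(entry)
        else:
            result["post_baseline"].append(entry)
    return result


# Constructed sample data: the moment the report was submitted with the images,
# and four ratings from three databases covering three placeholder CVEs.
BASELINE = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("example/api:1.0", "CVE-0000-0001", "NVD", "Medium",
            datetime(2024, 5, 10, tzinfo=timezone.utc)),
    Finding("example/api:1.0", "CVE-0000-0001", "Red Hat", "High",
            datetime(2024, 5, 10, tzinfo=timezone.utc)),
    Finding("example/api:1.0", "CVE-0000-0002", "NVD", "Critical",
            datetime(2024, 6, 15, tzinfo=timezone.utc)),
    Finding("example/worker:1.0", "CVE-0000-0003", "GitHub Advisories", "Low",
            datetime(2024, 4, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_FINDINGS, BASELINE).items():
        print(bucket)
        for e in entries:
            print(f"  {e['image']}  {e['cve_id']}  {e['severity']}  {e['sources']}")
```

With the sample input, the CVE rated Medium by NVD but High by Red Hat is merged as High and lands in the actionable bucket; the Critical CVE disclosed after the baseline is reported separately as post-baseline rather than blocking the current review; the Low finding is only monitored. Real scanner output would be adapted into `Finding` records before calling `triage`.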