Supporting continuous vulnerability compliance through automated identity provisioning

  • Diego Gama UFCG
  • Andrey Brito UFCG
  • André Martin Technische Universität Dresden
  • Christof Fetzer Technische Universität Dresden

Abstract

Most applications exhibit vulnerabilities that affect their availability, integrity, or confidentiality at some point in their life cycle. Nevertheless, the leading cause of such vulnerabilities is not the application code itself but its dependencies. Continuous compliance processes often perform vulnerability assessment in order to prevent compliance breaches within a CI/CD pipeline. Current proposals, however, do not extend beyond the pipeline, and so do not account for incident response when dynamic aspects change, such as newly discovered vulnerabilities. In this work, we leverage zero-trust principles to continuously assess vulnerability compliance and isolate workloads that do not meet a minimum vulnerability posture. This isolation trades availability for exploitation prevention, a trade-off that is appropriate for critical use cases. Our approach builds on SPIRE, a robust selective identity provider, and integrates a response to compliance violations caused by dynamic aspects, as monitored by Dependency Track. We show that the approach adds no significant latency and does not hinder operational or development efforts.
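As an added illustration (not code from the paper, SPIRE, or Dependency Track), the following policy check decides per workload whether its current vulnerability findings meet a minimum posture and therefore whether its SPIRE identity should be kept or withdrawn; the findings shape (loosely modelled on Dependency Track findings), the thresholds, the placeholder vulnerability IDs and the SPIFFE IDs are all assumptions.

```python
"""Posture gate: decide which workloads keep their SPIRE identity.

Constructed example, not the paper's implementation. Findings are shaped
loosely like Dependency Track per-project findings (an assumption); the
SPIFFE IDs, vulnerability IDs and thresholds are made up for illustration.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"UNASSIGNED": 0, "INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Posture:
    """Minimum vulnerability posture a workload must satisfy to keep its identity."""
    max_severity: str = "HIGH"      # any finding above this severity is disallowed
    max_count_at_max: int = 2       # how many findings at max_severity are tolerated
    min_cvss_blocking: float = 9.0  # a single finding at/above this score always blocks
    ignore_suppressed: bool = True  # findings an analyst suppressed do not count


def violates_posture(findings: list[dict], posture: Posture) -> list[str]:
    """Return the reasons the findings break the posture (empty list = compliant)."""
    reasons, at_max = [], 0
    limit = SEVERITY_RANK[posture.max_severity]
    for f in findings:
        if posture.ignore_suppressed and f.get("analysis", {}).get("isSuppressed"):
            continue  # analyst accepted/false-positive finding: skip it
        vuln = f["vulnerability"]
        rank = SEVERITY_RANK.get(vuln.get("severity", "UNASSIGNED"), 0)
        score = vuln.get("cvssV3BaseScore") or 0.0
        if rank > limit:
            reasons.append(f"{vuln['vulnId']}: {vuln['severity']} exceeds {posture.max_severity}")
        elif rank == limit:
            at_max += 1
        if score >= posture.min_cvss_blocking:
            reasons.append(f"{vuln['vulnId']}: CVSS {score} >= {posture.min_cvss_blocking}")
    if at_max > posture.max_count_at_max:
        reasons.append(f"{at_max} {posture.max_severity} findings exceed allowance of {posture.max_count_at_max}")
    return reasons


def reconcile(workloads: dict[str, list[dict]], posture: Posture) -> dict[str, str]:
    """Map each workload's SPIFFE ID to 'keep' (identity stays) or 'isolate' (withdraw it)."""
    return {sid: ("isolate" if violates_posture(fs, posture) else "keep") for sid, fs in workloads.items()}


# Constructed sample: two workloads with made-up findings and SPIFFE IDs.
SAMPLE = {
    "spiffe://example.org/ns/prod/sa/payments": [
        {"vulnerability": {"vulnId": "VULN-A", "severity": "CRITICAL", "cvssV3BaseScore": 9.8}, "analysis": {"isSuppressed": False}},
    ],
    "spiffe://example.org/ns/prod/sa/catalog": [
        {"vulnerability": {"vulnId": "VULN-B", "severity": "HIGH", "cvssV3BaseScore": 7.5}, "analysis": {"isSuppressed": False}},
        {"vulnerability": {"vulnId": "VULN-C", "severity": "HIGH", "cvssV3BaseScore": 8.1}, "analysis": {"isSuppressed": True}},
    ],
}
```

In the paper's setting the "isolate" outcome would translate into withdrawing the workload's registration entry from SPIRE so it can no longer obtain an identity; here the decision is only returned.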
Keywords: Continuous Compliance, Vulnerability Management, ZTA, Incident Response, Identity Provisioning
Published
26/11/2024
GAMA, Diego; BRITO, Andrey; MARTIN, André; FETZER, Christof. Supporting continuous vulnerability compliance through automated identity provisioning. In: LATIN-AMERICAN SYMPOSIUM ON DEPENDABLE COMPUTING (LADC), 13., 2024, Recife/PE. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 101–110.