In this episode of TFiR: T3M, Swapnil Bhartiya sits down with Ian Riopel, Chief Customer Officer at Slim.AI, to share his insights on the current trends in the market, particularly in the security space.
Current state of affairs in container security:
- The security industry has done a good job at telling everyone how bad they’re doing, but it has not really offered a meaningful way to solve the challenge, putting developers in an impossible situation.
- Most companies try to start with a minimized image if they can, do some scanning, and get it out the door.
- Larger, more sophisticated companies have entire teams that do nothing but specialize in creating golden images, and then ensuring that there are no new vulnerabilities added as it goes through the developer pipeline.
- By the time a company ships a container out the door, the attackable surface could be 50 times larger than what it started with in the base OS. While the image may be relatively clean today, there is a high likelihood that will not be the case the next day. The state of vulnerability changes every second.
Slim.AI believes the way to solve this is to focus on
- reducing vulnerability, and
- reducing the size of containers at the final point.
Slim.AI also believes developers should have the freedom to iterate and to develop as they’d like, using the containers and the libraries that they’d like. What makes Slim.AI unique:
- It is able to make determinations around whether or not containers have extra components that don’t need to be there.
- It understands contextually the type of risks that are associated with the components that are there.
- It is able to remove all the components that don’t need to be there and ship out a hardened container.
- It provides a before and after diff and a software bill of materials (SBOM).
The US federal government is very active in the security space:
- There is an executive order that effectively requires SBOMs to be delivered as part of any container that the government purchases and consumes.
- The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
- The White House recently released the National Cybersecurity Strategy for 2023 that outlined several pillars. Various resources will be made available to the public. Organizations that are delivering solutions to critical infrastructure are going to be under significant scrutiny.
The idea behind continuous monitoring (ConMon) is that you don’t want your customers to find potential vulnerabilities before you do. Slim.AI works with some companies to continuously scan and monitor the containers they ship to production and to their customers, every day. These companies are able to learn when a new vulnerability arises before their customer calls them about it. That prevents having to scramble to fix it and avoids damage to their reputation, i.e., coming across as unaware or as not being a mature organization.
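As an added illustration of the ConMon idea above (example code written for this summary, not code from the episode or from Slim.AI), the following script diffs two daily scan results for the same image tag and flags newly reported findings by severity. The scan line format and the `PLACEHOLDER-*` vulnerability ids are constructed for the example.

```python
# Added example, not code from the TFiR episode or from Slim.AI: a day-over-day
# diff of container scan results, the check a continuous-monitoring (ConMon) job
# runs so a newly published vulnerability is noticed before a customer reports it.
# The scan line format and the vulnerability ids below are constructed placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    component: str
    vuln_id: str
    severity: str


def parse_scan(text):
    """Parse 'component,vuln_id,severity' lines (constructed format) into a set of findings."""
    findings = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        component, vuln_id, severity = (part.strip() for part in line.split(","))
        findings.add(Finding(component, vuln_id, severity.upper()))
    return findings


def diff_scans(previous, current):
    """Return (new, fixed): findings that appeared since the previous scan, and those that went away."""
    return current - previous, previous - current


def alerts(new_findings, page=("CRITICAL", "HIGH")):
    """New findings serious enough to act on today, most severe first."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    return sorted((f for f in new_findings if f.severity in page),
                  key=lambda f: (order.get(f.severity, 9), f.component, f.vuln_id))


# Constructed sample scans of the same, unchanged image tag on two consecutive days:
# the image did not change, the vulnerability data did.
SCAN_DAY1 = """
openssl,PLACEHOLDER-0001,HIGH
curl,PLACEHOLDER-0002,MEDIUM
zlib,PLACEHOLDER-0003,LOW
"""
SCAN_DAY2 = """
openssl,PLACEHOLDER-0001,HIGH
openssl,PLACEHOLDER-0004,CRITICAL
curl,PLACEHOLDER-0002,MEDIUM
"""

if __name__ == "__main__":
    new, fixed = diff_scans(parse_scan(SCAN_DAY1), parse_scan(SCAN_DAY2))
    for f in alerts(new):
        print(f"NEW {f.severity}: {f.component} {f.vuln_id}")
    print(f"{len(fixed)} finding(s) no longer reported")
```

Because the image is identical on both days, every line the diff reports comes from the vulnerability feed moving, which is exactly why a clean scan today says little about tomorrow.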
Advice for companies looking to improve their security posture:
- Train your users in basic cybersecurity hygiene. Resources are available out there; some are free from the government.
- Scan your containers and understand your risk. If you don’t know where you stand today, ignorance is not your friend when it comes to mitigating and getting ahead of threats.
- Have an action plan to mitigate and do something with those results.
This summary was written by Camille Gregory.