Minimus has extended its managed service for providing application developers with hardened images to include support for the Vulnerability Exploittability eXchange (VEX) format used to share data across multiple application security tools and platforms along with hardened Helm charts for securely deploying applications on Kubernetes clusters.
Additionally, Minimus has added compliance dashboards and views, and integration with Microsoft for Single Sign-On (SSO) service.
Minimus CTO John Morello said the overall goal is not just to provide access to a set of hardened images but also make it simpler for DevSecOps teams to operationalize them.
For example, Minimus now provides hardened Helm charts aligned with Kubernetes security best practices as defined by benchmarks and frameworks from the Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST). That capability ensures that role-based access controls are enforced along with minimal permissions when relying on Helm charts to provision a Kubernetes environment.
In theory, DevOps teams could build and maintain their own repositories of hardened images, but it’s generally going to be easier to rely on an automated service that ensures those images are always vetted for vulnerabilities, said Morello. That approach enables application development teams to spend more time building secure applications versus trying to maintain an approved set of hardened images.
At the core of the Minimus service is an operating system the company specifically developed to make managing the orchestration of software artifacts simpler. That capability then enabled Minimus to ensure that hardened software artifacts that have been configured to minimize the overall size of the attack surface that might be presented can be integrated into DevSecOps workflows. Minimus also constantly monitors threat intelligence to ensure the security of those artifacts while also providing developers with real-time insights into potential threats to reduce overall risk.
While a lot of progress has been made in securing software supply chains, too many developers are still downloading software artifacts from insecure repositories. It’s not clear why more DevSecOps teams are not limiting the number of repositories that application developers can use to download software artifacts but cybercriminals have clearly become more adept at injecting malware into them as part of an effort to infect as many downstream applications as possible.
DevSecOps teams, of course, have been making a concerted effort to provide application developers with scanning tools that discover vulnerabilities and malware in software artifacts. However, the success of those efforts is often limited simply because the number of alerts being generated overwhelms the ability of application developers to recognize and remediate issues based on their actual severity. The Minimus service reduces the need to run those scans by ensuring the software artifacts being used are secure in the first place.
It’s not clear how many application security incidents can be traced specifically back to vulnerabilities and malware in software artifacts, but most developers would prefer to not have to address an issue discovered months, sometimes even years, after an application has been deployed in a production environment. As always, an ounce of prevention is worth more than a pound of any proverbial cure.
