Gartner on Delivering DevOps Risk-Prioritized Vulnerability Guidance

We recently highlighted Gartner’s advice to “shift right” with security, so that developers are not overburdened with security work. Gartner analyst Dale Gardner continued that theme with the opening slide of his talk, which advised teams to “Fix What Matters” when it comes to vulnerabilities.

Dale noted that we excel at finding vulnerabilities, leading to the garbage heap analogy. “We end up with this graveyard of multiple vulnerability reports,” Dale observed. Bringing this world view into container security doesn’t make this problem any easier – indeed, now you have more “things” to secure.

The problem, he said, is that the industry isn’t applying enough automation to this. Lots of tools pull info from lots of sources, but ops ends up with too many lists of “stuff to fix” and no notion of their relative importance. Dale advocated for consolidation and prioritization.

Here at StackRox, we couldn’t agree more. We pull info from orchestrators, registries, vulnerability scanners – but we don’t just dump a list on DevOps. Instead, we present a stack-ranked list, by criticality, of which vulnerabilities should get addressed before containers hit production. Plus, we’ve integrated with developer tools like Slack, Jira, and email to automate the process of getting the right feedback to the right developers.
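The consolidation-and-prioritization idea above, shown as an added Python example rather than StackRox’s own code: findings from two overlapping sources are merged on (image, CVE), scored against a constructed orchestrator inventory, stack-ranked, and then grouped by owning team so each team sees only its own items. The input records, CVE placeholders, team map and scoring weights are all assumptions chosen for illustration.

```python
"""Consolidate vulnerability findings from several sources and stack-rank them.

Added example, not StackRox code. All records below are constructed and the
scoring weights in priority() are assumptions, not any product's formula.
"""
from dataclasses import dataclass, field

SEVERITY_SCORE = {"CRITICAL": 10, "HIGH": 7, "MEDIUM": 4, "LOW": 1}

# Constructed findings from two sources; note the same image/CVE appears in both.
SCANNER_FINDINGS = [
    {"image": "web:1.4", "cve": "CVE-EXAMPLE-0001", "severity": "CRITICAL", "fix_available": True},
    {"image": "web:1.4", "cve": "CVE-EXAMPLE-0002", "severity": "LOW", "fix_available": True},
    {"image": "batch:2.0", "cve": "CVE-EXAMPLE-0003", "severity": "HIGH", "fix_available": False},
]
REGISTRY_FINDINGS = [
    {"image": "web:1.4", "cve": "CVE-EXAMPLE-0001", "severity": "HIGH", "fix_available": True},
    {"image": "db:9.1", "cve": "CVE-EXAMPLE-0004", "severity": "HIGH", "fix_available": True},
]
# Constructed orchestrator inventory: where each image actually runs.
DEPLOYMENTS = {
    "web:1.4": {"env": "production", "internet_exposed": True, "replicas": 6},
    "batch:2.0": {"env": "production", "internet_exposed": False, "replicas": 1},
    "db:9.1": {"env": "staging", "internet_exposed": False, "replicas": 1},
}
# Constructed ownership map used to route findings to the right team.
OWNERS = {"web:1.4": "team-web", "batch:2.0": "team-data", "db:9.1": "team-data"}


@dataclass
class Finding:
    image: str
    cve: str
    severity: str
    fix_available: bool
    sources: set = field(default_factory=set)


def consolidate(*source_lists):
    """Merge findings keyed on (image, CVE); keep the highest severity any source reported."""
    merged = {}
    for name, findings in source_lists:
        for f in findings:
            key = (f["image"], f["cve"])
            cur = merged.get(key)
            if cur is None:
                merged[key] = Finding(f["image"], f["cve"], f["severity"], f["fix_available"], {name})
                continue
            if SEVERITY_SCORE[f["severity"]] > SEVERITY_SCORE[cur.severity]:
                cur.severity = f["severity"]
            cur.fix_available = cur.fix_available or f["fix_available"]
            cur.sources.add(name)
    return list(merged.values())


def priority(finding, deployments):
    """Assumed scoring: base severity, doubled in production, plus exposure and
    blast radius; items with no available fix rank below actionable ones."""
    dep = deployments.get(finding.image, {})
    score = SEVERITY_SCORE[finding.severity]
    if dep.get("env") == "production":
        score *= 2
    if dep.get("internet_exposed"):
        score += 5
    score += min(dep.get("replicas", 0), 10) * 0.5
    if not finding.fix_available:
        score -= 2
    return score


def stack_rank(deployments, *source_lists):
    """Return the consolidated findings ordered from highest to lowest priority."""
    findings = consolidate(*source_lists)
    return sorted(findings, key=lambda f: priority(f, deployments), reverse=True)


def route(ranked, owners):
    """Group a ranked list by owning team, preserving priority order within each team."""
    by_team = {}
    for f in ranked:
        by_team.setdefault(owners.get(f.image, "unassigned"), []).append(f)
    return by_team


def format_report(ranked, deployments):
    """One line per finding: score, image, CVE, severity, fix status, reporting sources."""
    return [
        f"{priority(f, deployments):5.1f}  {f.image:10s} {f.cve:18s} {f.severity:8s} "
        f"fix={'yes' if f.fix_available else 'no'}  sources={','.join(sorted(f.sources))}"
        for f in ranked
    ]


if __name__ == "__main__":
    ranked = stack_rank(DEPLOYMENTS, ("scanner", SCANNER_FINDINGS), ("registry", REGISTRY_FINDINGS))
    print("\n".join(format_report(ranked, DEPLOYMENTS)))
    for team, items in route(ranked, OWNERS).items():
        print(f"{team}: {[f.cve for f in items]}")
```

With the constructed inputs, the duplicate report for the internet-facing production image collapses to one entry carrying both sources and the higher severity, the production finding with no fix available still ranks above the staging one, and the per-team grouping is the list that would be handed to Slack, Jira or email for each team.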

In fact, this view of your container security landscape – what containers are running, with what vulnerabilities, in priority order – has proven so valuable that we now offer a free risk assessment to gain these insights for your environment.

Next up, we’ll discuss Gartner’s take on the need for Continuous Security and highlight which security projects Gartner thinks should be on your “must do” list for this year.