Proactive Vulnerability Management for Engineering Success
By integrating security into CI/CD, applying automated policies, and supporting developers with the right processes and tools, infosec teams can increase efficiency and build secure software.
Remi Yazigi, Information Security Engineer, Cisco Systems
February 3, 2025
COMMENTARY
As cyber threats grow more sophisticated, organizations must prioritize secure software development practices. Vulnerability management is a critical aspect of this, but its success depends on clear ownership and collaboration between information security and engineering teams. By shifting left and embedding vulnerability management into the development life cycle, organizations can empower engineering teams to deliver secure code efficiently. Here’s how infosec teams can drive this transformation.
Shifting Left: The Key to Proactive Security
Traditional vulnerability management approaches often focus on addressing issues post-deployment. This reactive strategy slows development and increases the risk of exposure. Shifting left means identifying and remediating vulnerabilities earlier in the development process, during the build phase, or even before code reaches the repository. This early action reduces cost and effort while improving the quality of the codebase.
By integrating vulnerability scanning tools like Trivy into continuous integration and continuous delivery (CI/CD) pipelines, infosec teams can block builds that introduce known vulnerabilities. Tools like these, with seamless integration with GitHub Actions (GHA) and Jenkins, provide immediate feedback to developers. When vulnerabilities are identified, engineers can address them without disrupting the workflow. This approach not only enhances security but also fosters a culture of accountability and ownership among developers.
Applying Policies for Image Promotion
One of the most effective ways to enforce security practices is through automated policies for container image promotion. For example:
Base images: Ensure that development teams use only approved base images vetted by information security. These images should be regularly updated to incorporate security patches and align with organizational standards.
Docker registries: Restrict usage to trusted and approved registries, reducing the risk of introducing malicious or outdated images. Approved registries should provide regular scans and metadata to verify image integrity.
Image scanning: Automate the scanning process for all container images before they are promoted to staging or production environments. By applying strict vulnerability gates, organizations can ensure only secure images progress through the pipeline. Coupled with regular rescanning of images in production, this practice maintains security over time.
Handling Exceptions Transparently
No vulnerability management strategy is complete without a robust mechanism for handling exceptions. Infosec teams should provide engineering teams with a clear process to request and manage exceptions when immediate fixes are not feasible. This includes:
Time-bound exceptions: Set expiry dates for exceptions to ensure vulnerabilities are addressed within a reasonable time frame. Expired exceptions should trigger reminders and escalate unresolved issues.
Approval workflow: Establish an approval workflow that involves both engineering and infosec stakeholders. Collaboration ensures balanced decisions that consider security and business needs.
Documentation: Require detailed justifications for exceptions, including mitigation strategies, impact assessments, and follow-up plans. Documentation enables transparency and ensures accountability for all stakeholders.
By managing exceptions transparently, organizations can balance security requirements with operational realities while maintaining accountability. This process also offers an opportunity for continuous improvement by identifying recurring vulnerabilities or patterns requiring systemic fixes.
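As an added example (not the author's or Cisco's code, and not part of Trivy), the following Python promotion gate reads a Trivy-style JSON scan report and applies the policies described above: an approved-registry allowlist, a severity gate that blocks HIGH and CRITICAL findings, and time-bound exceptions that stop covering a finding once they expire, so that lapsed exceptions surface for escalation rather than silently continuing to suppress. The registry name, CVE ids, justifications and report contents are constructed placeholders; the only assumption about Trivy is its JSON key names (ArtifactName, Results, Vulnerabilities, VulnerabilityID, Severity).

```python
"""Promotion gate over a Trivy-style JSON report: registry allowlist, severity gate
and time-bound exceptions. Added example, not Trivy's code; the report is constructed."""
import json
from datetime import date

APPROVED_REGISTRIES = {"registry.example.internal"}   # hypothetical internal registry
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
# Every exception carries an expiry and a justification (placeholder CVE ids).
EXCEPTIONS = {
    "CVE-0000-0001": {"expires": date(2025, 6, 30),
                      "justification": "no upstream fix; mitigated by network policy"},
    "CVE-0000-0002": {"expires": date(2024, 12, 31),
                      "justification": "awaiting base image rebuild"},
}

# Constructed report using Trivy's key names; only the keys the gate reads.
SAMPLE_REPORT = json.loads("""{
 "ArtifactName": "registry.example.internal/team/app:1.4.2",
 "Results": [{"Target": "app (debian 12)", "Vulnerabilities": [
   {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "HIGH"},
   {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "Severity": "CRITICAL"},
   {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "Severity": "MEDIUM"}]}]}""")

def registry_of(image_ref):
    """Docker's rule: the first path component is a registry only if it contains '.' or ':'."""
    first = image_ref.split("/", 1)[0]
    return first if "/" in image_ref and ("." in first or ":" in first) else "docker.io"

def evaluate(report, today):
    """Decide promotion; return the verdict and the findings behind it for CI output."""
    reg = registry_of(report["ArtifactName"])
    if reg not in APPROVED_REGISTRIES:
        return {"allow": False, "blocked": [], "accepted": [], "expired": [],
                "reason": f"registry {reg!r} is not approved"}
    blocked, accepted, expired = [], [], []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v["Severity"] not in BLOCKING_SEVERITIES:
                continue                                  # below the gate: report only
            exc = EXCEPTIONS.get(v["VulnerabilityID"])
            if exc is None:
                blocked.append(v["VulnerabilityID"])
            elif exc["expires"] < today:
                expired.append(v["VulnerabilityID"])      # lapsed exception: escalate
            else:
                accepted.append(v["VulnerabilityID"])     # covered, still tracked
    allow = not blocked and not expired
    return {"allow": allow, "blocked": blocked, "accepted": accepted, "expired": expired,
            "reason": "ok" if allow else "unresolved HIGH/CRITICAL findings"}
```

In a GitHub Actions or Jenkins job this would run after `trivy image --format json`, with a non-zero exit on `allow == False` failing the build and the `expired` list feeding the reminder and escalation step.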
Building a Collaborative Framework
For vulnerability management to succeed, infosec and engineering teams must work in harmony. Information security teams can support engineering teams by:
Providing tools and training: Offer developers access to easy-to-use security tools and training on secure coding practices. This training should emphasize real-world examples.
Defining clear policies: Develop and document policies that align with engineering workflows, ensuring that security requirements are achievable without disrupting productivity. Regularly review these policies to adapt to evolving threats and technologies.
Creating feedback loops: Establish feedback mechanisms to address false positives, improve tool configurations, and enhance the developer experience. Prompt feedback helps developers focus on genuine risks and encourages compliance with security measures.
Encouraging shared metrics: Track shared security metrics that matter to both teams, such as vulnerability closure rates and build success rates. Shared goals foster collaboration and build a sense of collective responsibility.
Leveraging Automation and Metrics
Automation plays a pivotal role in ensuring the scalability and reliability of vulnerability management processes. Integrating tools for automated scanning, ticket generation, and remediation tracking saves time and reduces human error. Meanwhile, metrics such as mean time to resolution (MTTR) and the number of vulnerabilities detected per build provide valuable insights into program effectiveness and areas for improvement.
The Path Forward
Empowering engineering teams with ownership of vulnerability management is a cultural shift that requires effort and collaboration. By integrating security into the CI/CD pipeline, applying automated policies, and supporting developers with clear processes and tools, infosec teams can drive efficiency and foster a shared commitment to building secure software.
Organizations that embrace this approach will not only reduce risk but also enhance their ability to deliver secure and reliable applications at scale. The time to shift left is now. Success requires a proactive mindset, the right tools, and above all, a strong partnership between infosec and engineering teams.
About the Author
Information Security Engineer, Cisco Systems
Remi Yazigi is an information security engineer for Cisco Systems. He has extensive experience in cloud and container vulnerability management, specializing in automation to enhance security workflows. He holds two master's degrees, in computer engineering and in cybersecurity and forensics. He joined ThousandEyes in London in 2018 and moved to the US in 2022, after Cisco Systems acquired ThousandEyes in 2020. There, he led efforts to improve vulnerability detection and remediation. Prior to that, he worked in France as a cybersecurity consultant, focusing on securing industrial systems, including projects such as the Ariane 5 space rocket and SECOIA. He is passionate about empowering engineering teams to take ownership of security processes, ensuring resilient and secure infrastructures. His expertise lies in creating scalable, efficient solutions that address modern security challenges.