DevSecOps - Kubernetes DevOps & Security

DevSecOps Pipeline

Vulnerabilities Basics

In this lesson, we’ll define vulnerabilities, explore their relationship to exploits, threats, and risks, and walk through a standard process for scanning, assessing, and remediating them. Future modules will provide hands-on examples using tools like Dependency Check, Trivy, OPA Conftest, and Kubesec to secure application code, container images, and Kubernetes resources.


Key Concepts

| Term | Definition | Example |
| --- | --- | --- |
| Vulnerability | A flaw or bug in software that attackers can exploit. | SQL injection, broken authentication |
| Exploit | A script or technique that takes advantage of a vulnerability to perform malicious activity. | Remote code execution, unauthorized mining |
| Threat | Any potential cause of an unwanted security incident, such as an attacker or malware. | Phishing campaign, zero-day malware |
| Risk | The potential for loss or damage when a threat exploits a vulnerability. Calculated by severity and impact. | High-severity CVE in production environment |

Why It Matters

A robust vulnerability management program reduces the window of exposure and lowers the overall security risk to your applications and infrastructure.


Vulnerability Scanning & Databases

Vulnerability scanners inspect code, container images, and configuration files, then compare findings against public vulnerability repositories. Once confirmed, issues are catalogued with unique identifiers.

| Database / System | Description |
| --- | --- |
| NVD | The U.S. government’s repository of publicly disclosed vulnerabilities. |
| CVE | Unique IDs for known cybersecurity flaws (e.g., CVE-2021-34527). |
| CVSS | A scoring framework (0–10) that measures vulnerability severity and potential impact. |
| CWE | A taxonomy of software weaknesses, helping teams understand root causes and prevention strategies. |

Vulnerability Assessment

Once scanning completes, generate an assessment report that includes:

  • Severity: CVSS score or custom risk rating
  • Vulnerability Age: Time since public disclosure
  • Exploit Availability: Whether proof-of-concept code exists
  • Remediation Guidance: Patching instructions or workarounds

Prioritization Tip

Always address high-severity vulnerabilities with known exploits before lower-risk items. Automate prioritization using your CI/CD pipeline.


Remediation Workflow

  1. Prioritize
    • Rank CVEs by CVSS score, exploitability, and business impact.
  2. Remediate
    • Update or patch affected dependencies and configurations.
    • Apply security fixes in code and container images.
  3. Verify & Monitor
    • Re-scan to confirm fixes.
    • Implement continuous monitoring and alerting for new vulnerabilities.
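The following is an added example (not part of the original lesson or any of the tools it names) showing how the assessment fields above and the Prioritize step can be automated as a CI gate: findings are ranked by exploit availability, CVSS score and age, turned into assessment rows with remediation guidance, and the build fails when a high-severity finding with a known exploit remains. The `Finding` structure and the CVE-EXAMPLE-* identifiers are constructed placeholders, not real scanner output.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Finding:
    cve: str                    # identifier as reported by the scanner
    cvss: float                 # CVSS base score, 0-10
    disclosed: date             # public disclosure date
    exploit_known: bool         # proof-of-concept or in-the-wild exploit reported
    fix_version: Optional[str]  # patched version, or None if no fix is published yet

def severity(cvss: float) -> str:
    """Map a CVSS score to the usual qualitative bands."""
    for floor, band in ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM")):
        if cvss >= floor:
            return band
    return "LOW"

def prioritize(findings: List[Finding]) -> List[Finding]:
    """Rank: known exploit first, then higher CVSS, then older disclosure."""
    return sorted(findings,
                  key=lambda f: (not f.exploit_known, -f.cvss, f.disclosed))

def assess(findings: List[Finding], today: date) -> List[dict]:
    """Build assessment rows: severity, age, exploit availability, guidance."""
    rows = []
    for f in prioritize(findings):
        guidance = (f"upgrade to {f.fix_version}" if f.fix_version
                    else "no fix published; apply a workaround and re-check")
        rows.append({"cve": f.cve, "severity": severity(f.cvss),
                     "age_days": (today - f.disclosed).days,
                     "exploit_known": f.exploit_known, "remediation": guidance})
    return rows

def blocking(findings: List[Finding], min_cvss: float = 7.0) -> List[str]:
    """Gate policy: HIGH/CRITICAL findings with a known exploit fail the build."""
    return [f.cve for f in findings if f.cvss >= min_cvss and f.exploit_known]

# Constructed sample scanner output; CVE-EXAMPLE-* are placeholders, not real IDs.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", 5.3, date(2024, 5, 20), False, "1.2.4"),
    Finding("CVE-EXAMPLE-0002", 9.8, date(2023, 1, 15), True, "2.0.1"),
    Finding("CVE-EXAMPLE-0003", 7.5, date(2024, 1, 10), False, None),
    Finding("CVE-EXAMPLE-0004", 8.1, date(2022, 11, 2), True, None),
]

if __name__ == "__main__":  # a non-zero exit code fails the pipeline stage
    raise SystemExit(1 if blocking(SAMPLE) else 0)
```

Run it as a pipeline step after the scanner; the exit code decides whether the stage passes, while the assessment rows give the report fields listed above.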



Next Steps

In the following lessons, you’ll perform real-world vulnerability scans and enforce security policies using:

By integrating these tools into your DevSecOps pipeline, you’ll streamline the detection and remediation of security issues from code commit to production.
