The PivotNine Blog

Avoiding Security Theatre with Tigera, New Relic and JFrog


Information security remains a fraught and messy domain, with seemingly constant data leaks and malware infections running security teams ragged. Many tools mindlessly report a seemingly endless list of potential vulnerabilities, often as high risk items that need immediate attention.

Customers have become frustrated by the false positives and over-reporting from paranoid security tools that alert on theoretical risks. For example, the often-used Common Vulnerabilities and Exposures (CVE) system provides a list of potential risks while the actual risk to any given customer depends on context. Generating an alert simply because a CVE exists tends to overwhelm customers and slows down development.

“Feedback from customers was that we needed to provide more comprehensive security visibility,” said Utpal Bhatt, Chief Marketing Officer at Tigera, makers of the Calico container networking software. “They told us ‘Don’t just tell me where the risks are. Score those risks based on the potential for exploitation.’”

Utpal Bhatt, Chief Marketing Officer at Tigera.

Tigera’s approach can now check to see if a workload has, for example, strong isolation controls. If so, the rating of a particular vulnerability can be downgraded because it is less likely to be actively exploited in the customer’s environment. Previously, this triage work needed to be done by overworked security teams, forced to review the paranoid alerts of hyper-sensitive security tools.

With a fuller view of the specifics and context, tools can provide a more useful set of actionable information. Instead of constantly rushing to address ‘high risk’ alerts that really aren’t, teams can focus their energies on what really makes a difference. Customers can choose from a range of actions rather than using a single hammer for every problem.

“Customers can use a series of mechanisms, including code remediation, network policies, or some sort of improved configuration to limit the risk of exploitation,” said Bhatt. Customers can choose the most appropriate action for their circumstances, and look more holistically across their environment.

New Relic is also taking advantage of contextual information to help customers manage real risks.

“We realized that with our APM agents, we have information on your software composition. If we have that, why not match it against vulnerability databases and provide vulnerability detection?” said Greg Ouillon, EMEA CTO at New Relic. “It will scan for all the libraries that your code relies upon, in production or in any environment, and it will surface all the vulnerabilities, sort them by criticality, and show where they are in the environments.”

Greg Ouillon, EMEA CTO at New Relic.

While customers may also use code scanning tools such as Snyk, Ouillon is keen to point out that New Relic is monitoring the live production environment. Scanning before deployment can prevent vulnerabilities in the first place, but live scanning can find them if they sneak through the scans, or if they weren’t known about at the time.

New Relic also provides an Interactive Application Security Testing (IAST) tool. Integrated into New Relic’s agent, the IAST tool runs automated penetration tests on designated environments to uncover exploitable vulnerabilities. Any vulnerabilities discovered are reported with a proof of exploit and a recommendation for how to remedy the issue. The IAST capability came from K2 Systems, which was acquired by New Relic in late 2022.

JFrog, the well-regarded software supply chain company, also augments basic CVE reporting with greater context. In its case, JFrog’s security research team assesses the real-world risk of exploitation of publicly known vulnerabilities, and customers can sort issues reported by JFrog Xray by its proprietary JFrog Research Severity. Each assessment includes information on the reasoning employed, allowing customers to better understand their risk. Xray also takes customer-specific context into account, reducing the potential for false positives and needless busywork.
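The pattern all three vendors describe, matching a workload’s dependency list against a vulnerability feed and then re-ranking the findings by the workload’s own context, can be illustrated in a few dozen lines. The following is an added example written for this post; it is not Tigera’s, New Relic’s or JFrog’s code, and the package names, vulnerability identifiers (marked as placeholders), version numbers and scoring weights are all constructed for illustration. It downgrades findings on workloads that are isolated by a deny-by-default network policy or not reachable from the internet, and keeps the base severity where exploitation has actually been observed.

```python
"""Context-aware vulnerability prioritisation (added example, constructed data).

Step 1: match installed package versions (as an APM agent or SBOM would report them)
        against a vulnerability feed.
Step 2: adjust each finding's severity using workload context, so an isolated batch
        job does not raise the same 'critical' alert as an internet-facing API.
"""
from dataclasses import dataclass, field

# Constructed feed. Identifiers are placeholders, not real CVE numbers.
VULN_FEED = [
    {"id": "VULN-PLACEHOLDER-1", "package": "libfoo", "fixed_in": (2, 4, 0), "base": 9.8},
    {"id": "VULN-PLACEHOLDER-2", "package": "libbar", "fixed_in": (1, 1, 3), "base": 7.5},
    {"id": "VULN-PLACEHOLDER-3", "package": "libbaz", "fixed_in": (0, 9, 0), "base": 5.3},
]


def parse_version(version: str) -> tuple:
    """'2.3.1' -> (2, 3, 1), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Workload:
    name: str
    packages: dict                 # package name -> installed version string
    internet_exposed: bool         # reachable from outside the cluster
    network_policy: bool           # deny-by-default network policy isolates the workload
    known_exploited: set = field(default_factory=set)  # finding ids seen exploited in the wild


def match_vulns(workload: Workload) -> list:
    """Return feed entries whose package is installed at a version below the fix."""
    findings = []
    for vuln in VULN_FEED:
        installed = workload.packages.get(vuln["package"])
        if installed is not None and parse_version(installed) < vuln["fixed_in"]:
            findings.append({**vuln, "installed": installed})
    return findings


def contextual_score(vuln: dict, workload: Workload) -> float:
    """Adjust the base severity by context; weights are illustrative assumptions."""
    score = vuln["base"]
    if workload.network_policy:        # strong isolation: remote exploitation less likely
        score -= 2.0
    if not workload.internet_exposed:  # no ingress from the internet at all
        score -= 1.5
    if vuln["id"] in workload.known_exploited:  # observed exploitation overrides downgrades
        score = max(score, vuln["base"])
    return round(max(0.0, min(10.0, score)), 1)


def bucket(score: float) -> str:
    """Map a 0-10 score to the familiar severity bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prioritise(workload: Workload) -> list:
    """Matched findings for a workload, ranked by context-adjusted severity (highest first)."""
    results = []
    for vuln in match_vulns(workload):
        adjusted = contextual_score(vuln, workload)
        results.append({
            "id": vuln["id"], "package": vuln["package"], "installed": vuln["installed"],
            "base": vuln["base"], "adjusted": adjusted, "severity": bucket(adjusted),
        })
    results.sort(key=lambda r: r["adjusted"], reverse=True)
    return results


# Two constructed workloads running the same software composition.
COMPOSITION = {"libfoo": "2.3.1", "libbar": "1.1.3", "libbaz": "0.8.0"}
EXPOSED_API = Workload("public-api", COMPOSITION, internet_exposed=True, network_policy=False)
ISOLATED_BATCH = Workload("nightly-batch", COMPOSITION, internet_exposed=False, network_policy=True)

if __name__ == "__main__":
    for wl in (EXPOSED_API, ISOLATED_BATCH):
        print(wl.name)
        for finding in prioritise(wl):
            print(f"  {finding['id']:20} {finding['package']:7} base={finding['base']:<4} "
                  f"adjusted={finding['adjusted']:<4} {finding['severity']}")
```

With the constructed data, libbar is installed at exactly the fixed version and so never matches; libfoo’s finding stays critical on the exposed API but drops to medium on the isolated batch job, which is the triage step the security team would otherwise have to perform by hand. The weights are the part a real product calibrates from evidence, and the `known_exploited` override is what stops context from hiding an issue that is already being attacked.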

With so much work to be done in improving cyber security, helping customers to make the most impact, quickly, is to be lauded. Too much public reporting of vulnerabilities is spent panicking about theoretical risks, distracting us from the often more boring but important work of fixing real problems. The more security tools can help us filter out low value work, the better.