Unchained
Products
Chainguard Images
Reduce your attack surface with hardened container images.
Solutions
Developer
Resources
Company
Contact
Back
Container Image Security
Run hardened container images.
Vulnerability Remediation
Eliminate CVEs daily.
Open Source Software Security
Consume OSS safely.
Compliance & Risk Mitigation
Meet and maintain compliance.
Software Supply Chain Security
Build secure software by default.
Back
Docs
Open source
Back
Unchained blog
Chainguard labs
Customer stories
Events
Security
Education
Back
About
Newsroom
Careers
Chainguard love
Back
About
Newsroom
Careers
Security

How CVEs slow down developer productivity

John Speed Meyers, Manager at Chainguard Labs
April 18, 2024
copied

The Pain of CVEs

No (sane) software developer or security engineer wakes up excited to deal with CVEs. They're tedious, break your focus, and can feel like a waste of time. But it’s the sad reality that either for compliance or security reasons, reducing known software vulnerabilities (or CVEs) has become part of the day-to-day job of software professionals. That's why developers and security teams are increasingly frustrated by the sheer amount of time and effort sunk into CVE management.

My own past research on CVE management and containers reveals both a substantial “time” cost and negative effects on staff morale. In essence, companies that build or operate containers are spending thousands of hours annually on CVE triage, forcing skilled developers to chase false positives and piece together confusing information instead of building the next killer app.

Problem 1: Time drain

The number of hours lost to CVE management is staggering. In Chainguard's The True Cost of CVE Management in Containers report, we interviewed companies estimated anywhere from hundreds to thousands of hours spent annually on tasks related to identifying, triaging, and fixing vulnerabilities. One company even dedicated the equivalent of 10 full-time employees to this work every year.

But where does all this time go? The problem is multifaceted:

  • False alarms: Security scanners often flag vulnerabilities that are irrelevant to your specific container, leading to wasted time confirming or dismissing the alerts.
  • Confusing information: Sifting through CVE descriptions, deciphering severity ratings, and finding viable fixes can be a scavenger hunt. Many exasperated developers end up with dozens of browser tabs open just to understand a single vulnerability.
  • Testing and dependency headaches: Even minor updates to address a CVE can trigger time-consuming regression testing. Fears of breaking the application make developers hesitant, leading to even longer delays.

Problem 2: Beyond time

The frustrations of CVE management extend beyond the hours spent chasing vulnerabilities. The constant firefighting erodes developer productivity, damages team collaboration, and potentially increases the risk of a successful attack.

  • Morale drain: The constant churn of CVEs — especially false positives — is demoralizing. In our annual report on CISO and developer trends in software supply chain security, a third of the surveyed software developers expressed the belief that false positives from software composition analysis tools are a major obstacle to improved software supply chain security.
  • Container security disconnect: A stark gap exists between developer and CISO perceptions, as surfaced by the same report. Only 43% of developers believe CISOs understand the risk of container images, while just 50% of CISOs rate developers as "very security-conscious." This disconnect undermines collaboration and increases vulnerability risk.
  • The risk of exploit chains: Attackers don't just exploit major vulnerabilities. They can chain together a series of seemingly minor CVEs to compromise an organization. This means even low-severity vulnerabilities need attention, overwhelming developers further.

Can DIY OS package updates help?

Faced with the massive burden of CVEs, it's logical to think that keeping your container images up-to-date with the latest OS packages would significantly reduce risk. After all, shouldn't those updates include fixes for known vulnerabilities? Unfortunately, as Chainguard's research in the Zero CVE Challenge blog post revealed, the reality is far more disappointing.

Even after updating popular Docker Hub images, the average CVE count dropped by less than six percent. Why? Because even the latest official OS packages contain a vast number of pre-existing CVEs. This forces teams into that same cycle of chasing CVEs, even after what should, in theory, be a simple fix.

Pre-built, hardened container images are better

The struggle with CVEs highlights a need for a different approach. Continuously patching CVEs as they emerge is important, but there's a better way to lighten the load upfront.

Chainguard Images are built to have low-to-no CVEs. They are designed to be minimal: they use only what is necessary to build or run an application. These Images, when a component version is available, are updated rapidly. The result is that developers can begin working with minimal, hardened containers at the start of their development, which drastically reduces vulnerability counts from day one. This translates to:

  • Time back for innovation: Developers spend more time building product innovation that generates revenue and satisfies customers and users, not chasing noisy false positives or navigating confusing CVE data.
  • Stronger security posture: Minimizing vulnerabilities significantly reduces the attack surface, improving overall an organization’s security posture.
  • Better together dev and security teams: Fewer vulnerabilities can mean less friction between security and development teams, fostering better collaboration on the most important work for their business. Hear from GitGuardian about their experience.

Build faster, safer: Discover Chainguard Images

Ready to break free from the CVE time sink? Explore Chainguard Images and discover how to stop wasting time and start building more secure software. Reach out to our team today to get started.

Related articles
Security
Chainguard Images CVE patch report: Securing software supply chains
May 1, 2024
Security
Avoid exploit chaining threats with Chainguard Images
April 23, 2024
Security
If xz's backdoors are inevitable, how do we stay secure? The answer is: move faster!
April 16, 2024

Ready to lock down your supply chain?

Talk to our customer obsessed, community-driven team.

Get started
Products

Chainguard Images

Solutions

Container Image Security

Vulnerability Remediation

Open Source Software Security

Compliance & Risk Mitigation

Software Supply Chain Security

Developer

Open source

Docs

Resources

Unchained blog

Chainguard Labs

Customer stories

Scanners

Security

Education

Company

About

Newsroom

Careers

Chainguard love

Legal

Contact

Follow

Twitter

GitHub

LinkedIn

TikTok

© 2023 Chainguard, Inc.

Contact
Contact