I've noticed that every finding from our Kubernetes manifest and image scanning is flagged with the same priority, regardless of the workload's nature. For instance, a privileged container's result is highlighted with the same severity whether it's used in an externally facing service handling sensitive data or for a trivial internal task that runs weekly. This lack of context makes it hard to accurately gauge real risks versus theoretical ones, leading my team to treat most of the alerts as background noise. I'm wondering how others are incorporating workload exposure and blast radius context into their security findings?
2 Answers
Honestly, it’s a struggle sometimes! I've started adding context to our findings, like whether something is public-facing or has access to secrets, and then we re-rank based on the potential blast radius. Otherwise, everything just feels like noise and no one pays attention to the alerts.
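One way to do the re-ranking this answer describes, as an added example that is not code from the original thread or any particular scanner: derive exposure context (internet reachability via Ingress/LoadBalancer, Secrets mounted or injected, host namespaces, an escalating service account, a sensitivity label) from the workload manifests themselves, turn it into a blast-radius multiplier, and apply that to the scanner's base severity. The weights, the `data-sensitivity` label, the set of escalating service accounts and the sample manifests are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

BASE_SEVERITY = {"LOW": 1, "MEDIUM": 3, "HIGH": 6, "CRITICAL": 10}
# Assumed workload label: data-sensitivity=public|internal|confidential
SENSITIVITY = {"public": 1.0, "internal": 1.5, "confidential": 2.5}


@dataclass
class WorkloadContext:
    name: str
    kind: str
    internet_facing: bool   # selected by an Ingress backend or a LoadBalancer Service
    secrets: frozenset      # Secret names mounted as volumes or injected via env
    sensitivity: str
    host_namespaces: bool   # hostNetwork / hostPID / hostIPC
    sa_can_escalate: bool   # serviceAccountName is in the caller-supplied escalating set


def pod_template(manifest):
    """Pod template of a Deployment/StatefulSet/DaemonSet, or of a CronJob's job template."""
    spec = manifest["spec"]
    if manifest["kind"] == "CronJob":
        spec = spec["jobTemplate"]["spec"]
    return spec["template"]


def exposed_selectors(services, ingresses):
    """Selectors of Services reachable from outside: LoadBalancer type or an Ingress backend."""
    backends = {p["backend"]["service"]["name"]
                for ing in ingresses for rule in ing["spec"].get("rules", [])
                for p in rule.get("http", {}).get("paths", [])}
    return [svc["spec"].get("selector", {}) for svc in services
            if svc["spec"].get("type") == "LoadBalancer" or svc["metadata"]["name"] in backends]


def derive_context(manifest, services, ingresses, escalating_sas):
    tmpl = pod_template(manifest)
    labels, spec = tmpl["metadata"].get("labels", {}), tmpl["spec"]
    facing = any(sel and all(labels.get(k) == v for k, v in sel.items())
                 for sel in exposed_selectors(services, ingresses))
    secrets = {v["secret"]["secretName"] for v in spec.get("volumes", []) if "secret" in v}
    for c in spec.get("containers", []):
        secrets |= {e["secretRef"]["name"] for e in c.get("envFrom", []) if "secretRef" in e}
        secrets |= {e["valueFrom"]["secretKeyRef"]["name"] for e in c.get("env", [])
                    if "secretKeyRef" in e.get("valueFrom", {})}
    return WorkloadContext(
        name=manifest["metadata"]["name"], kind=manifest["kind"], internet_facing=facing,
        secrets=frozenset(secrets),
        sensitivity=manifest["metadata"].get("labels", {}).get("data-sensitivity", "internal"),
        host_namespaces=any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")),
        sa_can_escalate=spec.get("serviceAccountName", "default") in escalating_sas)


def blast_radius(ctx):
    """Multiplier on the scanner's base severity. Weights are assumptions, tune per environment."""
    score = 3.0 if ctx.internet_facing else 1.0
    score *= SENSITIVITY.get(ctx.sensitivity, 1.5)
    score += 0.5 * min(len(ctx.secrets), 4)   # each reachable Secret widens the blast radius
    if ctx.host_namespaces:
        score += 1.5
    if ctx.sa_can_escalate:
        score += 2.0
    if ctx.kind == "CronJob":                  # short-lived pods: smaller window, not zero risk
        score *= 0.75
    return score


def rank_findings(findings, contexts):
    """findings: [{'rule', 'severity', 'workload'}] -> [(risk, finding)] sorted high to low."""
    ranked = [(BASE_SEVERITY[f["severity"]] * blast_radius(contexts[f["workload"]]), f)
              for f in findings]
    return sorted(ranked, key=lambda r: r[0], reverse=True)


# Constructed sample manifests (abridged, shaped like parsed YAML) and scanner findings.
PAYMENTS_API = {"kind": "Deployment",
    "metadata": {"name": "payments-api", "labels": {"data-sensitivity": "confidential"}},
    "spec": {"template": {"metadata": {"labels": {"app": "payments-api"}},
        "spec": {"serviceAccountName": "payments",
                 "containers": [{"name": "api", "securityContext": {"privileged": True},
                                 "envFrom": [{"secretRef": {"name": "db-creds"}}]}],
                 "volumes": [{"name": "tls", "secret": {"secretName": "api-tls"}}]}}}}
WEEKLY_REPORT = {"kind": "CronJob",
    "metadata": {"name": "weekly-report", "labels": {"data-sensitivity": "internal"}},
    "spec": {"schedule": "0 3 * * 0", "jobTemplate": {"spec": {"template": {
        "metadata": {"labels": {"app": "weekly-report"}},
        "spec": {"containers": [{"name": "job", "securityContext": {"privileged": True}}]}}}}}}
SERVICES = [{"metadata": {"name": "payments-api"},
             "spec": {"type": "ClusterIP", "selector": {"app": "payments-api"}}}]
INGRESSES = [{"spec": {"rules": [{"http": {"paths": [
    {"path": "/", "backend": {"service": {"name": "payments-api", "port": {"number": 80}}}}]}}]}}]
FINDINGS = [
    {"rule": "privileged-container", "severity": "HIGH", "workload": "payments-api"},
    {"rule": "privileged-container", "severity": "HIGH", "workload": "weekly-report"},
    {"rule": "writable-root-filesystem", "severity": "LOW", "workload": "payments-api"},
]


def demo():
    contexts = {m["metadata"]["name"]: derive_context(m, SERVICES, INGRESSES, escalating_sas=set())
                for m in (PAYMENTS_API, WEEKLY_REPORT)}
    return rank_findings(FINDINGS, contexts)


if __name__ == "__main__":
    for risk, f in demo():
        print(f"{risk:6.2f}  {f['severity']:<8} {f['rule']:<26} {f['workload']}")
```

With these sample inputs the two identical `privileged-container` findings separate by almost an order of magnitude (51.0 for the Ingress-exposed, Secret-bearing payments API versus 6.75 for the weekly CronJob), and a LOW finding on the exposed workload outranks the HIGH one on the batch job. The context derivation is where the real work is: the Service-selector match is what turns "there is an Ingress" into "this pod is reachable", and the escalating service-account set is meant to be fed from an RBAC review rather than hand-maintained.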
I think the real issue is having privileged containers at all. If you can fix that problem first, it can help streamline the process. Focus on reducing the number of unnecessary privileged containers in your environment.

Exactly! Without that context, it's easy to miss real threats.