I'm working with a third-party Kubernetes-based application. I set up the VM and installed the software using its Web-GUI but didn't configure the Kubernetes environment myself. After running a SCAP scan with the V2R3 benchmark, I found nine Category 1 issues flagged as open. Although I managed to identify two issues immediately, I had to manually check and resolve the other seven.
Since I'm not very experienced with Kubernetes, I'm uncertain about who is responsible for addressing these vulnerabilities. Is it my responsibility to implement these changes, or should the third-party vendor provide fixes and solutions?
3 Answers
That really depends on your contract with the vendor. A well-structured agreement should clarify who’s in charge of patches and changes for security compliance. It’s worth digging into that documentation to get a clear understanding of responsibilities.
From my experience managing STIG programs, it's important to note that SCAP benchmarks don't always cover all STIG checks directly. You'll want to manually review the SCAP results, as there can be discrepancies.
Typically, implementing STIG requirements is the organization's responsibility, especially defining security needs when procuring software. Vendors may have the capability to assist, but verification should be done by your information assurance team. So, in your case, the onus likely falls on your team to ensure compliance after deploying the third-party software.
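One way to do the manual review this answer recommends, as an added example that is not part of the original thread: a short Python script that reads an XCCDF 1.2 result document (the standard format SCAP scanners emit), joins each rule-result to its rule's severity, and separates findings that are open (`fail`) from rules the automated benchmark could not check (`notchecked`), which are exactly the ones that need a hand review against the STIG. It assumes the scanner wrote the Benchmark rules and the TestResult into one document; the embedded sample and its rule ids are constructed placeholders, not real STIG identifiers.

```python
"""Triage an XCCDF 1.2 result document: open findings by category, plus
rules that need manual review. Added example; the sample XML below is
constructed and its rule ids are placeholders, not real STIG rule ids."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# STIG Viewer category names for XCCDF severities (CAT I is the most severe).
CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed sample: two CAT I failures, one CAT III failure, one pass and
# one CAT I rule with no automated check (must be reviewed by hand).
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_k8s">
  <Rule id="xccdf_example_rule_1" severity="high"><title>Placeholder rule A</title></Rule>
  <Rule id="xccdf_example_rule_2" severity="high"><title>Placeholder rule B</title></Rule>
  <Rule id="xccdf_example_rule_3" severity="medium"><title>Placeholder rule C</title></Rule>
  <Rule id="xccdf_example_rule_4" severity="high"><title>Placeholder rule D</title></Rule>
  <Rule id="xccdf_example_rule_5" severity="low"><title>Placeholder rule E</title></Rule>
  <TestResult id="xccdf_example_testresult_1">
    <rule-result idref="xccdf_example_rule_1"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_2"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_3"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_4"><result>notchecked</result></rule-result>
    <rule-result idref="xccdf_example_rule_5"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return one dict per rule-result with the rule's severity joined in."""
    root = ET.fromstring(xml_text)
    # Rules may sit directly under Benchmark or nested in Groups; .// finds both.
    severity = {
        rule.get("id"): rule.get("severity", "unknown")
        for rule in root.iterfind(".//x:Rule", NS)
    }
    findings = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        rule_id = rr.get("idref")
        result_el = rr.find("x:result", NS)
        result = (result_el.text or "").strip() if result_el is not None else "unknown"
        findings.append(
            {"rule": rule_id, "severity": severity.get(rule_id, "unknown"), "result": result}
        )
    return findings


def open_findings(findings):
    """'fail' maps to Open in STIG Viewer terms."""
    return [f for f in findings if f["result"] == "fail"]


def needs_manual_review(findings):
    """Rules the SCAP content could not decide; these are the gaps between
    the SCAP benchmark and the full STIG that the answer warns about."""
    return [f for f in findings if f["result"] in ("notchecked", "unknown", "error")]


def count_open_by_category(findings):
    """Count open findings per CAT level."""
    return Counter(CAT.get(f["severity"], "unknown") for f in open_findings(findings))


if __name__ == "__main__":
    results = parse_results(SAMPLE_XCCDF)
    print("Open by category:", dict(count_open_by_category(results)))
    for f in needs_manual_review(results):
        print("Manual review needed:", f["rule"], CAT.get(f["severity"], "unknown"))
```

Run it against the scanner's real XCCDF output instead of `SAMPLE_XCCDF` to get the list of open CAT I items to take to the vendor discussion, and the `notchecked` list to hand to whoever owns the manual STIG review.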
In our case, we usually have a three-way discussion involving our security/compliance team, the vendor, and the internal maintenance team. The initial deployment team sets the ball rolling, but it's crucial that all three parties collaborate to address the issues. This should help in formulating a mitigation strategy moving forward.