Never miss a critical upgrade thanks to Minimus threat intelligence. While Minimus images typically have no known vulnerabilities at their time of release, staying secure over time depends on upgrading to newer versions. Older versions inevitably become less secure as new vulnerabilities are published. Minimus threat intel helps you track important upgrades so you can protect your tech stack against active and likely exploits.

Exploitability label

Security guidelines now recommend prioritizing vulnerabilities by exploitability rather than severity. Minimus uses an exploitability label to help your team prioritize the deployment of vulnerability fixes.

  • Vulnerabilities listed in the CISA KEV catalog are labeled as active exploits.
  • Vulnerabilities with an EPSS probability score above 60% are labeled as likely to be exploited.

The exploitability label appears in advisories and vulnerability reports for image versions so you can see the risk in all relevant contexts.

Using the exploitability label

The exploitability label is designed to provide a measure of urgency. Vulnerabilities listed in the CISA KEV catalog should be considered top priority. Unlike EPSS and CVSS metrics, CISA KEV deals only with confirmed risks that have gained visibility: these vulnerabilities pose immediate risk and are already being actively exploited, or exploitation has been attempted, by threat actors. We recommend upgrading as soon as a fixed version becomes available.

EPSS metrics are second only to the CISA KEV list, as they provide data-driven threat intelligence. Collective experience has shown that many exploitable vulnerabilities are ranked as medium or even low severity. Therefore, it is important to prioritize upgrades that remediate vulnerabilities with a high EPSS probability over those that only carry a high severity score.
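The labeling and ordering rules described above, as an added Python example (this is illustrative code, not Minimus's own implementation): a vulnerability is labeled "active exploit" when it is in the CISA KEV catalog, "likely exploited" when its EPSS probability is above 60%, and fixes are ordered KEV first, then high-EPSS, then everything else by CVSS score. The CVE ids, scores and version strings are constructed placeholders, and the version-comparison helper assumes plain dotted numeric versions.

```python
"""Exploitability labeling and upgrade prioritization (added example, not Minimus code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Threshold from the page: EPSS probability above 60% is "likely to be exploited".
EPSS_LIKELY_THRESHOLD = 0.60


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float                      # CVSS base score, 0.0 to 10.0
    epss: float                      # EPSS probability, 0.0 to 1.0
    in_kev: bool                     # listed in the CISA KEV catalog
    fixed_version: Optional[str]     # image version carrying the fix, None if no fix yet


def exploitability_label(v: Vuln) -> Optional[str]:
    """KEV membership outranks EPSS; EPSS must be strictly above the threshold."""
    if v.in_kev:
        return "active exploit"
    if v.epss > EPSS_LIKELY_THRESHOLD:
        return "likely exploited"
    return None


def priority_key(v: Vuln) -> tuple:
    """Sort key: KEV (0) before likely (1) before unlabeled (2), then higher EPSS,
    then higher CVSS, then CVE id for a stable, reproducible order."""
    rank = {"active exploit": 0, "likely exploited": 1, None: 2}[exploitability_label(v)]
    return (rank, -v.epss, -v.cvss, v.cve)


def upgrade_plan(vulns: List[Vuln]) -> Tuple[List[Vuln], List[Vuln]]:
    """Split into (fixable, ordered by urgency) and (still awaiting a fix, same order)."""
    fixable = sorted((v for v in vulns if v.fixed_version), key=priority_key)
    pending = sorted((v for v in vulns if not v.fixed_version), key=priority_key)
    return fixable, pending


def _version_tuple(version: str) -> Tuple[int, ...]:
    # Assumption: versions are plain dotted integers such as "1.2.4".
    return tuple(int(part) for part in version.split("."))


def target_version(vulns: List[Vuln]) -> Optional[str]:
    """Lowest version that carries every labeled (KEV or high-EPSS) fix, i.e. the
    highest fixed_version among labeled vulnerabilities; None if nothing is labeled."""
    labeled = [v for v in vulns if exploitability_label(v) and v.fixed_version]
    if not labeled:
        return None
    return max((v.fixed_version for v in labeled), key=_version_tuple)


# Constructed sample data: placeholder CVE ids and scores, not real advisories.
SAMPLE = [
    Vuln("CVE-0000-0001", cvss=9.8, epss=0.02, in_kev=False, fixed_version="1.2.4"),
    Vuln("CVE-0000-0002", cvss=5.3, epss=0.91, in_kev=False, fixed_version="1.2.4"),
    Vuln("CVE-0000-0003", cvss=6.1, epss=0.45, in_kev=True,  fixed_version="1.2.3"),
    Vuln("CVE-0000-0004", cvss=7.5, epss=0.75, in_kev=False, fixed_version=None),
    Vuln("CVE-0000-0005", cvss=4.0, epss=0.01, in_kev=False, fixed_version="1.2.4"),
]

if __name__ == "__main__":
    fixable, pending = upgrade_plan(SAMPLE)
    print("Upgrade to:", target_version(SAMPLE))
    for v in fixable:
        print(f"{v.cve}  cvss={v.cvss:<4} epss={v.epss:.2f}  label={exploitability_label(v)}  fix={v.fixed_version}")
    for v in pending:
        print(f"{v.cve}  awaiting fix  label={exploitability_label(v)}")
```

Note how CVE-0000-0001 (critical CVSS, negligible EPSS) sorts below the medium-severity CVE-0000-0002 with a 91% EPSS probability; this is exactly the case the guidance above is warning about.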

Balancing dev capacity with security requirements

Balancing dev capacity with security requirements is a serious challenge. Minimus threat intel is designed to reduce some of this inherent tension and help improve dev velocity.

Managing software security requires striking a delicate balance between frequent security updates and necessary testing. There is no blanket solution for striking this fine balance, and the recommended approach depends on the urgency of the fix and the nature of the application. The following guidelines are a good place to start:

  • Application images such as Nginx and Prometheus that are deployed as-is, without a build or adjustments, are relatively easy to test and upgrade. In such cases, we recommend upgrading to the latest version as soon as possible to benefit from the latest security enhancements. Minimus actions triggered by threat intel can help you stay informed of recent version releases and security patches.
  • Images that are used as a base layer or middle layer usually require more testing, which can delay critical security upgrades in favor of stability concerns. In such cases, we recommend using Minimus threat intel to identify the most critical fixes available and to prioritize their implementation for risky assets, such as externally facing production containers or VMs. A gradual upgrade schedule will support more rigorous testing and help to balance security and stability concerns.

Leveraging threat intel with actions

Actions can be used to notify your team when fixes for likely and confirmed exploits become available, so you can upgrade your images to mitigate known risks. See About actions for details.