Stay Informed with the Mirantis Product Security Incident Response Team (PSIRT)

Eric Gregory - December 23, 2021

The Log4Shell critical vulnerability is only the most recent reminder that enterprise security is a matter of continuous vigilance and information-sharing. Security requires transparency and rapid response — and that’s the role of the Mirantis Product Security Incident Response Team.

What is a PSIRT?

A Product Security Incident Response Team (PSIRT) is a part of an organization dedicated to identifying, evaluating, and mitigating risks that may arise from security vulnerabilities within the organization’s offerings. Additionally, a PSIRT facilitates communication about these vulnerabilities.

The Mirantis PSIRT comprises product team representatives who work to fulfil a set of core responsibilities:

  • Establishing processes to assess and remediate vulnerabilities, and advising on mitigation strategies
  • Acting as the centralized, standardized hub for data collection and response coordination on security vulnerabilities
  • Collaborating across the organization to assist with remediation plans and communication

How vulnerabilities are identified, assessed, and mitigated

The PSIRT may identify vulnerabilities through a variety of means, including automated scanning and tracking of software dependencies and regular penetration tests conducted both internally and by third parties.

When a vulnerability is identified, it goes through a process of assessment and triage. During the triage stage, each vulnerability's severity is scored using the Common Vulnerability Scoring System (CVSS), and that score guides the PSIRT's targeted response times.

“Critical” vulnerabilities call for rapid response — though Mirantis products were mostly unaffected by Log4Shell, Mirantis Secure Registry was updated the same weekend the vulnerability was first identified, in order to help customers mitigate the issue by scanning for affected components.

In order to address vulnerabilities, the PSIRT works with development teams to find the most appropriate mitigation for the issue at hand. These mitigations might take the form of code modifications, usage or deployment advisories, workarounds, or other solutions. At this stage, the PSIRT also begins a search for possible vulnerabilities that may be similar to the one in question. For example, if a problem is the result of a particular software component (as was the case with Log4Shell), might other components introduce vulnerabilities with a similar pattern? If new issues are identified during this discovery stage, they go through the same assessment and mitigation process.

Hardening security through communication

With many entities involved in the creation and support of enterprise software — from open source project teams to software and infrastructure vendors to in-house teams — open channels of communication are essential.

The Mirantis PSIRT publishes security vulnerabilities through security bulletins, software release notes, and a GitHub repository that you can follow for notifications. For developers, security teams, or others wishing to stay informed about incident response at Mirantis, we encourage you to follow the PSIRT GitHub repo so you can stay on top of security news and advisories on Mirantis products. By working together with speed and transparency, enterprises can harden their deployments even in an ever-evolving security environment.

Read the Mirantis PSIRT update on Log4Shell (CVE-2021-44228).
