Our Golden Docker Image Was Patched for Three Weeks Before Anyone Actually Ran It
A critical OpenSSL CVE dropped on a Tuesday, and our platform team did exactly what they were supposed to do: they patched the org's golden base image and pushed a new version by Wednesday morning. The security dashboard turned green. Leadership got an email saying the fleet was patched. Then, almost three weeks later, a routine penetration test against one of our customer-facing services flagged the exact same vulnerability in a container that had been running, untouched, since before the patch existed. The image had been fixed. The thing actually serving traffic hadn't.
Nobody had lied on that dashboard. The golden image really was patched the day it said it was. The dashboard never tracked the gap between an image existing and the team's actual rebuilding and redeploying efforts, which became the real attack surface.
Why Enterprises Reach for a Golden Image in the First Place
The problem golden images...
Copyright of this story solely belongs to hackernoon.com. To see the full text click HERE