March 6, 2023, 12:08 p.m. | /u/Xeteskian

cybersecurity www.reddit.com

Question: How does your organisation address software/code that leverages open source solutions which contain high risk vulnerabilities that haven't/won't be fixed?

We're currently using AWS enhanced scanning to inspect our images, and while our base images may be continually patched and secure, as soon as one of our developers modifies one via a Dockerfile and a language-specific package manager, our Security Hub will often light up with 7.0+ CVSS CVEs.

We also pull images from private repos of 3rd …
