6. Vulnerability management
Introduction
Yandex Cloud is responsible for managing vulnerabilities and security updates in managed services. The client is responsible for managing vulnerabilities and security updates for all other system components.
For an example of the scope of responsibility for managing vulnerabilities and security updates, see Requirement 5 in the PCI DSS responsibility matrix.
6.1 A vulnerability scanner is used for container images
We recommend using the image vulnerability scanner integrated into Container Registry.
- In the management console, select the cloud or folder to check the images in.
- In the list of services, select Container Registry.
- Go to each of the images and check the value of the Scan status column.
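The console check above can also be automated. The following is an added example (not Yandex Cloud's code) that applies a simple policy to the JSON which `yc container image list-scan-results --repository-name <repo> --format json` is assumed to print; the field names it reads and the sample input are assumptions, labelled in the code.

```python
# Added example, not Yandex Cloud code: a policy check over the JSON that
# `yc container image list-scan-results --repository-name <repo> --format json`
# is assumed to print. Field names (image_id, status, scanned_at,
# vulnerabilities.critical) are assumptions; verify them against real output.
import json
from datetime import datetime, timedelta

MAX_SCAN_AGE = timedelta(days=7)  # policy: every image rescanned at least weekly
MAX_CRITICAL = 0                  # policy: no critical findings in the latest scan

SAMPLE_SCAN_RESULTS = json.dumps([  # constructed sample, not real CLI output
    {"image_id": "img-web", "status": "READY", "scanned_at": "2024-05-01T10:00:00Z",
     "vulnerabilities": {"critical": 0, "high": 2}},
    {"image_id": "img-web", "status": "READY", "scanned_at": "2024-04-20T10:00:00Z",
     "vulnerabilities": {"critical": 3, "high": 1}},          # superseded by newer scan
    {"image_id": "img-api", "status": "READY", "scanned_at": "2024-03-01T10:00:00Z",
     "vulnerabilities": {"critical": 1, "high": 0}},
    {"image_id": "img-job", "status": "ERROR", "scanned_at": "2024-05-02T10:00:00Z",
     "vulnerabilities": {}},                                   # scan never completed
])

def _ts(value):
    """Parse an RFC 3339 timestamp ending in Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def latest_scan_per_image(results):
    """Keep only the most recent scan result for each image ID."""
    latest = {}
    for r in sorted(results, key=lambda r: _ts(r["scanned_at"])):
        latest[r["image_id"]] = r  # later scans overwrite earlier ones
    return latest

def evaluate(raw_json, now_iso):
    """Return {image_id: [reasons]} for images whose latest scan breaks the policy."""
    now, findings = _ts(now_iso), {}
    for image_id, r in latest_scan_per_image(json.loads(raw_json)).items():
        age = now - _ts(r["scanned_at"])
        critical = r.get("vulnerabilities", {}).get("critical", 0)
        reasons = []
        if r["status"] != "READY":
            reasons.append(f"last scan status is {r['status']}")
        if age > MAX_SCAN_AGE:
            reasons.append(f"last scan is {age.days} days old")
        if critical > MAX_CRITICAL:
            reasons.append(f"critical vulnerabilities: {critical}")
        if reasons:
            findings[image_id] = reasons
    return findings
```

Only the newest scan per image counts, so an old scan with critical findings does not flag an image that has since been rescanned clean, while a failed or stale scan does.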
6.2 Vulnerability scanning is performed at the cloud IP level
We recommend that clients scan their own hosts for vulnerabilities. Cloud resources support the installation of custom virtual images of vulnerability scanners or software agents on hosts. There are many fee-based and free solutions for scanning.
Network scanners scan hosts that are accessible over the network. Most network scanners can also be configured with credentials to perform authenticated scans.
Examples of free network scanners:
Example of a free scanner that operates as an agent on hosts: Wazuh
You can also use a solution from Cloud Marketplace.
Run a manual check.
6.3 External security scans are performed according to the cloud rules
Customers hosting their own software in Yandex Cloud can perform external security scans for the hosted software, including penetration tests. You can run your own scans or use contractors. For more information, see Rules for performing external security scans.
Run a manual check.
6.4 The process of security updates is set up
A client must perform their own security updates within their scope of responsibility. Various automated tools are available for centralized automated OS and software updates.
Yandex Cloud publishes security bulletins to notify customers of newly discovered vulnerabilities and security updates.
6.5 A Web Application Firewall is used
To mitigate risks associated with web attacks, we recommend using a Web Application Firewall (WAF). A client can install and maintain a WAF independently or use the Yandex Smart Web Security WAF.
Installing a WAF on your own
WAF images are available from the Yandex Cloud Marketplace. License types and other required information are available in the product descriptions.
Solution: A fault-tolerant installation of PT Application Firewall built on Yandex Cloud
You can also install Wallarm WAF in Managed Service for Kubernetes. See the guide.
Yandex Smart Web Security WAF
A client can use the Yandex Smart Web Security WAF. A web application firewall analyzes HTTP requests to a web app according to pre-configured rules. Based on the analysis results, certain actions are applied to HTTP requests.
You can manage the web application firewall using a WAF profile that connects to the security profile as a separate rule.
For more information about connecting to a security profile, see Getting started with a WAF profile.
- In the management console, select the cloud or folder to check the security profile in.
- In the list of services, select Smart Web Security.
- Check that the security profile was created with the Web Application Firewall rule type.