Why Isn’t the Fix in My Container? Tracking CVE Propagation Across 10,000 Projects - Mor Weinberger, Echo Security & Lior Kaplan, Kaplan Open Source


Abstract

We analyzed CVE remediation patterns across 10,000 open source projects to uncover a critical problem: vulnerabilities fixed upstream often take weeks or months to reach downstream containers. This lag creates massive security exposure windows in Kubernetes environments.

In this talk, we'll present our findings showing how CVE fixes flow (or stall) across ecosystem layers, from upstream projects to package managers to base images to final containers. You'll see real metrics on remediation delays and the compounding effect of layered dependencies.

But we won't stop at the problem. The second half focuses on practical solutions, from automated patch backporting to in-place image patching with tools like Copa. You'll learn how to build workflows that dramatically reduce MTTR, including dependency automation patterns and risk-based prioritization.

Attendees will leave with both a data-driven understanding of the CVE remediation challenge and a practical playbook for fixing it.
