Cloud Marketplaces: Let the buyer beware
The cloud marketplaces are useful tools. I believe the major cloud providers set some basic reviews/standards for solutions before they are initially published. It appears perhaps that some of the solutions are then left to rot on the vine. I believe they need to raise the bar, especially when you think about the lack of IT sophistication in the small and medium business markets.
Customers should run a vulnerability scan on any marketplace image after installation. When you do, you might be surprised at what you find. I have seen images with 30-40 vulnerabilities, many of them critical. I have seen some install software that is no longer being patched. Perhaps I just found the few bad tomatoes; I suspect not. Running a scan of these solutions and performing appropriate remediation should be part of your standard practice. It would be great if the cloud providers exposed a last scan date as part of the marketplace listing to help encourage the right solution provider behavior.
The risk associated with marketplace images is amplified because many of the templates I have seen installed take a lowest-common-denominator approach to security, leaving ports open to the internet and in some cases installing internet gateways. Cloud providers maintain and promote security best practices. I think there should be a security disclosure tab on the solution page for each marketplace image. It should explain in clear language the specific "potential security risks" that the default template would create, and suggest areas for review after installation tailored to the changes made by the solution (e.g. review the X open ports to validate that they meet your security standards).
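As an added example (not code from the original post), here is a small post-install review check written in Python: it reads a constructed CloudFormation-style JSON template and reports ingress rules open to the whole internet on ports you have not explicitly allowed, plus any internet gateway the template would create. The AWS resource type names and the default allow-list of public ports are assumptions; the post names no specific provider or template format.

```python
import json

# Constructed sample template in CloudFormation-style JSON (assumed format).
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "AppSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "CidrIp": "10.0.0.0/8"},
                ]
            },
        },
        "Igw": {"Type": "AWS::EC2::InternetGateway"},
    }
})

# CIDRs that mean "anyone on the internet" (IPv4 and IPv6).
ANY_ADDR = {"0.0.0.0/0", "::/0"}


def review_template(template_text, allowed_public_ports=frozenset({443})):
    """Return a list of findings: ingress rules reachable from the whole
    internet on ports outside allowed_public_ports, and any internet
    gateway resource the template creates (assumed resource type names)."""
    findings = []
    resources = json.loads(template_text).get("Resources", {})
    for name, res in resources.items():
        rtype = res.get("Type", "")
        if rtype == "AWS::EC2::InternetGateway":
            findings.append(f"{name}: template creates an internet gateway")
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr not in ANY_ADDR:
                    continue  # restricted source range; not an internet exposure
                lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
                exposed = [p for p in range(lo, hi + 1) if p not in allowed_public_ports]
                if exposed:
                    findings.append(f"{name}: {rule.get('IpProtocol')} ports {lo}-{hi} open to {cidr}")
    return findings


if __name__ == "__main__":
    for finding in review_template(SAMPLE_TEMPLATE):
        print("REVIEW:", finding)
```

Run it against the template a marketplace listing deploys before you accept the defaults; anything it reports is a candidate for the "areas for review" a disclosure tab would otherwise have to spell out.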
Perhaps I am dreaming, but I think it would be ideal to have an optional vulnerability and security scan of your solution included after the install. This would help accelerate time to safe usage. Yes, large customers can build the automation required to do this, but what about small and medium businesses (SMBs)?
I am a strong believer in the voice of the customer. Share this if you believe these changes will help make cloud computing a better place.
(6 years ago) The marketplaces definitely need oversight. We had a case of someone marketing pirated Windocks software, and the Marketplace vendor wasn't even interested in curtailing the fraud.