Pivotal deploys updated stemcells regularly to PWS. High and critical CVEs have a 48hr goal. We catch up on lows and mediums generally approximately once per month.
On Wed, Mar 1, 2017 at 5:48 PM, Jonathan Stockley <jstockle(a)opentext.com> wrote:
Hi, before deploying/upgrading a stemcell in production our security group runs vulnerability scans on our staging deployments. The problem is that by the time we get the stemcell into staging (about 4-6 weeks), they have updated the vulnerability database and then their scan finds new issues.
How often are people upgrading stemcells in production? How do you handle vulnerability scanning of BOSH deployed apps? How about run.pivotal.io? How do they address this?