TABLE OF CONTENTS

Overview

Aqua’s CyberCenter is a cloud-based cyber-intelligence knowledge base, maintained and operated by Aqua Security. The CyberCenter:

  • Constantly monitors various security trackers, software vendors' security-related information, websites, and other threat intelligence sources
  • Builds an up-to-date, dynamic, and comprehensive database of known vulnerabilities and malware that could impact images and containers
  • Maintains an IP address blacklist, consisting of IP addresses with known reputations for inadequate security

Aqua uses the CyberCenter knowledge base while scanning images for security exposures (vulnerabilities and malware). During scanning, the Aqua Scanner checks each package in a scanned image against the CyberCenter database. As such, scanning requires that Aqua send selected image identification information to the CyberCenter. For more information, refer to Information Sent to CyberCenter.


This topic describe specific features of the Aqua CyberCenter. 


Accuracy of results

Aqua CyberCenter obtains information on security vulnerabilities from:

  • NVD
  • Mitre
  • Security trackers of operating system vendors, especially for severity ratings and CVSS scores

As the CyberCenter knowledge base is constantly updated, it may contain information that is more up-to-date and complete than the information available from software vendors at the time you selected their packages. This greatly increases the accuracy of results, since vulnerabilities are often mitigated by vendors and greatly reduces (if not completely removing) the exposure. This is not necessarily updated or reflected in NVD.


For more information on assigning severity and score to a vulnerability in Aqua, refer to Vulnerability Severity and Score.


Verbose vendor statements

CyberCenter provides the vendor's full statements regarding vulnerabilities, if available. This extended information often includes links to relevant discussions and references. 


Improved software detection

A big part of vulnerability assessment is accurately detecting the installed software in the image. In many cases a wrong software detection will result in false positives in the vulnerabilities results. 


Examples: 

  • While scanning Docker's debian:jessie image, some scanners may detect gcc-4.9 and report a medium-severity vulnerability. However, this package is not actually installed in the Debian image.
  • While scanning CentOS:7, some scanners may correctly detect bind-license, and report a high-severity vulnerability. On the other hand, this image includes only a simple text file which doesn't really constitute any vulnerability.


Detecting vulnerabilities in installed software is a complex subject. Aqua CyberCenter features enhanced detection mechanisms, supporting OS packages, programming language package managers, and stand-alone files deployed in the image.


Red Hat vulnerabilities with no available fixes

Red Hat issues advisories in separate feeds for:

  • Fixed vulnerabilities
  • Vulnerabilities with no available fixes


Therefore, many other scanners miss Red Hat vulnerabilities that have no available fixes, or list them with incorrect scores or severity ratings.


(**) For example, Red Hat acknowledges CVE-2021-27212 as a vulnerability of Moderate impact, but no fix is available. This CVE might not be detected by some scanners, but will be reported in CyberCenter. This issue also applies to dependent distributions such as CentOS.


(**) This information is correct as of June, 2021.


Test connection between Aqua server and CyberCenter

Aqua CyberCenter is hosted in the cloud and works with Aqua product, according to SaaS model. It does not require any configuration from your Aqua admin. Aqua is predefined by a connection with most recent version of Aqua CyberCenter.

You can test connection from Aqua server to CyberCenter at any time. If the test is not successful, you can contact Aqua.


To test connection to CyberCenter:

  1. In the Aqua UI: Navigate to Settings > Aqua CyberCenter. You should see the address of the CyberCenter (https://cybercenter5.aquasec.com) as shown in the screenshot below.
  2. Click Test to check the connectivity between the Aqua server and the CyberCenter. You can see the message Success: CyberCenter detected as shown below. If it is failed, contact Aqua Security Support.