
Mastering the “compliance end run” with Chainguard Images

Matthew Moore, CTO

I have lost count of how many prospects have come to us saying:

We gave the customer our software to run in their environment, and they sent it back with a list of vulnerabilities for us to fix.

This back and forth slows down procurement cycles and time to value, creates friction with product adoption, and can stoke a customer’s fear that your product is a liability in their environment. Why is this such a common occurrence? It comes from the “compliance end run”: a company has its customers run the product themselves, because the customer is subject to stricter compliance requirements than the company is certified for “as-a-Service.”

The basic idea is this: frameworks like PCI DSS and FedRAMP are strict and expensive to implement, so instead of going through them, many companies let customers run a version of the stack themselves. The customer is then accountable for that software being compliant with their frameworks. This technique is a brilliant dodge of most of the controls, since the customer-run deployment slots into the customer’s existing processes for many facets of compliance, but there is one key facet it does not dodge: vulnerability management.

The compliance frameworks this technique is most commonly used to dodge are also the ones with the strictest policies around vulnerability management! Both PCI DSS v4 and FedRAMP Rev 5 require vulnerabilities to be remediated within strict timelines. Companies that fall out of compliance can be hit with expensive fines (to the tune of millions of dollars), or worse still, lose their certification and wipe out an entire line of business.

Enter Chainguard Images. Our minimal, secure container images have helped companies achieve compliance with the most stringent frameworks out there, which makes them an ideal starting point for a successful “compliance end run.” What’s more, your images may come out looking better than most of what your customers are currently running! Generally, once our customers have onboarded, they see reductions far exceeding their initial vulnerability reduction goals.

If this compliance back and forth sounds familiar to you, head over to our Compliance & Risk Mitigation resource page to learn more about how Chainguard Images can help you with your compliance goals!
