Mitigate Taurus Cloud Vulnerabilities
This document is targeted at those responsible for security auditing BlazeMeter private locations on customer sites.
BlazeMeter addresses identified vulnerabilities in Taurus Cloud images based on published Service Level Agreements (SLAs) and our internal Secure Software Development Lifecycle (SSDLC) Policy. Internal security auditors or customer site personnel may conduct additional vulnerability scans. To learn how to submit your findings to BlazeMeter, see Private Locations image scan requirements.
Understanding Vulnerability Scan Results
When the Taurus Cloud image is scanned, some components may be flagged for known vulnerabilities. This is because the image includes third-party open-source tools, such as JMeter, which are maintained by their respective communities. Remediation of these findings depends on fixes released by their upstream maintainers, after which they can be incorporated into the Taurus Cloud image.
BlazeMeter maintains and supports the Taurus package itself and addresses vulnerabilities in Taurus in accordance with our security processes.
What do those vulnerabilities mean for my environment?
The presence of vulnerability findings does not necessarily mean your environment is exposed to risk. In private locations, BlazeMeter runs in isolated containers, and a test execution only loads the components required by your configuration; a vulnerable library that no configured executor uses is present on disk but never executed. As a result, the applicability of a given finding depends on your specific usage and execution context, which you control.
How can I reduce potential risk in my environment?
Most exploitation scenarios require some level of control over the system where the image is running, such as the ability to run a test with attacker-chosen configuration or to reach the container over the network. Because private-location containers exist only while a test is actively executing, the window in which a finding could be exploited is limited to that test run. The relevance of a given vulnerability finding therefore depends on how the image is deployed and used within your environment.
You can further reduce potential risk by following standard security practices when running private locations, including:
- Run test executions in isolated containers
- Run containers as a non-root user
- Use role-based access control to limit access
- Keep private locations behind your firewall in a secure network
- Avoid using production data or sensitive information, such as PII data, in tests
- Do not expose non-production systems to public networks
- Allowlist IP addresses where appropriate
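The container-level items in that list (isolation, non-root user, no public exposure) can be checked mechanically against what the engine actually started. The script below is an added example for this page, not BlazeMeter code: it audits the JSON that `docker inspect` emits for running containers and reports every deviation from the list. The container names, the image tag and the two inspect records are constructed for the example; point it at real output with `docker inspect $(docker ps -q) | python3 audit_containers.py` (the file name is an assumption).

```python
"""Audit `docker inspect` records against the private-location hardening list.

Added example for this page (not BlazeMeter code). Container names and the
image tag are assumed; the two records are hand-constructed to mimic the
fields `docker inspect` emits for a container started with defaults and for
one started with hardening flags.
"""
import json
import sys

# Constructed sample `docker inspect` output: one container started with
# `docker run --privileged --cap-add SYS_ADMIN --net host -p 8080:8080 ...`
# (no hardening) and one started with `--user 1000:1000 --cap-drop ALL
# --read-only --network bzt-private` (follows the list above).
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/taurus-weak",  # assumed name
        "Config": {"User": "", "Image": "example/taurus-cloud:assumed"},
        "HostConfig": {
            "Privileged": True,
            "CapAdd": ["SYS_ADMIN"],
            "NetworkMode": "host",
            "PortBindings": {"8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]},
            "ReadonlyRootfs": False,
        },
    },
    {
        "Name": "/taurus-hardened",  # assumed name
        "Config": {"User": "1000:1000", "Image": "example/taurus-cloud:assumed"},
        "HostConfig": {
            "Privileged": False,
            "CapAdd": None,
            "CapDrop": ["ALL"],
            "NetworkMode": "bzt-private",  # assumed user-defined bridge network
            "PortBindings": {},
            "ReadonlyRootfs": True,
        },
    },
])


def audit_container(record):
    """Return the list of hardening findings for one `docker inspect` record."""
    findings = []
    cfg = record.get("Config") or {}
    host = record.get("HostConfig") or {}

    # Docker runs the entrypoint as UID 0 when User is empty, "root" or "0"
    # (a "uid:gid" pair is checked on its uid part).
    user = (cfg.get("User") or "").strip()
    if user.split(":")[0] in ("", "root", "0"):
        findings.append("runs as root")

    if host.get("Privileged"):
        findings.append("privileged container")
    if host.get("CapAdd"):
        findings.append("extra capabilities: " + ",".join(host["CapAdd"]))

    # Host networking removes the network namespace that provides isolation.
    if host.get("NetworkMode") == "host":
        findings.append("host networking (no network isolation)")

    # A port published on 0.0.0.0 / :: / "" (Docker's default) is reachable
    # from every interface, including any public one on the host.
    for port, binds in (host.get("PortBindings") or {}).items():
        for bind in binds or []:
            if bind.get("HostIp") in ("", "0.0.0.0", "::"):
                findings.append(f"port {port} published on all interfaces")

    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem")
    return findings


def audit(inspect_json):
    """Map container name -> findings for a whole `docker inspect` document."""
    return {rec["Name"].lstrip("/"): audit_container(rec)
            for rec in json.loads(inspect_json)}


if __name__ == "__main__":
    # Read real `docker inspect` output from stdin if piped, else the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, found in audit(data).items():
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```

The writable-root-filesystem check is stricter than the list above asks for; drop it if your executors need to write outside the mounted artifacts directory. A finding of "runs as root" on the crane container itself is worth raising with the same process described under Private Locations image scan requirements, since that container is the one that is always present.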
This execution model is also relevant when interpreting vulnerability scan results: a scanner reports every component present in the image, including tools that only run when a test configured to use them is executing, and tools that your tests never use at all.
Does the Taurus cloud image run continuously?
No, the Taurus Cloud image runs only while a BlazeMeter test job is executed. The BlazeMeter crane image, a lightweight component inside your environment, polls for pending jobs and starts a Taurus Cloud container only when a test needs to run. Once the test is complete, that container is stopped and is no longer active. Your test configuration determines which executors, and therefore which bundled tools, are used during execution.
Understanding when the Taurus Cloud image runs can help put vulnerability scan findings into context.
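Putting a scan report into that context means joining each finding to the executors your tests actually configure. The script below is an added example for this page, not BlazeMeter tooling: it takes a list of scan findings and a Taurus test configuration and sorts the findings into those reachable by the configured executors, those that belong to tools no executor uses, and those that run whenever the container runs at all. The finding identifiers and the component-to-executor table are constructed for the example; the table must be maintained against the real contents of your image. The only Taurus-specific facts it relies on are that the configuration is a YAML document with an `execution` list whose entries name an `executor`, and that an entry with no executor uses `settings.default-executor` (jmeter unless overridden).

```python
"""Sort vulnerability scan findings by whether the configured executors use them.

Added example for this page (not BlazeMeter code). The Taurus configuration is
shown as the dict that loading its YAML would produce, so no YAML library is
needed. Finding ids and the component table are constructed; only the
`execution` / `executor` / `settings.default-executor` keys are real Taurus
configuration.
"""

# Which bundled tool each executor loads.  ASSUMED table: populate it from the
# actual image contents (e.g. the scanner's package list) for your deployment.
# "always" marks components that run whenever the container runs, regardless
# of executor: the base OS, the Python runtime and Taurus itself.
COMPONENT_TO_EXECUTOR = {
    "jmeter": "jmeter",
    "gatling": "gatling",
    "locust": "locust",
    "selenium": "selenium",
    "openssl": "always",
    "python3": "always",
    "bzt": "always",
}

# Constructed scan findings (placeholder ids, not real advisories).
SAMPLE_FINDINGS = [
    {"id": "FINDING-1", "component": "jmeter",   "severity": "high"},
    {"id": "FINDING-2", "component": "gatling",  "severity": "critical"},
    {"id": "FINDING-3", "component": "openssl",  "severity": "medium"},
    {"id": "FINDING-4", "component": "somelib",  "severity": "low"},
]

# Constructed Taurus configuration: one jmeter execution plus one that relies
# on the default executor.
SAMPLE_CONFIG = {
    "settings": {"default-executor": "jmeter"},
    "execution": [
        {"executor": "jmeter", "scenario": "checkout"},
        {"scenario": "login"},
    ],
}


def configured_executors(config):
    """Return the set of executor names the configuration will actually run."""
    default = (config.get("settings") or {}).get("default-executor", "jmeter")
    return {e.get("executor", default) for e in config.get("execution", [])}


def triage(findings, config, table=COMPONENT_TO_EXECUTOR):
    """Bucket findings by whether the configured executors reach them.

    Unmapped components are kept separate and should be treated as reachable
    until someone confirms otherwise; absence from the table is not evidence
    that the component is unused.
    """
    used = configured_executors(config)
    buckets = {"in_execution_path": [], "not_executed": [], "unmapped": []}
    for f in findings:
        owner = table.get(f["component"])
        if owner is None:
            buckets["unmapped"].append(f["id"])
        elif owner == "always" or owner in used:
            buckets["in_execution_path"].append(f["id"])
        else:
            buckets["not_executed"].append(f["id"])
    return buckets


if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_FINDINGS, SAMPLE_CONFIG).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

A finding that lands in `not_executed` is still present in the image and should remain on the remediation list for the next image release; the bucket tells you what to prioritise, not what to ignore. Re-run the triage whenever a test configuration adds an executor, because that changes which findings move into the execution path.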