A (fun!) Comparison of Docker Vulnerability Scanners
1. (title slide)
2. We understand that different people have different understandings of the meaning of the word “fun.” We believe that Mr. Kinsella has prepared this talk with the true intention of providing an entertaining look into what many (including us) would consider an impossibly dry subject. Information security is bad enough – have you ever looked at Seccomp? He’s giving a talk on that on Wednesday; we guess they had extra rooms at the conference? We thought some of our contracts were bad! Anyway, the point is: by reading this text and continuing to remain in the conference hall, you hereby understand that this guy (can be) funny and he’s going to try to make this a fun talk, but you waive your right to recourse in the event you emit nary a giggle.
3. • 20 years in the security industry
• Previously wrote a vulnerability scanner for Linux, Solaris, Windows
• Long open source history
• Active in Cloud Security Alliance
• Founder and CTO of Layered Insight
4. • Fun!
• Scanning Overview
• Discuss a few tools
• How to minimize vulnerabilities in your images
• Vulnerability triage
5.
6.
7. The previous slide depicted a sample of logos representing products and vendors in the information security space who claim to provide software or services capable of determining the presence of vulnerable software in a given computer system. As this is a sample set, some vendors or products may not have been listed. Logos which are displayed may differ in size; this is due to laziness on the part of Mr. Kinsella, and is not to be interpreted as a comment on the market share, company size, or effectiveness of any particular logo or representative product. This goes for the next slide, as well.
He’s an engineer. They’re lazy. He’ll probably file a pull request on this slide deck next week for a basic typo. Don’t look at me like that. How am I supposed to know how to merge a patch on a PowerPoint file?
9. Network-based scanning shows vulnerabilities exposed to the network (running services not protected by firewalls).
Host-based scanning shows vulnerabilities in installed software – it doesn’t have to be running.
(diagram: host vs. network scanning)
10. A container image is made up of layers – to get a real understanding of the vulnerability stance of an image, you need to assess each layer.
Image: Docker
29. Dogs from Last Week Tonight's Real Animals, Fake Paws
Cats from:
http://i.telegraph.co.uk/multimedia/archive/02830/cat_2830677b.jpg
http://imgur.com/gallery/KWvtdg0
http://imgur.com/gallery/2u6BW
Editor's Notes
Host scans are sometimes referred to as “authenticated scans”
Is there a licensing conference? ‘cause seems we could talk on that for a week…
13 total, 13 shown. No PCRE.
Clair fetches a container image, looks at each layer, stores the package inventory in a database, then compares it against the latest OVAL data
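The following is an added example, not code from the talk or from Clair, showing the layer-by-layer workflow the note (and slide 10) describe: walk an image's layers in order, rebuild the installed-package inventory at each layer from the Debian dpkg status file, and match every layer's inventory against an OVAL-style advisory feed. The image layers, package versions, digests and advisory identifiers are all constructed for this example, and the version comparison is a deliberate simplification of dpkg's ordering.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample image: an ordered list of (layer digest, {path: contents}).
# As in a real image tarball, each layer carries only the files it changed, so the
# package database (the Debian-style var/lib/dpkg/status file) is replaced wholesale
# by any layer that installs packages. Digests and versions are made up.
SAMPLE_LAYERS: List[Tuple[str, Dict[str, str]]] = [
    ("sha256:layer-base", {
        "var/lib/dpkg/status":
            "Package: bash\nVersion: 5.0-4\n\n"
            "Package: libssl1.1\nVersion: 1.1.1-1\n\n",
    }),
    ("sha256:layer-app", {
        "app/server.py": "# application code; irrelevant to the package inventory\n",
        "var/lib/dpkg/status":
            "Package: bash\nVersion: 5.0-4\n\n"
            "Package: libssl1.1\nVersion: 1.1.1-1\n\n"
            "Package: curl\nVersion: 7.64.0-4\n\n",
    }),
    ("sha256:layer-patch", {
        "var/lib/dpkg/status":
            "Package: bash\nVersion: 5.0-4\n\n"
            "Package: libssl1.1\nVersion: 1.1.1-3\n\n"
            "Package: curl\nVersion: 7.64.0-4\n\n",
    }),
]

# Constructed OVAL-style feed: a package is affected when the installed version is
# older than fixed_version. The identifiers are placeholders, not real advisories.
SAMPLE_FEED = [
    {"id": "VULN-EXAMPLE-1", "package": "libssl1.1", "fixed_version": "1.1.1-3"},
    {"id": "VULN-EXAMPLE-2", "package": "curl", "fixed_version": "7.64.0-5"},
]


def parse_dpkg_status(text: str) -> Dict[str, str]:
    """Return {package: version} from a dpkg status file (blank-line separated stanzas)."""
    inventory: Dict[str, str] = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(":", 1) for line in stanza.splitlines() if ":" in line)
        if "Package" in fields and "Version" in fields:
            inventory[fields["Package"].strip()] = fields["Version"].strip()
    return inventory


def version_key(version: str) -> List[int]:
    """Simplified ordering on numeric runs only. NOT dpkg's algorithm: it ignores
    epochs, '~' and letters, which a real scanner must handle."""
    return [int(part) for part in re.findall(r"\d+", version)]


def is_affected(installed: str, fixed: str) -> bool:
    """True when the installed version sorts below the version that carries the fix."""
    return version_key(installed) < version_key(fixed)


def inventory_per_layer(layers) -> List[Tuple[str, Dict[str, str]]]:
    """Walk layers in order. A layer that ships a new status file replaces the
    inventory; any other layer inherits its parent's. Mirrors the idea that each
    layer must be assessed, not just the flattened final filesystem."""
    history, current = [], {}
    for digest, files in layers:
        if "var/lib/dpkg/status" in files:
            current = parse_dpkg_status(files["var/lib/dpkg/status"])
        history.append((digest, dict(current)))
    return history


def scan(layers, feed):
    """Return ({digest: [advisory ids]}, [advisory ids in the final image])."""
    per_layer: Dict[str, List[str]] = {}
    history = inventory_per_layer(layers)
    for digest, inv in history:
        per_layer[digest] = sorted(
            adv["id"] for adv in feed
            if adv["package"] in inv and is_affected(inv[adv["package"]], adv["fixed_version"])
        )
    return per_layer, per_layer[history[-1][0]]


def first_layer_introducing(per_layer: Dict[str, List[str]], layer_order: List[str]) -> Dict[str, str]:
    """Map each advisory to the first layer it appears in, which points triage at
    the Dockerfile step that pulled the package in."""
    origin: Dict[str, str] = {}
    for digest in layer_order:
        for vuln_id in per_layer[digest]:
            origin.setdefault(vuln_id, digest)
    return origin


if __name__ == "__main__":
    per_layer, final = scan(SAMPLE_LAYERS, SAMPLE_FEED)
    for digest, ids in per_layer.items():
        print(f"{digest}: {ids or 'clean'}")
    print("final image:", final or "clean")
    print("introduced in:", first_layer_introducing(per_layer, [d for d, _ in SAMPLE_LAYERS]))
```

Running it shows why per-layer assessment matters for triage: the base layer's libssl1.1 finding disappears once the patch layer upgrades the package, so it is not reported against the final image, while the curl finding introduced by the application layer survives and is attributed to that layer. A scanner that only looked at the flattened filesystem would report the same final list but could not say which build step introduced each finding.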
This is from our Qreva scanning service. We’re working on open sourcing the project!