Light-hearted talk about heavy subject - vulnerability management in container ecosystems

2.  We understand that different people have
different understandings for the meaning of the
word “fun.” We believe that Mr. Kinsella has
prepared this talk with true intention to provide
a entertaining look into what many (including us)
would consider an impossibly dry subject.
Information security is bad enough – have you
ever looked at Seccomp? He’s giving a talk on
that on Wednesday, we guess they had extra
rooms at the conference? We thought some of our
contracts were bad! Anyways, point is – by
reading this text and continuing to remain in the
conference hall, you hereby understand that this
guy (can be) funny and he’s going to try and
make this a fun talk, but you waive your right for
recourse in the event you do not emit nary a
giggle.

3. •20 years in security
industry
•Previously wrote a
vulnerability scanner
for Linux, Solaris,
Windows
•Long open source
history
•Active in Cloud
Security Alliance
•Founder and CTO of
Layered Insight

4. • Fun!
• Scanning Overview
• Discuss a few tools
• How to minimize vulnerabilities in your images
• Vulnerability triage

7.  The previous slide depicted a sample of logos
representing products and vendors in the information
security space who claim to provide software or
services capable of determining the presence of
vulnerable software in a given computer system. As
this is a sample set, some vendors or products may not
have been listed. Logos which are displayed may differ
in size; This is due to laziness on the part of Mr.
Kinsella, and is not to be interpreted as a comment on
the market share, company size, or effectiveness of any
particular logo or representative product. This goes for
the next slide, as well.
He’s an engineer. They’re lazy. He’ll probably file a pull request on this slide deck next week
for a basic typo. Don’t look at me like that. How am I supposed to know how to merge a patch
on a PowerPoint file?

8. http://thenewstack.io/draft-vulnerability-scanners/

9.  Network based shows vulnerabilities exposed to the network (running services not
protected by firewalls)
 Host based shows vulnerabilities in installed sw – doesn’t have to be running
Host Network

10.  A container image is made up of layers – to
get a real understanding of the
vulnerability stance of an image, need to
assess each layer
Image: Docker

15.  Vulnerability databases are specific to OS distributions, understands versions
much better

16. (from https://github.com/coreos/clair/ )

19. (from https://people.canonical.com/~ubuntu-security/cve/pkg/glibc.html )

20. Don’t use from:debian, unless really needed

21.  We want the smallest image possible, when we load it across 100 hosts
 The smaller the image, the less exposure for potential vulnerabilities

23.  As we move to devops, developers are being exposed to the secops work of
vuln/patch management

25. Understand CVSS v2

28. @johnlkinsella
http://layeredinsight.com

29.  Dogs from Last Week Tonights Real Animals, Fake Paws
 Cats from:
 http://i.telegraph.co.uk/multimedia/archive/02830/cat_2830677b.jpg
 http://imgur.com/gallery/KWvtdg0
 http://imgur.com/gallery/2u6BW