The talk discusses how to prioritize and remediate vulnerabilities in container images by understanding how they are constructed and where potential vulnerabilities can come from.
- Container images are constructed in layers, some of which come from base images and parent images
- Understanding how software gets into the images is key to deciding on a strategy for minimizing vulnerabilities
- Prioritizing and fixing high severity vulnerabilities with available fixes is a good starting point
- Security in containers should be multi-layered and consider infrastructure misconfigurations
- Containers are often run in orchestration systems like Kubernetes, and security principles for Kubernetes should be followed
The speaker presents an example of a vulnerable node image with over 800 vulnerabilities, highlighting how overwhelming vulnerability scanning results can be. However, the talk emphasizes not getting bogged down in individual CVEs and instead focusing on understanding how the image is constructed and prioritizing fixes.
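As an added example (not part of the talk or its slides), the triage rule from the summary above in code: keep only findings at or above a severity threshold that already have a fix, and attribute each one to the base image or the application layers so the remediation (new base tag versus dependency bump) is clear. The scanner report shape, the CVE identifiers and the base-layer count are constructed for illustration.

```python
"""Triage container-image scan findings: high severity with a fix first,
then work out whether each came from the base image or the app layers."""
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "negligible": 0}

# Constructed sample in the shape of a simplified scanner report. "layer_index"
# is the position in the image's layer list; layers below BASE_LAYER_COUNT come
# from the FROM image, the rest from the app's own Dockerfile instructions.
# CVE identifiers are placeholders, not real advisories.
BASE_LAYER_COUNT = 3
SAMPLE_FINDINGS = [
    {"id": "CVE-XXXX-0001", "package": "openssl", "severity": "high", "fixed_version": "1.1.1k", "layer_index": 0},
    {"id": "CVE-XXXX-0002", "package": "libc6", "severity": "critical", "fixed_version": None, "layer_index": 0},
    {"id": "CVE-XXXX-0003", "package": "lodash", "severity": "high", "fixed_version": "4.17.21", "layer_index": 4},
    {"id": "CVE-XXXX-0004", "package": "minimist", "severity": "medium", "fixed_version": "1.2.6", "layer_index": 4},
    {"id": "CVE-XXXX-0005", "package": "perl-base", "severity": "low", "fixed_version": None, "layer_index": 1},
]

def classify_layer(finding, base_layer_count=BASE_LAYER_COUNT):
    """Whether the vulnerable package arrived via the base image or the app layers."""
    return "base" if finding["layer_index"] < base_layer_count else "app"

def prioritize(findings, min_severity="high", base_layer_count=BASE_LAYER_COUNT):
    """Return findings at or above min_severity that have a fixed version,
    most severe first, each tagged with the remediation its origin implies."""
    threshold = SEVERITY_RANK[min_severity]
    actionable = []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < threshold or not f["fixed_version"]:
            continue  # unfixable or below threshold: track it, but do not start here
        origin = classify_layer(f, base_layer_count)
        # Base-image findings are fixed by moving to a newer base tag; app-layer
        # findings by bumping the dependency in the application's own build.
        action = "update base image" if origin == "base" else "upgrade dependency"
        actionable.append({**f, "origin": origin, "action": action})
    actionable.sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
    return actionable

def summarize_by_origin(findings, base_layer_count=BASE_LAYER_COUNT):
    """Count findings per origin to see how much of the list the base image owns."""
    counts = defaultdict(int)
    for f in findings:
        counts[classify_layer(f, base_layer_count)] += 1
    return dict(counts)

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f['severity']:8} {f['id']} {f['package']} -> {f['action']}")
    print(summarize_by_origin(SAMPLE_FINDINGS))
```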
As security becomes a bigger concern in the world of containers and Kubernetes, using vulnerability scanning tooling in our workflows is becoming increasingly common. But many container images can show tens if not hundreds of vulnerabilities, particularly if they are built using upstream base images from public repositories. If your container has a huge number of vulnerabilities, what do you do? Many of us will reach information overload when faced with such a list, and struggle to work out what actions we should take. In this talk, we'll look at how container images are constructed, understand how potential vulnerabilities can get into our images, and explore how we can prioritize and remediate the vulnerabilities we find. Take control of your vulnerabilities!