Keeping Up with the CVEs: How to Find a Needle in a Haystack?

2021-10-14

Authors: Pushkar Joglekar

Summary

The talk discusses the issue of managing vulnerabilities in Kubernetes container images and proposes a practical approach to assessing product security based on risk rather than raw vulnerability counts.
  • Kubernetes end users often rely on image scanning to manage vulnerabilities, but scanning on its own may not be effective in reducing the number of vulnerabilities.
  • The focus should be on understanding the impact of each vulnerability and removing unnecessary components from container images.
  • The Kubernetes project manages vulnerabilities by reducing image churn and removing unnecessary components through the use of distroless base images.
  • Distroless base images reduce the attack surface and simplify vulnerability management.
  • The speaker shares a fictional anecdote of a CISO's frustration with the high number of vulnerabilities detected in container images.
  • The talk emphasizes the importance of understanding risk posture and threat models when assessing product security.
In the anecdote, the CISO is frustrated by the high number of vulnerabilities detected in container images. The platform architect suggests that the findings may come from unnecessary components in the base image, and that the focus should be on understanding the impact of the vulnerabilities and removing those components. This highlights the importance of assessing product security based on risk rather than raw vulnerability numbers.
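
The distroless approach the summary attributes to the Kubernetes project, shown as an added example that is not from the talk or the Kubernetes build: a multi-stage build that keeps the toolchain in the build stage and ships only the binary. It assumes a hypothetical Go service with its entry point under ./cmd/server.

```dockerfile
# Stage 1: build with the full toolchain image. Compilers, shells and package
# managers live here and never reach the runtime image.
FROM golang:1.21 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static, stripped binary so the runtime image needs no libc, loader or shell.
# (./cmd/server is the assumed, hypothetical entry point of the service.)
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /out/server ./cmd/server

# Runtime variant the talk argues against: a general-purpose distro base.
# Every package in the base (shell, package manager, perl, ...) shows up as
# scanner findings for code the service never executes.
# FROM debian:bookworm
# COPY --from=build /out/server /server
# ENTRYPOINT ["/server"]

# Runtime variant with a distroless base: only the binary plus CA certificates
# and tzdata from the base, no shell, no package manager, running as non-root
# (the :nonroot tag sets the user).
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/server /server
ENTRYPOINT ["/server"]
```

Scanning both runtime variants with the same image scanner makes the talk's point concrete: the findings that disappear are exactly those attached to packages the service never loaded.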

Abstract

An end user team bought a new product that ships as a set of container images. Their CISO requests a scan of the images before going live. The internal scan, to everyone’s surprise, results in 314159 vulnerabilities. The CISO is furious & rejects any claims that the scanner is faulty, since it worked fine for VM images. After multiple back-and-forth exchanges with the product’s vendor, it turns out that the vast majority of the detected vulnerabilities are false positives, have no fix, or are not in the code execution path. Everyone breathes a sigh of relief until, a few weeks later, the same thing happens with another product & the story repeats itself. It does not have to be this way! In this talk, using the Kubernetes images as an example, we will unravel how vulnerability scanners work and where their blind spots are, and discuss how to implement a practical approach that allows end users to assess a product’s security not by raw vulnerability numbers & severity but by the risk it poses to their environment.