
Unpacking Open Source Security in Public Repos & Registries

Authors:   Ben Hirschberg


Summary

The presentation discusses the analysis of data from Kubernetes deployments and container registries to identify security issues and prioritize their resolution. The focus is on comparing vulnerability scans of the general population with those of graduated projects within CNCF.
  • The project aims to provide a platform to store and analyze data from scans of GitHub repositories and container registries to identify security issues and prioritize their resolution.
  • The presentation compares vulnerability scans of the general population with those of graduated projects within CNCF.
  • The most prevalent image repositories in the general population are Argo CD, Redis, and Prometheus, while in the graduated projects they are Argo CD, Prometheus, kube-proxy, and the kube-state-metrics exporter.
  • The presentation discusses specific vulnerabilities in BusyBox, libgcrypt, and SQLite, and their relevance to cloud-native applications.
  • A BusyBox anecdote highlights how unlikely that vulnerability is to be exploited in practice, while libgcrypt is prevalent because package managers depend on it.
  • Tags: cybersecurity, DevOps, Kubernetes, container registries, vulnerability scans, CNCF, cloud-native applications.
The speaker describes reading the description of the BusyBox vulnerability, which could be exploited over a network connection to take over the client process. They note that exploiting it requires the attacker to poison the DNS servers and the victim to read the poisoned DNS records with netstat in a terminal, which makes exploitation in cloud-native applications unlikely. They also explain that libgcrypt is prevalent because package managers depend on it, even though only a small percentage of container images contain private keys.
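The prioritisation argument above (rank a CVE by how many images carry it, weighted by severity, then discount findings whose exploitation needs conditions a cloud-native workload never meets) can be made concrete. The following script is an added example, not code or data from the talk or from the Kubescape project: the image references, the "general" versus "graduated" population labels, the package names and the CVE IDs are constructed placeholders, and the exploitability discount is an illustrative heuristic rather than anything the speaker published.

```python
"""Aggregate container-image scan results and rank findings by prevalence.

Added example (not the talk's code). The scan records are constructed to
resemble per-package output from scanners such as Trivy or Grype; CVE IDs
of the form CVE-0000-000N are placeholders, not real identifiers.
"""
from collections import Counter, defaultdict

SCANS = [
    {"image": "quay.io/argoproj/argocd:v2.5.2", "population": "graduated",
     "findings": [{"id": "CVE-0000-0001", "pkg": "busybox", "severity": "HIGH"},
                  {"id": "CVE-0000-0002", "pkg": "libgcrypt", "severity": "MEDIUM"}]},
    {"image": "quay.io/prometheus/prometheus:v2.40.0", "population": "graduated",
     "findings": [{"id": "CVE-0000-0001", "pkg": "busybox", "severity": "HIGH"}]},
    {"image": "registry.k8s.io/kube-proxy:v1.26.0", "population": "graduated",
     "findings": []},
    {"image": "quay.io/argoproj/argocd@sha256:0123456789abcdef", "population": "general",
     "findings": [{"id": "CVE-0000-0001", "pkg": "busybox", "severity": "HIGH"},
                  {"id": "CVE-0000-0002", "pkg": "libgcrypt", "severity": "MEDIUM"}]},
    {"image": "docker.io/library/redis:7.0", "population": "general",
     "findings": [{"id": "CVE-0000-0002", "pkg": "libgcrypt", "severity": "MEDIUM"},
                  {"id": "CVE-0000-0003", "pkg": "sqlite", "severity": "CRITICAL"}]},
    {"image": "docker.io/library/redis:6.2", "population": "general",
     "findings": [{"id": "CVE-0000-0002", "pkg": "libgcrypt", "severity": "MEDIUM"}]},
]

SEVERITY_WEIGHT = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Illustrative discount (an assumption of this example): CVE-0000-0001 stands
# in for a finding like the BusyBox one, whose exploitation needs a poisoned
# DNS answer *and* a human running a CLI applet in an interactive terminal,
# so its real-world likelihood in a container is far below its CVSS rating.
EXPLOITABILITY_FACTOR = {"CVE-0000-0001": 0.1}


def image_repo(ref):
    """Strip tag or digest from an image reference, keeping registry/repo.

    Handles 'repo:tag', 'repo@sha256:...' and registries with a port
    ('localhost:5000/app'), where the colon is not a tag separator.
    """
    ref = ref.split("@", 1)[0]
    head, sep, tail = ref.rpartition(":")
    if sep and "/" not in tail:
        return head
    return ref


def _in_population(scan, population):
    return population is None or scan["population"] == population


def repo_prevalence(scans, population=None):
    """How many scanned images belong to each repository."""
    return Counter(image_repo(s["image"]) for s in scans if _in_population(s, population))


def cve_prevalence(scans, population=None):
    """Number of distinct images carrying each (CVE, package) pair."""
    seen = defaultdict(set)
    for s in scans:
        if not _in_population(s, population):
            continue
        for f in s["findings"]:
            seen[(f["id"], f["pkg"])].add(s["image"])
    return {key: len(images) for key, images in seen.items()}


def prioritise(scans, population=None, exploitability=None):
    """Rank findings: prevalence x severity weight x exploitability factor.

    Returns (cve, pkg, image_count, score) tuples, highest score first.
    Pass exploitability={} to see the naive severity-only ordering.
    """
    if exploitability is None:
        exploitability = EXPLOITABILITY_FACTOR
    severity = {f["id"]: f["severity"] for s in scans for f in s["findings"]}
    ranked = []
    for (cve, pkg), count in cve_prevalence(scans, population).items():
        score = count * SEVERITY_WEIGHT[severity[cve]] * exploitability.get(cve, 1.0)
        ranked.append((cve, pkg, count, round(score, 2)))
    ranked.sort(key=lambda r: (-r[3], r[0]))
    return ranked


if __name__ == "__main__":
    for pop in ("general", "graduated"):
        print(pop, "repos:", repo_prevalence(SCANS, pop).most_common())
    print("naive:     ", prioritise(SCANS, exploitability={}))
    print("discounted:", prioritise(SCANS))
```

With the constructed data the naive ordering puts the placeholder BusyBox finding first (three images, HIGH), while the discounted ordering puts the libgcrypt finding first because it is present in four images and nothing about it is hard to reach. The discount table is the part a practitioner must justify per finding; the rest is bookkeeping over whatever scanner output you already have.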

Abstract

The container ecosystem has exploded in the decade since it was introduced, with containers becoming the backbone for the way we package, deploy, orchestrate, schedule & operate our production applications. It's no surprise then, that so many public facing resources have popped up over the years, both complementary open source projects & public registries that aggregate commonly used container images. In this talk we will unveil data from first-of-its-kind research conducted by scanning the most popular and widely adopted open source projects––from Grafana to Prometheus, Lens, Helm, ArgoCD and others to the public registries from which we pull our base images––from DockerHub, Quay, to GCR, & ECR. We will share how these public-facing resources leveraged by practically all developers stack up against common compliance frameworks - CIS, MITRE ATT&CK®, NIST, NSA-CISA, the most common misconfigurations, prevalence of well-known CVEs (through a Log4J example) with a look at the stats & hard numbers, and any other red flags you need to be aware of when leveraging public resources. We will wrap up with a risk analysis and scoring of the resources, highlight the risks to pay attention to, & provide some best practices to keep your systems & ops safe in this evolving security landscape.
