
Building Images for the Secure Supply Chain

2022-10-24

Authors: Adrian Mouat


Summary

The talk discusses techniques and tooling that address security concerns when building container images for a secure supply chain.
  • Provenance and reproducibility are major weaknesses in the current state of IT security.
  • The distroless philosophy, and smaller base images in general, can save you from scan report purgatory.
  • Keeping images and dependencies up to date is crucial.
  • apko builds container images with SBOMs and complete reproducibility.
  • Images are signed with Sigstore.
  • Dependencies are cut down by using smaller base images and keeping them up to date.
  • Signatures are verified, and policy management tools check images for vulnerabilities.
  • The Vulnerability Exploitability eXchange (VEX) can filter vulnerabilities and cut down noise.
  • Google container tools and digital images are small and well suited to running statically compiled binaries.
  • Their drawbacks are that they are hard to extend and that installing applications into them is difficult.
  • Cutting an image down to its minimum set of dependencies drastically reduces the noise in vulnerability reports.
The speaker highlights how hard it is to gauge exposure to a newly published vulnerability, and how overwhelming the number of findings from scanning tools can be. He suggests cutting images down to the minimum set of dependencies and keeping them up to date so that the reports contain less noise, and recommends smaller base images such as Alpine or Debian Slim. He also recommends verifying signatures and using policy management tools to check for vulnerabilities, and points to the Vulnerability Exploitability eXchange as a way to filter vulnerabilities and reduce noise. Google container tools and digital images are discussed as small images that are well suited to running statically compiled binaries, with the drawback that they are hard to extend and that installing applications into them is difficult.

Abstract

Security scans getting you down? Users complaining they can't verify your images? Have no idea if your systems are vulnerable to the latest exploit? Want to improve your SLSA level but don't know where to start? You're not alone -- all organisations face these issues. This talk will walk through techniques and tooling that you can use today to address these concerns. In particular it will cover:
  • The distroless philosophy; why minimal images can save you from scan report purgatory
  • The importance of updating images and dependencies
  • Using apko to build container images with SBOMs and complete reproducibility
  • Signing images with Sigstore
The best bit? These tools and techniques will make your systems simpler and faster. Adding security doesn't have to mean hurting usability or productivity.
