The talk discusses techniques and tooling for building container images with supply-chain security in mind.
- Provenance and reproducibility are major issues in the current state of security in IT.
- The distroless philosophy and smaller base images can save you from scan-report purgatory.
- Updating images and dependencies is crucial.
- Using apko to build container images with SBOMs and complete reproducibility.
- Signing images with Sigstore.
- Cutting down dependencies by using smaller base images and keeping them up to date.
- Verifying signatures and using policy management tools to check for vulnerabilities.
- VEX (Vulnerability Exploitability eXchange) documents let you filter out vulnerabilities that do not affect the image and cut down the noise in scan reports.
- Google's container-tools distroless images are small and well suited to running statically compiled binaries.
- The drawbacks of the distroless images are that they are hard to extend and it is difficult to install additional packages into them.
- Cutting down images to the minimum set of dependencies can drastically reduce noise in vulnerability reports.
The speaker highlights how hard it is to gauge exposure to a newly published vulnerability, and how overwhelming the number of findings reported by scanning tools has become. He suggests cutting images down to the minimum set of dependencies and keeping them up to date to reduce noise in vulnerability reports. He also recommends smaller base images such as Alpine or Debian Slim, verifying image signatures, and using policy management tools to check for vulnerabilities. VEX is mentioned as a way to filter vulnerabilities that do not apply and cut down noise. Google's container-tools distroless images are discussed as small and ideal for running statically compiled binaries, with the drawback that they are hard to extend and difficult to install applications into.
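As an added example (not code from the talk or from any scanner or VEX tool), the following script shows the noise-cutting step the summary describes: a scan report is filtered against an OpenVEX document so that findings the image maintainers have declared `not_affected` or `fixed` are set aside, and the remaining findings are run through a simple severity gate of the kind a policy tool would apply. The scan report and the VEX document are constructed samples; the CVE identifiers, package names and product id are placeholders, not real advisories. The scan-report shape (`id`, `package`, `severity`) is an assumption for the example, not any particular scanner's output format; the VEX side follows the OpenVEX v0.2.0 statement layout.

```python
"""Filter a vulnerability scan report with an OpenVEX document, then apply a
severity gate.  Added example; the report and VEX document are constructed
samples, and the scan-report field names are assumptions for this example."""
import json

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# OpenVEX statuses that mean the finding does not need to block this product.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}

PRODUCT = "pkg:oci/example-app@1.0.0"  # constructed product identifier

# Constructed scanner output (scanner-neutral shape, not any real tool's format).
SCAN_REPORT = json.loads("""
{
  "product": "pkg:oci/example-app@1.0.0",
  "findings": [
    {"id": "CVE-2023-0001", "package": "pkg:apk/alpine/libcrypto3@3.1.0", "severity": "HIGH"},
    {"id": "CVE-2023-0002", "package": "pkg:apk/alpine/busybox@1.36.0",   "severity": "CRITICAL"},
    {"id": "CVE-2023-0003", "package": "pkg:apk/alpine/zlib@1.2.13",      "severity": "LOW"},
    {"id": "CVE-2023-0004", "package": "pkg:apk/alpine/libssl3@3.1.0",    "severity": "MEDIUM"},
    {"id": "CVE-2023-0005", "package": "pkg:apk/alpine/curl@8.1.0",       "severity": "HIGH"}
  ]
}
""")

# Constructed OpenVEX v0.2.0 document; identifiers are placeholders.
VEX_DOCUMENT = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.com/vex/example-app-1.0.0",
  "author": "Example App maintainers",
  "timestamp": "2024-01-01T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-2023-0001"},
     "products": [{"@id": "pkg:oci/example-app@1.0.0",
                   "subcomponents": [{"@id": "pkg:apk/alpine/libcrypto3@3.1.0"}]}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-2023-0002"},
     "products": [{"@id": "pkg:oci/example-app@1.0.0"}],
     "status": "affected",
     "action_statement": "Upgrade busybox; fix pending in the next release"},
    {"vulnerability": {"name": "CVE-2023-0004"},
     "products": [{"@id": "pkg:oci/example-app@1.0.0",
                   "subcomponents": [{"@id": "pkg:apk/alpine/libssl3@3.0.0"}]}],
     "status": "not_affected",
     "justification": "component_not_present"},
    {"vulnerability": {"name": "CVE-2023-0005"},
     "products": [{"@id": "pkg:oci/example-app@1.0.0"}],
     "status": "not_affected"}
  ]
}
""")


def statement_applies(stmt, product, finding):
    """True if a VEX statement covers this product and this finding's package."""
    if stmt["vulnerability"]["name"] != finding["id"]:
        return False
    for prod in stmt.get("products", []):
        if prod.get("@id") != product:
            continue
        subs = prod.get("subcomponents")
        if not subs:          # no subcomponents listed: covers the whole product
            return True
        if any(s.get("@id") == finding["package"] for s in subs):
            return True
    return False              # e.g. statement names a different package version


def effective_status(vex, product, finding):
    """Status of the last applicable, well-formed statement; None if nothing applies.
    A not_affected statement without a justification or impact statement is
    ignored rather than trusted, since the spec requires one."""
    status = None
    for stmt in vex["statements"]:
        if not statement_applies(stmt, product, finding):
            continue
        if stmt["status"] == "not_affected" and not (
                stmt.get("justification") or stmt.get("impact_statement")):
            continue
        status = stmt["status"]
    return status


def filter_findings(report, vex, product):
    """Split findings into (kept, suppressed), annotating each with its VEX status."""
    kept, suppressed = [], []
    for finding in report["findings"]:
        status = effective_status(vex, product, finding)
        target = suppressed if status in SUPPRESSING_STATUSES else kept
        target.append({**finding, "vex_status": status})
    return kept, suppressed


def blocking_findings(kept, threshold="HIGH"):
    """Policy gate: findings at or above the threshold severity that survived VEX."""
    min_rank = SEVERITY_RANK[threshold.upper()]
    return [f for f in kept if SEVERITY_RANK.get(f["severity"].upper(), 0) >= min_rank]


if __name__ == "__main__":
    kept, suppressed = filter_findings(SCAN_REPORT, VEX_DOCUMENT, PRODUCT)
    print("suppressed by VEX:", [f["id"] for f in suppressed])
    print("still reported:   ", [(f["id"], f["vex_status"]) for f in kept])
    print("blocking at HIGH: ", [f["id"] for f in blocking_findings(kept)])
```

Two of the statements are deliberately written so that they do not suppress anything: the one for CVE-2023-0004 names a different package version than the scanner found, and the one for CVE-2023-0005 claims `not_affected` without a justification. A filter that honoured either would let a maintainer (or anyone who can edit the VEX document) silence real findings, which is why the check is strict before it drops anything.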