
Day in the Life of a Base Image: The Evolution of Vulnerabilities in the Most Popular Containers

2022-10-24

Authors:   Ayse Kaya


Summary

The talk discusses the evolution of vulnerabilities in popular public container images and the challenges faced by developers and DevSecOps teams in handling them. The speaker shares insights from a report on publicly available containers on Docker Hub and highlights the need for practical steps to prevent the dev process from grinding to a halt.
  • Container scanning and security is becoming more widely adopted, but the long-term security posture of containers is not well-understood.
  • New vulnerabilities arise constantly, and many vulnerabilities fall into a catchall bucket of 'won't fix'.
  • The attack surface of popular public container images like Python and NodeJS has changed over the past year, and different vulnerability scanners show different results.
  • Developers and DevSecOps teams face challenges in ensuring containerized applications are free from vulnerabilities due to the complexity of containers and manual processes.
  • Practical steps can be taken to stay on top of vulnerabilities and prevent the dev process from grinding to a halt.
The speaker mentions that her research team has been working on a report on publicly available containers on Docker Hub and has found some interesting insights. However, she is not allowed to share them until the report is published online the next day. She encourages the audience to download the report and attend the KubeCon keynotes to hear the messenger. She believes that the data speaks for itself and her goal is to get out of the way of the message.

Abstract

While container scanning & security is becoming more widely adopted, it’s still not well understood how these containers evolve over time from a security perspective. This includes understanding the long-term security posture of these containers, whether it is improving or declining as new vulnerabilities are discovered.

This talk will take a first-time look at why handling vulnerabilities in containers is such a sticky problem to begin with: known vulnerabilities require patching, new vulnerabilities arise constantly, and many others simply fall into a catchall bucket of "won't fix". We'll show data visualizations of how the attack surface of two mega-popular public container images (Python, NodeJS) has changed over the past year, highlighting the problem developers and DevSecOps teams are facing. We'll demonstrate how some of the most popular vulnerability scanners show different results, sometimes to extreme degrees. But stick around to the very end, because on the upside, we'll wrap up with practical steps developers can take to stay on top of vulnerabilities and prevent their dev process from grinding to a halt.
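The abstract makes two claims a practitioner will want to check on their own images: scanners disagree, and a large share of findings have no fix available or are marked "won't fix". The script below is an added example, not material from the talk or the report it refers to. It normalizes two scanner reports into a common (CVE, package) key space, buckets each finding as fixable / no fix yet / won't fix, and diffs the two scanners. The field names follow the JSON layouts of Trivy (`Results[].Vulnerabilities[]`, with `FixedVersion` and `Status`) and Grype (`matches[]`, with `vulnerability.fix.state`) as I know them; treat the exact schema and the Trivy status strings as assumptions to verify against the tool versions you run. The sample reports are constructed inline and the CVE IDs in them are placeholders, not real findings against any image.

```python
"""Normalize and diff two container-scanner JSON reports (added example)."""
import json

# Constructed sample reports. Schema follows Trivy and Grype JSON output as
# assumed in the lead-in; CVE IDs are placeholders, not real vulnerabilities.
TRIVY_SAMPLE = json.dumps({
    "Results": [{
        "Target": "example-image (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
             "Severity": "HIGH", "Status": "fixed"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
             "InstalledVersion": "2.3-1", "FixedVersion": "",
             "Severity": "MEDIUM", "Status": "will_not_fix"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
             "InstalledVersion": "0.9", "FixedVersion": "",
             "Severity": "LOW", "Status": "affected"},
        ],
    }]
})
GRYPE_SAMPLE = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "fix": {"versions": ["1.0-2"], "state": "fixed"}},
         "artifact": {"name": "libfoo", "version": "1.0-1"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                           "fix": {"versions": [], "state": "wont-fix"}},
         "artifact": {"name": "libbar", "version": "2.3-1"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Critical",
                           "fix": {"versions": [], "state": "unknown"}},
         "artifact": {"name": "libqux", "version": "5.1"}},
    ]
})

# Status strings each scanner uses for "the distro will not ship a fix".
# Assumed values; confirm against your scanner version.
WONT_FIX_TRIVY = {"will_not_fix", "end_of_life"}
WONT_FIX_GRYPE = {"wont-fix"}


def bucket(fix_available, wont_fix):
    """Collapse scanner-specific fix metadata into three triage buckets."""
    if wont_fix:
        return "wont_fix"
    return "fixable" if fix_available else "no_fix_yet"


def parse_trivy(text):
    """Map (CVE, package) -> bucket from a Trivy JSON report."""
    out = {}
    for result in json.loads(text).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            key = (v["VulnerabilityID"], v["PkgName"])
            status = v.get("Status", "")
            out[key] = bucket(bool(v.get("FixedVersion")), status in WONT_FIX_TRIVY)
    return out


def parse_grype(text):
    """Map (CVE, package) -> bucket from a Grype JSON report."""
    out = {}
    for m in json.loads(text).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        fix = vuln.get("fix", {})
        key = (vuln["id"], art["name"])
        out[key] = bucket(bool(fix.get("versions")), fix.get("state") in WONT_FIX_GRYPE)
    return out


def compare(a, b):
    """Findings unique to each scanner, shared findings, and bucket disagreements."""
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    shared = sorted(set(a) & set(b))
    disagree = [k for k in shared if a[k] != b[k]]
    return {"only_a": only_a, "only_b": only_b, "shared": shared, "disagree": disagree}


def triage(findings):
    """Count findings per bucket; the 'wont_fix' count is the catchall the talk describes."""
    counts = {"fixable": 0, "wont_fix": 0, "no_fix_yet": 0}
    for b in findings.values():
        counts[b] += 1
    return counts


if __name__ == "__main__":
    trivy, grype = parse_trivy(TRIVY_SAMPLE), parse_grype(GRYPE_SAMPLE)
    print("trivy:", triage(trivy))
    print("grype:", triage(grype))
    print("diff:", compare(trivy, grype))
```

Run it against real reports by replacing the two sample strings with the output of `trivy image -f json <image>` and `grype <image> -o json`. The `only_a` / `only_b` lists are the scanner disagreement the abstract refers to; the `wont_fix` count is the bucket that no amount of rebuilding will empty, which is why it deserves a policy exception rather than a blocking gate in CI.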

Materials: