
Improve Vulnerability Management with OCI Artifacts – It Is That Easy!

2023-04-20

Authors: Itay Shakury, Toddy Mladenov


Summary

The presentation discusses the challenges and solutions in managing vulnerabilities and software bills of materials (SBOMs) in the context of DevOps and cybersecurity.
  • The new OCI changes make it easier to manage images together with their vulnerability data and SBOMs.
  • However, there are challenges in standardizing artifact types and annotations.
  • Getting the right artifact is difficult and requires both manual and automated steps.
  • The specifications for SBOMs are not always accurate and require additional information to make vulnerability reports more accurate.
The speaker shared an example of how they had to create custom annotations like 'created by Trivy' because OCI gives no guidance on how to store, in the artifact itself, which tool generated the SBOM or report. They also had to push more information to make the vulnerability report more accurate.

Abstract

In the past couple of years supply chain security has risen to mainstream attention and the industry has been devoted to addressing the related concerns. Managing vulnerabilities and software dependencies is an integral part of this process. One of the most dominant advancements was the popularization of standard SBOMs (Software Bill of Materials) as well as signed attestations. While SBOM generation and validation is a non-issue today, efficiently utilizing SBOMs at scale is still a challenge: it relies on custom solutions or proprietary integrations. The OCI artifacts specification is a new specification that solves this challenge in an elegant and efficient manner. With it, you can sign images, and store and sign SBOMs, scan results and other important supply chain related attestations alongside the relevant artifacts in the registry. In this talk, the audience will learn how to improve their vulnerability management practices by employing the new registry capabilities and using open-source tools like Trivy, Notary and ORAS. The same practices can be applied to any OCI artifact, including WASM, packages, and libraries.
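The "getting the right artifact" problem from the summary, worked as an added example that is not code from the talk, Trivy or ORAS: a registry's OCI 1.1 referrers index is filtered by artifactType, then by a custom generator annotation of the kind the speakers describe, and the newest match is chosen. The annotation key org.example.sbom.generator, the digests and the referrers index itself are constructed placeholders.

```python
import json
from typing import Optional

# Constructed sample of what the OCI 1.1 referrers API returns for one image digest:
# two CycloneDX SBOMs from different tools and one SARIF scan report are attached.
# OCI defines no standard annotation for the producing tool, so the key below is a
# placeholder for the kind of custom annotation the talk describes (assumed, not standard).
GENERATOR_KEY = "org.example.sbom.generator"

REFERRERS = json.loads("""{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:1111", "size": 512,
     "artifactType": "application/vnd.cyclonedx+json",
     "annotations": {"org.opencontainers.image.created": "2023-04-18T10:00:00Z",
                     "org.example.sbom.generator": "syft"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:2222", "size": 640,
     "artifactType": "application/vnd.cyclonedx+json",
     "annotations": {"org.opencontainers.image.created": "2023-04-19T09:30:00Z",
                     "org.example.sbom.generator": "trivy"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:3333", "size": 300,
     "artifactType": "application/sarif+json",
     "annotations": {"org.opencontainers.image.created": "2023-04-19T09:31:00Z",
                     "org.example.sbom.generator": "trivy"}}
  ]
}""")


def select_artifact(index: dict, artifact_type: str,
                    generator: Optional[str] = None) -> Optional[dict]:
    """Return the newest referrer with the given artifactType, optionally restricted
    to one producing tool via the custom generator annotation. Returns None when
    nothing matches so a caller fails closed rather than scanning the wrong SBOM."""
    candidates = [
        m for m in index.get("manifests", [])
        if m.get("artifactType") == artifact_type
        and (generator is None
             or m.get("annotations", {}).get(GENERATOR_KEY) == generator)
    ]
    if not candidates:
        return None
    # org.opencontainers.image.created is RFC 3339; with UTC "Z" timestamps, as in
    # the sample, lexical order equals chronological order.
    return max(candidates, key=lambda m: m.get("annotations", {})
               .get("org.opencontainers.image.created", ""))
```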

Materials: