Authors: Brad Geesaman, Ian Coldwater, Rory McCune, Duffie Cooley
2023-04-21
tldr - powered by Generative AI
The presentation discusses the potential vulnerabilities and limitations of image scanning and SBOM (software bill of materials) generation tools in DevOps and cybersecurity, and suggests ways to improve their effectiveness and prevent malicious attacks.
Image scanning and SBOM generation tools are sensitive to changes in image metadata and to the quality of the steps involved in building images, and the resulting inconsistent results can cause problems for organizations.
Malicious actors can manipulate the results of these tools, causing downstream effects and potentially compromising security.
To prevent attacks, tool makers should adopt a more adversarial approach and provide a more restrictive mode with detection coverage as the focus.
Users of these tools should check for unusual behavior, validate inputs and processes, and consider their threat model when making policy decisions.
Teams should work together to achieve larger goals and reduce toil.
The talk discusses the evolution of vulnerabilities in popular public container images and the challenges faced by developers and DevSecOps teams in handling them. The speaker shares insights from a report on publicly available containers on Docker Hub and highlights the need for practical steps to prevent the dev process from grinding to a halt.
Container scanning and security is becoming more widely adopted, but the long-term security posture of containers is not well-understood.
New vulnerabilities arise constantly, and many vulnerabilities fall into a catchall bucket of 'won't fix'.
The attack surface of popular public container images like Python and NodeJS has changed over the past year, and different vulnerability scanners show different results.
Developers and DevSecOps teams face challenges in ensuring containerized applications are free from vulnerabilities due to the complexity of containers and manual processes.
Practical steps can be taken to stay on top of vulnerabilities and prevent the dev process from grinding to a halt.