Date post: | 06-Apr-2017 |
Category: |
Technology |
Upload: | john-kinsella |
View: | 163 times |
Download: | 0 times |
A (FUN!) COMPARISON OF DOCKER VULNERABILITY SCANNERS
FIRST, A NOTE FROM OUR LAWYERS…
We understand that different people have different understandings for the meaning of the word “fun.” We believe that Mr. Kinsella has prepared this talk with true intention to provide a entertaining look into what many (including us) would consider an impossibly dry subject. Information security is bad enough – have you ever looked at Seccomp? He’s giving a talk on that on Wednesday, we guess they had extra rooms at the conference? We thought some of our contracts were bad! Anyways, point is – by reading this text and continuing to remain in the conference hall, you hereby understand that this guy (can be) funny and he’s going to try and make this a fun talk, but you waive your right for recourse in the event you do not emit nary a giggle.
•20 years in security industry•Previously wrote a vulnerability scanner for Linux, Solaris, Windows•Long open source history•Active in Cloud Security Alliance•Founder and CTO of Layered Insight
OVERVIEW• Fun!• Scanning Overview• Discuss a few tools• How to minimize vulnerabilities in your images• Vulnerability triage
TRIGGER WARNING: SECURITY VENDORS
VULNERABILITY SCANNERS
ANOTHER NOTE FROM OUR LAWYERS The previous slide depicted a sample of logos
representing products and vendors in the information security space who claim to provide software or services capable of determining the presence of vulnerable software in a given computer system. As this is a sample set, some vendors or products may not have been listed. Logos which are displayed may differ in size; This is due to laziness on the part of Mr. Kinsella, and is not to be interpreted as a comment on the market share, company size, or effectiveness of any particular logo or representative product. This goes for the next slide, as well.
He’s an engineer. They’re lazy. He’ll probably file a pull request on this slide deck next week for a basic typo. Don’t look at me like that. How am I supposed to know how to merge a patch on a PowerPoint file?
CONTAINER SCANNERS
http://thenewstack.io/draft-vulnerability-scanners/
HOST VS NETWORK SCANNING Network based shows vulnerabilities exposed to the network (running
services not protected by firewalls) Host based shows vulnerabilities in installed sw – doesn’t have to be
running
Host Network
WHY IS CONTAINER SCANNING DIFFERENT?
A container image is made up of layers – to get a real understanding of the vulnerability stance of an image, need to assess each layer
Image: Docker
GATHER INVENTORY…
COMPARE TO CVE/NVD
WHEN VERSION MATCHES CVE…
BUT THE BOX IS PATCHED?
COMPARE TO OVAL Vulnerability databases are specific to OS distributions, understands
versions much better
OVAL IS DISTRO-AWARE
(from https://github.com/coreos/clair/ )
UBUNTU SHOWS ISSUES…
(from https://people.canonical.com/~ubuntu-security/cve/pkg/glibc.html )
SMALLER IMAGE, LESS VULNERABILITIES
Don’t use from:debian, unless really needed
WHY? LEAST PRIVILEGE We want the smallest image possible, when we load it across 100 hosts
The smaller the image, the less exposure for potential vulnerabilities
TRIAGE
TRIAGE As we move to devops, developers are being exposed to the secops work
of vuln/patch management
HOW TO HANDLE THIS??
Understand CVSS v2
CVSS CALCULATOR
ENVIRONMENTAL SCORE!
THANKS!
@johnlkinsella
http://layeredinsight.com
CREDITS Dogs from Last Week Tonights Real Animals, Fake Paws Cats from:
http://i.telegraph.co.uk/multimedia/archive/02830/cat_2830677b.jpg http://imgur.com/gallery/KWvtdg0 http://imgur.com/gallery/2u6BW