A (FUN!) COMPARISON OF DOCKER VULNERABILITY SCANNERS

FIRST, A NOTE FROM OUR LAWYERS…

We understand that different people have different understandings for the meaning of the word “fun.” We believe that Mr. Kinsella has prepared this talk with true intention to provide a entertaining look into what many (including us) would consider an impossibly dry subject. Information security is bad enough – have you ever looked at Seccomp? He’s giving a talk on that on Wednesday, we guess they had extra rooms at the conference? We thought some of our contracts were bad! Anyways, point is – by reading this text and continuing to remain in the conference hall, you hereby understand that this guy (can be) funny and he’s going to try and make this a fun talk, but you waive your right for recourse in the event you do not emit nary a giggle.

•20 years in security industry•Previously wrote a vulnerability scanner for Linux, Solaris, Windows•Long open source history•Active in Cloud Security Alliance•Founder and CTO of Layered Insight

OVERVIEW• Fun!• Scanning Overview• Discuss a few tools• How to minimize vulnerabilities in your images• Vulnerability triage

TRIGGER WARNING: SECURITY VENDORS

VULNERABILITY SCANNERS

ANOTHER NOTE FROM OUR LAWYERS The previous slide depicted a sample of logos

representing products and vendors in the information security space who claim to provide software or services capable of determining the presence of vulnerable software in a given computer system. As this is a sample set, some vendors or products may not have been listed. Logos which are displayed may differ in size; This is due to laziness on the part of Mr. Kinsella, and is not to be interpreted as a comment on the market share, company size, or effectiveness of any particular logo or representative product. This goes for the next slide, as well.

He’s an engineer. They’re lazy. He’ll probably file a pull request on this slide deck next week for a basic typo. Don’t look at me like that. How am I supposed to know how to merge a patch on a PowerPoint file?

CONTAINER SCANNERS

http://thenewstack.io/draft-vulnerability-scanners/

HOST VS NETWORK SCANNING Network based shows vulnerabilities exposed to the network (running

services not protected by firewalls) Host based shows vulnerabilities in installed sw – doesn’t have to be

running

Host Network

WHY IS CONTAINER SCANNING DIFFERENT?

A container image is made up of layers – to get a real understanding of the vulnerability stance of an image, need to assess each layer

Image: Docker

GATHER INVENTORY…

COMPARE TO CVE/NVD

WHEN VERSION MATCHES CVE…

BUT THE BOX IS PATCHED?

COMPARE TO OVAL Vulnerability databases are specific to OS distributions, understands

versions much better

OVAL IS DISTRO-AWARE

(from https://github.com/coreos/clair/ )

UBUNTU SHOWS ISSUES…

(from https://people.canonical.com/~ubuntu-security/cve/pkg/glibc.html )

SMALLER IMAGE, LESS VULNERABILITIES

Don’t use from:debian, unless really needed

WHY? LEAST PRIVILEGE We want the smallest image possible, when we load it across 100 hosts

The smaller the image, the less exposure for potential vulnerabilities

TRIAGE

TRIAGE As we move to devops, developers are being exposed to the secops work

of vuln/patch management

HOW TO HANDLE THIS??

Understand CVSS v2

CVSS CALCULATOR

ENVIRONMENTAL SCORE!

THANKS!

@johnlkinsella

http://layeredinsight.com

CREDITS Dogs from Last Week Tonights Real Animals, Fake Paws Cats from:

http://i.telegraph.co.uk/multimedia/archive/02830/cat_2830677b.jpg http://imgur.com/gallery/KWvtdg0 http://imgur.com/gallery/2u6BW