A (fun!) Comparison of Docker Vulnerability Scanners
Uploaded by john-kinsella. Category: Technology.
Transcript of A (fun!) Comparison of Docker Vulnerability Scanners
Slide 1
A (FUN!) COMPARISON OF DOCKER VULNERABILITY SCANNERS
Slide 2
FIRST, A NOTE FROM OUR LAWYERS…
We understand that different people have different understandings of the meaning of the word “fun.” We believe that Mr. Kinsella has prepared this talk with the true intention of providing an entertaining look into what many (including us) would consider an impossibly dry subject. Information security is bad enough – have you ever looked at Seccomp? He’s giving a talk on that on Wednesday; we guess they had extra rooms at the conference? We thought some of our contracts were bad! Anyway, the point is – by reading this text and continuing to remain in the conference hall, you hereby understand that this guy (can be) funny and he’s going to try and make this a fun talk, but you waive your right to recourse in the event you do not emit nary a giggle.
Slide 3
• 20 years in the security industry
• Previously wrote a vulnerability scanner for Linux, Solaris, Windows
• Long open source history
• Active in Cloud Security Alliance
• Founder and CTO of Layered Insight
Slide 4
OVERVIEW
• Fun!
• Scanning overview
• Discuss a few tools
• How to minimize vulnerabilities in your images
• Vulnerability triage
Slide 5
TRIGGER WARNING: SECURITY VENDORS
Slide 6
VULNERABILITY SCANNERS
Slide 7
ANOTHER NOTE FROM OUR LAWYERS
The previous slide depicted a sample of logos representing products and vendors in the information security space who claim to provide software or services capable of determining the presence of vulnerable software in a given computer system. As this is a sample set, some vendors or products may not have been listed. Logos which are displayed may differ in size; this is due to laziness on the part of Mr. Kinsella, and is not to be interpreted as a comment on the market share, company size, or effectiveness of any particular logo or representative product. This goes for the next slide, as well.
He’s an engineer. They’re lazy. He’ll probably file a pull request on this slide deck next week for a basic typo. Don’t look at me like that. How am I supposed to know how to merge a patch on a PowerPoint file?
Slide 8
CONTAINER SCANNERS
http://thenewstack.io/draft-vulnerability-scanners/
Slide 9
HOST VS NETWORK SCANNING
• Network based: shows vulnerabilities exposed to the network (running services not protected by firewalls)
• Host based: shows vulnerabilities in installed software – the software doesn’t have to be running
(diagram: Host vs Network)
Slide 10
WHY IS CONTAINER SCANNING DIFFERENT?
A container image is made up of layers – to get a real understanding of the vulnerability stance of an image, you need to assess each layer
Image: Docker
Slide 11
GATHER INVENTORY…
Slide 12
COMPARE TO CVE/NVD
Slide 13
WHEN VERSION MATCHES CVE…
Slide 14
BUT THE BOX IS PATCHED?
Slide 15
COMPARE TO OVAL
Vulnerability databases that are specific to an OS distribution understand package versions much better
Slide 16
OVAL IS DISTRO-AWARE
(from https://github.com/coreos/clair/ )
Slide 17 (screenshot only)
Slide 18 (screenshot only)
Slide 19
UBUNTU SHOWS ISSUES…
(from https://people.canonical.com/~ubuntu-security/cve/pkg/glibc.html )
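Added example, not from the talk and not Clair's code: the Python below walks the three steps from the preceding slides (gather inventory, compare to CVE/NVD, compare to OVAL) on constructed data. It parses a dpkg status excerpt into an inventory, matches the bare upstream version the way a plain NVD lookup does, then re-checks the same packages against a distro-aware fixed-version table using dpkg's own version-ordering rules, which is what lets OVAL-style data recognise that a fix was backported into an Ubuntu revision without the upstream version changing. The package records, the CVE ids (CVE-0000-0001, CVE-0000-0002) and the fixed versions are constructed placeholders, not real advisories; the comparison logic is a port of the dpkg version-ordering algorithm.

```python
# Added example: naive CVE/NVD upstream-version matching versus distro-aware (OVAL-style)
# matching. Every package record, CVE id and fixed version here is a constructed placeholder.
import re
from itertools import zip_longest

# Constructed excerpt of /var/lib/dpkg/status as found inside an Ubuntu-based image.
DPKG_STATUS = """\
Package: libc6
Status: install ok installed
Source: glibc
Version: 2.19-0ubuntu6.9

Package: openssl
Status: install ok installed
Version: 1.0.1f-1ubuntu2.19
"""

# Constructed NVD-style records: upstream product and the last affected upstream version.
NVD_ENTRIES = [
    {"cve": "CVE-0000-0001", "product": "glibc", "affected_upto": "2.19"},
    {"cve": "CVE-0000-0002", "product": "openssl", "affected_upto": "1.0.1f"},
]

# Constructed OVAL/advisory-style records: (distro, cve, binary package) -> version carrying the fix.
DISTRO_FIXES = {
    ("ubuntu", "CVE-0000-0001", "libc6"): "2.19-0ubuntu6.6",
    ("ubuntu", "CVE-0000-0002", "openssl"): "1.0.1f-1ubuntu2.27",
}


def parse_dpkg_status(text):
    """Gather inventory: {binary package: {"version", "source"}} for installed packages only."""
    inventory = {}
    for paragraph in text.strip().split("\n\n"):
        fields = {}
        for line in paragraph.splitlines():
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if fields.get("Status", "").endswith(" installed"):
            # NVD tracks the upstream project; dpkg's Source field maps binary package -> upstream.
            source = fields.get("Source", fields["Package"]).split()[0]
            inventory[fields["Package"]] = {"version": fields["Version"], "source": source}
    return inventory


def _order(c):
    """dpkg's character weight: '~' sorts before everything (even end of string), letters before symbols."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    """Compare one version fragment as dpkg does: alternating non-digit runs and numeric runs."""
    ta = re.findall(r"(\D*)(\d*)", a)
    tb = re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(ta, tb, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):      # end of string weighs 0
            oa, ob = (_order(ca) if ca else 0), (_order(cb) if cb else 0)
            if oa != ob:
                return oa - ob
        if int(na or 0) != int(nb or 0):                       # numeric runs compare as integers
            return 1 if int(na or 0) > int(nb or 0) else -1
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def dpkg_compare(a, b):
    """Order two full Debian versions as `dpkg --compare-versions` does: epoch, upstream, revision."""
    (ea, ua, ra), (eb, ub, rb) = parse_version(a), parse_version(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def naive_nvd_matches(inventory):
    """'Compare to CVE/NVD': match on the upstream version alone, ignoring the distro revision."""
    hits = []
    for name, pkg in inventory.items():
        upstream = parse_version(pkg["version"])[1]
        for entry in NVD_ENTRIES:
            if entry["product"] == pkg["source"] and _verrevcmp(upstream, entry["affected_upto"]) <= 0:
                hits.append((name, entry["cve"]))
    return sorted(hits)


def distro_aware_matches(inventory, distro="ubuntu"):
    """'Compare to OVAL': vulnerable only if older than the distro's own fixed version."""
    hits = []
    for (d, cve, name), fixed_version in DISTRO_FIXES.items():
        pkg = inventory.get(name)
        if d == distro and pkg and dpkg_compare(pkg["version"], fixed_version) < 0:
            hits.append((name, cve))
    return sorted(hits)


if __name__ == "__main__":
    inv = parse_dpkg_status(DPKG_STATUS)
    print("naive NVD match:   ", naive_nvd_matches(inv))    # libc6 is a false positive: fix was backported
    print("distro-aware match:", distro_aware_matches(inv))
```

Run as-is, the naive pass flags libc6 because its upstream version is still 2.19, while the distro-aware pass clears it because 2.19-0ubuntu6.9 sorts after the revision that carried the fix; openssl is flagged by both. The Source: field is the inventory detail that bites in practice: NVD names the upstream project (glibc) while dpkg installs the binary package (libc6), and a scanner that matches on binary package names alone misses the CVE entirely.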
Slide 20
SMALLER IMAGE, FEWER VULNERABILITIES
Don’t use FROM debian unless really needed
Slide 21
WHY? LEAST PRIVILEGE
We want the smallest image possible, when we load it across 100 hosts
The smaller the image, the less exposure to potential vulnerabilities
Slide 22
TRIAGE
Slide 23
TRIAGE
As we move to devops, developers are being exposed to the secops work of vuln/patch management
Slide 24
HOW TO HANDLE THIS??
Slide 25
Understand CVSS v2
Slide 26
CVSS CALCULATOR
Slide 27
ENVIRONMENTAL SCORE!
Slide 28
THANKS!
@johnlkinsella
http://layeredinsight.com
Slide 29
CREDITS
Dogs from Last Week Tonight’s Real Animals, Fake Paws
Cats from:
http://i.telegraph.co.uk/multimedia/archive/02830/cat_2830677b.jpg
http://imgur.com/gallery/KWvtdg0
http://imgur.com/gallery/2u6BW