
Security Scanning & Notary & CNCF donation by David Lawrence (Docker)


Get updates on the Notary & TUF donation to CNCF along with information on proposed additions to the TUF specification. TUF is a living specification and there are a number of interesting proposals that have been submitted to meet distributed trust use cases, allowing one to incorporate multiple sources of trust into a process.
We’ll also look at what SIG Scanning has been up to and what the group will be taking on in the future. Find out about some of the standards we’re looking at integrating and the main use cases we believe SIG Scanning can help address.


  1. Signing (Notary)
  2. What is Notary
     A highly secure platform for signing collections of digital content.
     ● Golang implementation of The Update Framework (TUF)
     ● Used in Docker Content Trust for container image signing
  3. “TUF has been designed by academic experts in the subject, based both on research and existing real-world systems. Our crypto-humility should cover not just crypto algorithms but extend to whole system designs.” Duncan Coutts, Cabal maintainer
  4. CNCF Donation
     ● Formal invitation to submit to the Cloud Native Computing Foundation (CNCF)
     ● Working through the process.
     ● We have a logo now:
  5. TUF Augmentation Proposals (TAPs)
     Accepted:
     ● Multi-delegation thresholds
     ● Remove native support for compressed metadata
     In Review:
     ● Multi-repo thresholds
     ● Self-service key rotation
  6. SIG Scanning
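Slide 5 names two threshold proposals without showing what a threshold check actually decides. The Python below is an added illustration, not code from Notary or the TUF reference implementation, and the role names, metadata layout and tie-breaking rule are assumptions made for this example. It models the idea the proposals share: a client names several trust sources (delegated roles here; whole repositories for the multi-repo case, which the same function handles if each repository's targets metadata is passed in place of a role) and accepts a target only when at least `threshold` of them publish identical length and hashes for it. Real TUF metadata is signed and signature-verified before any such comparison runs; that step is omitted.

```python
import hashlib
import json
from collections import Counter

# Constructed sample metadata: three delegated targets roles describe the same
# target path. "qa" and "release" agree; "rogue" publishes a different hash.
GOOD_SHA256 = hashlib.sha256(b"hello").hexdigest()
BAD_SHA256 = hashlib.sha256(b"evil!").hexdigest()
SAMPLE_ROLES = {
    "qa": {"app/image.tar": {"length": 5, "hashes": {"sha256": GOOD_SHA256}}},
    "release": {"app/image.tar": {"length": 5, "hashes": {"sha256": GOOD_SHA256}}},
    "rogue": {"app/image.tar": {"length": 5, "hashes": {"sha256": BAD_SHA256}}},
}

# A delegation in the spirit of the multi-delegation proposal: several roles
# are named and `threshold` of them must agree (this layout is an assumption).
SAMPLE_DELEGATION = {"roles": ["qa", "release", "rogue"], "threshold": 2}


def canonical(fileinfo):
    """Serialise target metadata so structurally equal entries compare equal."""
    return json.dumps(fileinfo, sort_keys=True, separators=(",", ":"))


def resolve_target(path, delegation, roles):
    """Return the metadata that at least `threshold` roles agree on, else None.

    Every role casts one vote for the exact metadata it publishes for `path`;
    roles that do not list the path abstain. Exactly one value must reach the
    threshold: if two different values both qualify (possible when threshold
    is low), this example treats the result as ambiguous and rejects it.
    """
    threshold = delegation["threshold"]
    if not 1 <= threshold <= len(delegation["roles"]):
        raise ValueError("threshold must be between 1 and the number of roles")
    votes = Counter()
    for role in delegation["roles"]:
        info = roles.get(role, {}).get(path)
        if info is not None:
            votes[canonical(info)] += 1
    winners = [info for info, n in votes.items() if n >= threshold]
    return json.loads(winners[0]) if len(winners) == 1 else None


def verify_download(path, data, delegation, roles):
    """Client-side check: downloaded bytes must match the agreed length and hashes."""
    agreed = resolve_target(path, delegation, roles)
    if agreed is None or len(data) != agreed["length"]:
        return False
    return all(
        hashlib.new(alg, data).hexdigest() == digest
        for alg, digest in agreed["hashes"].items()
    )


if __name__ == "__main__":
    print(resolve_target("app/image.tar", SAMPLE_DELEGATION, SAMPLE_ROLES))
    print(verify_download("app/image.tar", b"hello", SAMPLE_DELEGATION, SAMPLE_ROLES))
```

The value of the threshold is that compromising one source (the `rogue` role above) is not enough to change what the client installs; note that a threshold of 1 over disagreeing sources is rejected here as ambiguous rather than resolved by picking a favourite, which is a design choice of this example.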
  7. Goals
     ● Standardized report format for scanners
     ● Understand use cases for scanners
     ● Tooling so that users of scanners can easily integrate and consume scans
  8. What do we mean by “scanning”?
     ● Any inspection and analysis of container images
  9. Types of Scanning
     Code Analysis
     ● Code security issues
       ○ SQL Injection
       ○ Bad file permissions
     ● Sensitive data in code/config
     Binary Analysis
     ● Fingerprinting for CVEs
     ● Deep inspection of statically compiled binaries
  10. Use Cases
     ● Vulnerability Scanning for:
       ○ Compliance
       ○ General health
     ● License Auditing
     ● Software Inventorying
  11. Standards
     ● Broad range of existing standards.
       ○ CVE, CVSSv2/3, CWE, CPE, SPDX, ISO 19770, SWID
     ● Where possible we want to incorporate these
  12. Next steps
     ● Currently have JSON example
       ○ Needs formalization
     ● Development of tooling
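Slides 10 to 12 describe a JSON report built from existing identifiers and tooling that consumes it, but the deck shows no report. The Python below is an added example, not the SIG's draft JSON or any scanner's output: the report layout, the field names and the sample findings are assumptions made for illustration. It shows what a scanner-agnostic consumer gains from reusing the standards on slide 11 (CVE for the vulnerability, CPE 2.3 for the affected component, a CVSS v3 base score for severity, an SPDX license expression for license data): it can validate the identifiers, build a software inventory, and apply a compliance gate without knowing which scanner produced the report.

```python
import re

# Syntactic checks for the identifiers the report reuses.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# CPE 2.3 formatted string: "cpe:2.3:" + part + ten more colon-separated
# fields. Escaped colons inside values are not handled in this example.
CPE23_RE = re.compile(r"^cpe:2\.3:[aho](:[^:]+){10}$")

# Constructed sample report for one image (hypothetical layout). The third
# finding is deliberately malformed to exercise validation.
LIBEXAMPLE = "cpe:2.3:a:vendor:libexample:1.2.3:*:*:*:*:*:*:*"
OTHERTOOL = "cpe:2.3:a:vendor:othertool:4.5:*:*:*:*:*:*:*"
SAMPLE_REPORT = {
    "image": "example/app@sha256:" + "0" * 64,
    "scanner": "hypothetical-scanner/1.0",
    "findings": [
        {"id": "CVE-2016-0001", "cpe": LIBEXAMPLE, "cvss3": 9.8},
        {"id": "CVE-2016-0002", "cpe": OTHERTOOL, "cvss3": 4.3},
        {"id": "not-a-cve", "cpe": "cpe:2.3:a:vendor:broken:1:*:*:*:*:*:*:*", "cvss3": 5.0},
    ],
    "licenses": {LIBEXAMPLE: "MIT", OTHERTOOL: "GPL-3.0-only"},
}
# Same report with the malformed finding removed.
CLEAN_REPORT = dict(SAMPLE_REPORT, findings=SAMPLE_REPORT["findings"][:2])


def validate_report(report):
    """Return a list of problems; an empty list means every finding is well formed."""
    problems = []
    for i, finding in enumerate(report.get("findings", [])):
        if not CVE_RE.match(str(finding.get("id", ""))):
            problems.append(f"finding {i}: id {finding.get('id')!r} is not a CVE identifier")
        if not CPE23_RE.match(str(finding.get("cpe", ""))):
            problems.append(f"finding {i}: cpe is not a well-formed CPE 2.3 name")
        score = finding.get("cvss3")
        if isinstance(score, bool) or not isinstance(score, (int, float)) or not 0.0 <= score <= 10.0:
            problems.append(f"finding {i}: cvss3 must be a number in [0, 10]")
    return problems


def inventory(report):
    """Software inventory: every component named in the report with its license.

    Components without license data get the SPDX value NOASSERTION.
    """
    components = dict(report.get("licenses", {}))
    for finding in report.get("findings", []):
        components.setdefault(finding["cpe"], "NOASSERTION")
    return components


def policy_decision(report, max_cvss=7.0, denied_licenses=()):
    """Compliance gate. Returns (passed, reasons).

    A report that fails validation never passes: the consumer cannot tell
    what a malformed finding refers to, so it must not be silently skipped.
    """
    reasons = validate_report(report)
    if reasons:
        return False, reasons
    for finding in report["findings"]:
        if finding["cvss3"] >= max_cvss:
            reasons.append(f"{finding['id']} scores {finding['cvss3']} on {finding['cpe']}")
    for cpe, lic in inventory(report).items():
        if lic in denied_licenses:
            reasons.append(f"{cpe} is licensed {lic}")
    return not reasons, reasons


if __name__ == "__main__":
    print(validate_report(SAMPLE_REPORT))
    print(inventory(CLEAN_REPORT))
    print(policy_decision(CLEAN_REPORT, denied_licenses=("GPL-3.0-only",)))
```

The thresholds (`max_cvss`, `denied_licenses`) are the consumer's policy, not part of the report; keeping them outside the format is what lets the same report serve the compliance, general-health and license-auditing use cases on slide 10.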
  13. Thank you!
     Twitter: @endophage
     Email: endophage@docker.com