Session at ContainerDay Security 2023 on the 8th of March in Hamburg.
The ClusterImageScanner detects images in Kubernetes clusters and provides fast feedback based on security scans. Examples of such scans are image lifetime checks and detection of known vulnerabilities.
This talk will give insights into:
- The use cases of the ClusterImageScanner
- The different scans
- The architecture
- A live demo
The ClusterImageScanner is open source; get it from https://github.com/SDA-SE/cluster-image-scanner/.
2. Timo Pagel
$ /usr/bin/whoami
● DevSecOps Trainer and Consultant
● Lecturer for Security in Web Applications at different Universities
● Open Source / Open Knowledge Enthusiast
3. Timo Pagel
Risk Management / CIS Evolution
Phases: Discover -> Prioritize -> Act
Inspired by the vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
4. Timo Pagel
Risk Management / CIS Evolution
Phases: Discover -> Prioritize -> Act
Stages: Testing Env, Aggregation, Prioritization, Action, Measurement
Inspired by the vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
5. Timo Pagel
Typical ClusterImageScanner User
User/Creator of the ClusterImageScanner: companies using modern technologies, e.g. Containers, Kubernetes, Multi Cloud, Micro Services
6. Timo Pagel
Typical Problems
● Missing patch management leads to exploitable containers
● Are we using the vulnerable component/version X?
● What vulnerabilities are potentially exploitable?
● Misconfigurations
7. Timo Pagel
Handling of security misconfigurations and known vulnerabilities
Solution Overview (diagram): a Prod. (Kubernetes) Cluster runs Container W (Image A), Container X (Image A), Container Y (Image B) and Container Z (Image C). Known vulnerabilities found in the running images are reported to Developers.
8. Timo Pagel
Handling of security misconfigurations and known vulnerabilities
Solution Overview (diagram): a Prod. (Kubernetes) Cluster runs Container W (Image A), Container X (Image A), Container Y (Image B) and Container Z (Image C). Known vulnerabilities found in the running images are reported to Developers; image lifetime is reported to Operators.
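The image-lifetime report from the slide above, written out as an added example (this is not code from the ClusterImageScanner project). It assumes an image collector has already gathered, per running container, the image reference and the OCI image config "created" timestamp, and that the maximum lifetime is an operator-set policy value; all input data is constructed.

```python
"""Image-lifetime scan: flag images that run longer than a maximum age (added example)."""
import re
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 30  # hypothetical operator policy, not a ClusterImageScanner default

def parse_created(created: str) -> datetime:
    """Parse an OCI image config 'created' value (RFC 3339; a trailing 'Z' means UTC)."""
    created = created.strip()
    if created.endswith("Z"):
        created = created[:-1] + "+00:00"
    # Image tools emit nanoseconds; datetime.fromisoformat accepts at most microseconds.
    created = re.sub(r"(\.\d{6})\d+", r"\1", created)
    return datetime.fromisoformat(created)

def lifetime_findings(workloads, now, max_days=MAX_LIFETIME_DAYS):
    """One finding per distinct image (Image A in containers W and X is reported once),
    listing every container that runs it, so operators see what a rebuild affects."""
    by_image = {}
    for w in workloads:
        by_image.setdefault(w["image"], {"created": w["created"], "containers": []})
        by_image[w["image"]]["containers"].append(w["container"])
    findings = []
    for image, info in by_image.items():
        age = (now - parse_created(info["created"])).days
        if age <= max_days:
            continue
        findings.append({
            "image": image,
            "containers": sorted(info["containers"]),
            "age_days": age,
            "severity": "High" if age > 2 * max_days else "Medium",
            "title": f"Image older than {max_days} days",
        })
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)

# Constructed sample: what an image collector might report from the cluster on 2023-03-08.
SAMPLE_NOW = datetime(2023, 3, 8, tzinfo=timezone.utc)
SAMPLE_WORKLOADS = [
    {"container": "W", "image": "registry.example/image-a:1.0", "created": "2023-01-01T08:00:00.123456789Z"},
    {"container": "X", "image": "registry.example/image-a:1.0", "created": "2023-01-01T08:00:00.123456789Z"},
    {"container": "Y", "image": "registry.example/image-b:2.3", "created": "2023-01-31T12:00:00Z"},
    {"container": "Z", "image": "registry.example/image-c:0.9", "created": "2023-03-01T00:00:00Z"},
]

if __name__ == "__main__":
    for f in lifetime_findings(SAMPLE_WORKLOADS, SAMPLE_NOW):
        print(f["severity"], f["image"], f["age_days"], "days, containers:", ",".join(f["containers"]))
```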
10. SDA SE ClusterScanner Overview (diagram)
Kubernetes Cluster 1 ... Kubernetes Cluster n: an Image Collector in each cluster gathers the running containers and their images (e.g. Container A, Image B; Container X, Image Y).
Orchestrator: receives the collected images and dispatches the scans, e.g. Scan A and Scan B (Image Lifetime); further node: Image Registry.
Results go to DefectDojo and to EMail/Messenger, reaching Dev/Ops.
16. Timo Pagel
Build and Deployment Process (diagram): Developer -> Version Control -> Build and Deployment -> Production near System -> Production System; further node: Internal Repository.
Issue detected: by then the developer is working on something else. Maybe the developer patched a vulnerability, but another one is raised.
This is a good process for newly introduced vulnerabilities, e.g. SQLi.
17. Timo Pagel
Risk Management / CIS Evolution (diagram)
Phases: Discover -> Prioritize -> Act; stages: Testing Env, Aggregation, Prioritization, Action, Measurement
Row 1: Testing Env = Master (ahead of production); Prioritization = Vulnerability Severity; Action = Mitigation Controls; Measurement = Enhancement of threshold
Row 2: Testing Env = Master (ahead of production); Prioritization = Vulnerability Severity; Action = Mitigation Controls, Acceptance, Marking as false positive; Measurement = Mean Time to Resolution
(column assignment reconstructed from the slide labels)
Inspired by the vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
18. Timo Pagel
Inform about known vulnerabilities
The developer does not change anything -> asynchronous information about known vulnerabilities in third-party libraries
19. Timo Pagel
DevSecOps Test Journey (timeline 2017-2021)
- Dependency Check with Jenkins-Plugin
- Dependency Check on Production Images (kustomize + grep)
- Dependency Check (master) with DefectDojo
22. Timo Pagel
Build and Deployment Process (diagram): Developer -> Version Control -> Build and Deployment -> Production near System -> Production System; further node: Internal Repository.
Technical issue: Approval by the Product Owner.
25. Timo Pagel
Risk Management / CIS Evolution (diagram)
Phases: Discover -> Prioritize -> Act; stages: Testing Env, Aggregation, Prioritization, Action, Measurement
Row 1: Testing Env = Master (ahead of production); Prioritization = Vulnerability Severity; Action = Mitigation Controls; Measurement = Enhancement of threshold
Row 2: Testing Env = Master (ahead of production); Prioritization = Vulnerability Severity; Action = Mitigation Controls, Acceptance, Marking as false positive; Measurement = Mean Time to Resolution
Row 3: Testing Env = Production (Real-time); Prioritization = Vulnerability Severity, Contextual Information; Action = Mitigation Controls, Acceptance, Marking as false positive; Measurement = Mean Time to Resolution; additional test: (Base)-Image Lifetime
(column assignment reconstructed from the slide labels)
Inspired by the vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
41. Timo Pagel
DevSecOps Test Journey (timeline 2017-2022)
- Dependency Check with Jenkins-Plugin
- Dependency Check
- Dependency Check on Production Images (kustomize + grep)
- Dependency Check (master) with DefectDojo
- Image Lifetime
- Base Image Lifetime
- Distroless
- Root
- New Version
- Malware
- Dependency Track (2022)
43. Timo Pagel
Software Inventory
Answers: which components/versions are we using (in our components/images)?
Performs vulnerability scans
44. Timo Pagel
Gathering SBOM
● Build time with a package manager analyser / plugin (cdxgen)
● Post-build: Image analysis (syft)
45. Implementation: Simple (diagram; lane assignment reconstructed from the slide labels)
Build (optional): Create SBOM; put /bom.json into the image.
ClusterImageScanner: Generate the full bom.syft.json with syft (contains /bom.json and additional found components); upload bom.syft.json to Dependency Track; upload vuln. to DefectDojo.
46. Timo Pagel
SBOM in Build
Exclusion of folders (e.g. with dependency-jars), file in image /clusterImageScanner.yaml:
cluster-image-scanner:
  sbom-analysis:
    when-sbom-exists-exclude-from-scan:
      - /app
      - /usr/app
      - /usr/src/app
      - /var/www/html
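The SBOM flow of the two slides above ("Implementation: Simple" and "SBOM in Build"), as an added example that is not code from the ClusterImageScanner project. It assumes the build-time SBOM at /bom.json and syft's output are both CycloneDX JSON, that the exclusion list has already been read from /clusterImageScanner.yaml with a YAML library (shown here as a dict), and that syft's real `--exclude` and `-o cyclonedx-json` options are used; the SBOM contents are constructed.

```python
"""SBOM handling for the scanner pipeline: exclusions plus build/syft merge (added example)."""
import json

# Parsed content of /clusterImageScanner.yaml; a real scanner would load it with a YAML library.
CIS_CONFIG = {"cluster-image-scanner": {"sbom-analysis": {
    "when-sbom-exists-exclude-from-scan": ["/app", "/usr/app", "/usr/src/app", "/var/www/html"]}}}

def syft_exclusions(config, image_has_bom):
    """Folders to skip in the syft scan, but only when the image ships its own /bom.json:
    the build-time SBOM already covers them, and rescanning dependency jars would double-report."""
    if not image_has_bom:
        return []
    return list(config["cluster-image-scanner"]["sbom-analysis"]["when-sbom-exists-exclude-from-scan"])

def syft_command(image_ref, exclusions):
    """Command line for the post-build image analysis (syft's --exclude takes glob patterns)."""
    cmd = ["syft", image_ref, "-o", "cyclonedx-json"]
    for folder in exclusions:
        cmd += ["--exclude", f"{folder}/**"]
    return cmd

def merge_sboms(build_bom, syft_bom):
    """Full SBOM = build-time components + everything syft found elsewhere in the image.
    Components are de-duplicated by purl (falling back to name@version); build-time data wins."""
    merged = {}
    for bom in (build_bom, syft_bom):
        for comp in bom.get("components", []):
            key = comp.get("purl") or f'{comp["name"]}@{comp.get("version", "")}'
            merged.setdefault(key, comp)
    return {"bomFormat": "CycloneDX", "specVersion": build_bom.get("specVersion", "1.4"),
            "components": sorted(merged.values(), key=lambda c: c["name"])}

# Constructed sample SBOMs: one from the build (cdxgen), one from syft over the whole image.
BUILD_BOM = json.loads('''{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "log4j-core", "version": "2.17.0",
   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.0"}]}''')
SYFT_BOM = json.loads('''{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "log4j-core", "version": "2.17.0",
   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.0"},
  {"type": "library", "name": "openssl", "version": "1.1.1n",
   "purl": "pkg:deb/debian/openssl@1.1.1n"}]}''')

if __name__ == "__main__":
    print(" ".join(syft_command("registry.example/app:1.0", syft_exclusions(CIS_CONFIG, True))))
    print(json.dumps(merge_sboms(BUILD_BOM, SYFT_BOM), indent=2))
```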
49. Timo Pagel
Routing: Contact Information
contact.sdase.org/email='k.panier@sda.se'
contact.sdase.org/slack='#fellowship-security'
50. Timo Pagel
Conclusion
- A patch policy is defined (indirect)
- Automated PRs for patches (indirect)
- Nightly build of images (indirect)
- Usage of a maximum lifetime for images (indirect)
51. Timo Pagel
Conclusion (continued)
- Test of server side components with known vulnerabilities
- Test of virtualized environments (e.g. root, distroless)
- Test for Malware
- Test for new image version