Container Security Scanning
Timo Pagel
DevSecOps Trainer/Architect/Strategist

$ /usr/bin/whoami
● DevSecOps Trainer and Consultant
● Lecturer for Security in Web Applications at different universities
● Open Source / Open Knowledge Enthusiast
Risk Management / CIS Evolution
Phases: Discover | Prioritize | Act
Dimensions: Testing Env | Aggregation | Prioritization | Action | Measurement
Inspired by The vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
Typical ClusterImageScanner User
Companies using modern technologies, e.g. Containers, Kubernetes, Multi Cloud, Micro Services
User/Creator of the ClusterImageScanner:
Typical Problems
● Missing patch management leads to exploitable containers
● Are we using the vulnerable component/version X?
● What vulnerabilities are potentially exploitable?
● Misconfigurations
Handling of security misconfigurations and known vulnerabilities
Solution Overview
Prod. (Kubernetes) Cluster: Container W (Image A), Container X (Image A), Container Y (Image B), Container Z (Image C)
Report Known Vulnerabilities -> Developers
Report Lifetime -> Operators
Solution Overview: SDA SE ClusterScanner
Kubernetes Cluster 1 ... Kubernetes Cluster n: an Image Collector in each cluster collects the running containers and their images (e.g. Container A / Image B, Container X / Image Y)
Orchestrator: pulls the collected images from the Image Registry and runs the scans (Scan A, Scan B, e.g. Image Lifetime)
Results: DefectDojo, and EMail/Messenger to Dev/Ops
DevSecOps Test Journey, timeline 2017 to 2021
● Dependency Check with Jenkins-Plugin
Risk Management / CIS Evolution
Phases: Discover | Prioritize | Act
Dimensions: Testing Env | Aggregation | Prioritization | Action | Measurement
Stage 1: Testing Env: Master (ahead of production) | Vulnerability Severity | Mitigation Controls | Enhancement of threshold | Mitigation Controls
Inspired by The vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
DevSecOps Test Journey, timeline 2017 to 2021
● Dependency Check with Jenkins-Plugin
● Dependency Check (master) with DefectDojo
Build and Deployment Process
Developer -> Version Control -> Build and Deployment -> Internal Repository -> Production near System -> Production System
Build and Deployment Process
Developer -> Version Control -> Build and Deployment -> Internal Repository -> Production near System -> Production System
Issue detected
Build and Deployment Process
Developer -> Version Control -> Build and Deployment -> Internal Repository -> Production near System -> Production System
Issue detected
● The developer is already working on something else
● Maybe the developer patched one vulnerability, but another one is raised
● This is a good process for newly introduced vulnerabilities, e.g. SQLi
Risk Management / CIS Evolution
Phases: Discover | Prioritize | Act
Dimensions: Testing Env | Aggregation | Prioritization | Action | Measurement
Stage 1: Testing Env: Master (ahead of production) | Vulnerability Severity | Mitigation Controls | Enhancement of threshold | Mitigation Controls
Stage 2: Testing Env: Master (ahead of production) | Vulnerability Severity | Mitigation Controls, Acceptance, Marking as false positive | Mean Time to Resolution
Inspired by The vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
Inform about known vulnerabilities
The developer does not change anything
-> Asynchronous information about known vulnerabilities in third party libraries
DevSecOps Test Journey, timeline 2017 to 2021
● Dependency Check with Jenkins-Plugin
● Dependency Check (master) with DefectDojo
● Dependency Check on Production Images (kustomize + grep)
Master != Production
● Process (e.g. approval)
● Technical issues
Build and Deployment Process
Developer -> Version Control -> Build and Deployment -> Internal Repository -> Production near System -> Production System
Technical issue
Build and Deployment Process
Developer -> Version Control -> Build and Deployment -> Internal Repository -> Production near System -> Production System
Technical issue
Approval (Product Owner)
DevSecOps Test Journey, timeline 2017 to 2021
● Dependency Check with Jenkins-Plugin
● Dependency Check (master) with DefectDojo
● Dependency Check on Production Images (kustomize + grep)
● Dependency Check
Risk Management / CIS Evolution
Phases: Discover | Prioritize | Act
Dimensions: Testing Env | Aggregation | Prioritization | Action | Measurement
Stage 1: Testing Env: Master (ahead of production) | Vulnerability Severity | Mitigation Controls | Enhancement of threshold | Mitigation Controls
Stage 2: Testing Env: Master (ahead of production) | Vulnerability Severity | Mitigation Controls, Acceptance, Marking as false positive | Mean Time to Resolution
Stage 3: Testing Env: (Base)-Image Lifetime, Real-time Production Testing | Vulnerability Severity + Contextual Information | Mitigation Controls, Acceptance, Marking as false positive | Mean Time to Resolution
Inspired by The vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
Cluster Components/Layers
Application
Container Operating System
(Host Operating System)
Patching: a solved issue resurfaces
Timeline t: Build -> Start Container -> Run Container; meanwhile: Vulnerability Discovered -> Patch Published
A container built before the patch was published keeps running the unpatched build until the image is rebuilt and the container restarted.
DevSecOps Test Journey, timeline 2017 to 2021
● Dependency Check with Jenkins-Plugin
● Dependency Check (master) with DefectDojo
● Dependency Check on Production Images (kustomize + grep)
● Dependency Check
● Image Lifetime
Images
Layer stack (bottom to top): BaseImage-Layer1, BaseImage-Layer2, BaseImage-Layer3, Project Layer
Image Build Date
BaseImage-Layer1  Build: 2020-11-01
BaseImage-Layer2  Build: 2021-01-01
BaseImage-Layer3  Build: 2021-03-01
Project Layer     Build: 2021-07-01
ImageLifetime Scan
Image Lifetime: measured from the build of the Project Layer (2021-07-01)
DevSecOps Test Journey, timeline 2017 to 2021
● Dependency Check with Jenkins-Plugin
● Dependency Check (master) with DefectDojo
● Dependency Check on Production Images (kustomize + grep)
● Dependency Check
● Image Lifetime
● Distroless
● Root
● Base Image Lifetime
BaseImageLifetime Scan
Official Distribution Image  Build: 2020-02-01
BaseImage-Layer1             Build: 2020-11-01 (yum update)
BaseImage-Layer2             Build: 2021-01-01
BaseImage-Layer3             Build: 2021-03-01
Project Layer                Build: 2021-07-01
Image Lifetime: measured from the build of the Project Layer (2021-07-01)
BaseImage Lifetime: measured from the base image layers below the Project Layer; here the official distribution image dates from 2020-02-01 and the OS packages were last updated by yum update in BaseImage-Layer1 on 2020-11-01
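The two lifetimes above, computed from the layer build dates, as an added Python example (this is not ClusterImageScanner's code). The layer dates are the constructed sample from the slides; the `updates_packages` flag, the 30-day and 90-day thresholds and the finding tuples are assumptions. The example also covers the earlier "patching: a solved issue resurfaces" timeline: if the OS packages were last refreshed before a patch was published, the image cannot contain that patch, whatever a scanner reports.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Layer:
    """One image layer and the date it was built.

    updates_packages marks a layer that refreshed the OS packages
    (the slide's "yum update" in BaseImage-Layer1).
    """
    name: str
    built: date
    updates_packages: bool = False


# Constructed from the build dates on the slides, ordered bottom (oldest)
# to top (newest). The distribution image is the vendor's build, not a
# layer the project controls.
SAMPLE_LAYERS = [
    Layer("Official Distribution Image", date(2020, 2, 1)),
    Layer("BaseImage-Layer1", date(2020, 11, 1), updates_packages=True),
    Layer("BaseImage-Layer2", date(2021, 1, 1)),
    Layer("BaseImage-Layer3", date(2021, 3, 1)),
    Layer("Project Layer", date(2021, 7, 1)),
]
# Same stack without any package refresh: the distribution date then counts.
LAYERS_WITHOUT_UPDATE = [Layer(l.name, l.built) for l in SAMPLE_LAYERS]

# Constructed reference dates for the checks below.
SAMPLE_TODAY = date(2021, 8, 1)
PATCH_AFTER_REFRESH = date(2021, 5, 1)    # published after the last yum update
PATCH_BEFORE_REFRESH = date(2020, 10, 1)  # published before it


def _check_order(layers):
    """A layer can never be older than the layer below it; reject such input."""
    if not layers:
        raise ValueError("image has no layers")
    for lower, upper in zip(layers, layers[1:]):
        if upper.built < lower.built:
            raise ValueError(f"{upper.name} is older than {lower.name}")


def image_lifetime_days(layers, today):
    """Image Lifetime: days since the top (project) layer was built."""
    _check_order(layers)
    return (today - layers[-1].built).days


def package_refresh_date(layers):
    """Date the OS packages were last refreshed: the newest base layer that
    ran a package update, otherwise the distribution image itself."""
    base_layers = layers[:-1] or layers  # single-layer image: it is its own base
    refreshed = [l.built for l in base_layers if l.updates_packages]
    return max(refreshed) if refreshed else base_layers[0].built


def base_image_lifetime_days(layers, today):
    """BaseImage Lifetime: days since the OS packages were last refreshed."""
    _check_order(layers)
    return (today - package_refresh_date(layers)).days


def cannot_contain_patch(layers, patch_published):
    """True when the packages were last refreshed before the patch existed:
    the image must be rebuilt, no scanner result is needed to know that."""
    return package_refresh_date(layers) < patch_published


def lifetime_findings(layers, today, max_image_days=30, max_base_days=90):
    """Findings as (kind, age in days, limit); thresholds are assumed values."""
    findings = []
    image_age = image_lifetime_days(layers, today)
    if image_age > max_image_days:
        findings.append(("image-lifetime", image_age, max_image_days))
    base_age = base_image_lifetime_days(layers, today)
    if base_age > max_base_days:
        findings.append(("base-image-lifetime", base_age, max_base_days))
    return findings


if __name__ == "__main__":
    for kind, age, limit in lifetime_findings(SAMPLE_LAYERS, SAMPLE_TODAY):
        print(f"{kind}: {age} days old, limit {limit} days")
```

Both lifetimes are reported separately on purpose: a freshly rebuilt project layer resets the image lifetime but does nothing for stale base layers, which is exactly the case the BaseImageLifetime scan exists for.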
DevSecOps Test Journey, timeline 2017 to 2021
● Dependency Check with Jenkins-Plugin
● Dependency Check (master) with DefectDojo
● Dependency Check on Production Images (kustomize + grep)
● Dependency Check
● Image Lifetime
● Distroless
● Root
● Base Image Lifetime
● New Version
DevSecOps Test Journey, timeline 2017 to 2021
● Dependency Check with Jenkins-Plugin
● Dependency Check (master) with DefectDojo
● Dependency Check on Production Images (kustomize + grep)
● Dependency Check
● Image Lifetime
● Distroless
● Root
● Base Image Lifetime
● New Version
● Malware
DevSecOps Test Journey, timeline 2017 to 2022
● Dependency Check with Jenkins-Plugin
● Dependency Check (master) with DefectDojo
● Dependency Check on Production Images (kustomize + grep)
● Dependency Check
● Image Lifetime
● Distroless
● Root
● Base Image Lifetime
● New Version
● Malware
● Dependency Track (2022)
Software Inventory
Answers: which components/versions are we using (in our components/images)?
Performs vulnerability scans
Gathering SBOM
● Build time with a package manager analyser / plugin (cdxgen)
● Post-build: Image analysis (syft)
Implementation: Simple
1. Optional, at build time: create the SBOM and put /bom.json into the image
2. ClusterImageScanner: generate the full bom.syft.json with syft; it contains /bom.json and the additionally found components
3. Upload bom.syft.json to Dependency Track
4. Upload vulnerabilities to DefectDojo
SBOM in Build
Exclusion of folders (e.g. with dependency jars), file in image /clusterImageScanner.yaml:
cluster-image-scanner:
  sbom-analysis:
    when-sbom-exists-exclude-from-scan:
      - /app
      - /usr/app
      - /usr/src/app
      - /var/www/html
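How the build-time /bom.json, the syft image scan and the when-sbom-exists-exclude-from-scan list combine, as an added Python example (not ClusterImageScanner's code). The config is shown as the dict a YAML loader would produce from the file above; the SBOMs use a simplified CycloneDX layout with constructed contents; the `syft:location:<n>:path` property names are an assumption to verify against the syft version in use. The `shadowed` result is added to make the exclusion's blind spot visible: anything under an excluded folder that the build-time SBOM did not list disappears from the merged inventory.

```python
from pathlib import PurePosixPath

# /clusterImageScanner.yaml from the slide, as loaded by a YAML parser
# (parsing not shown; the dict shape is an assumption).
SCANNER_CONFIG = {
    "cluster-image-scanner": {
        "sbom-analysis": {
            "when-sbom-exists-exclude-from-scan": [
                "/app", "/usr/app", "/usr/src/app", "/var/www/html",
            ]
        }
    }
}

# Constructed build-time SBOM (/bom.json, e.g. from cdxgen); only purls matter here.
BUILD_SBOM = {
    "components": [
        {"purl": "pkg:maven/com.example/app@1.0.0"},
        {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ]
}

# Constructed syft image SBOM. syft's CycloneDX output records where a package
# was found in properties named syft:location:<n>:path (assumption).
SYFT_SBOM = {
    "components": [
        {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "properties": [{"name": "syft:location:0:path", "value": "/app/libs/log4j-core-2.17.1.jar"}]},
        {"purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0",
         "properties": [{"name": "syft:location:0:path", "value": "/app/libs/jackson-databind-2.13.0.jar"}]},
        {"purl": "pkg:deb/debian/openssl@1.1.1n-0+deb11u3",
         "properties": [{"name": "syft:location:0:path", "value": "/var/lib/dpkg/status"}]},
        {"purl": "pkg:maven/com.example/agent@3.2.0",
         "properties": [{"name": "syft:location:0:path", "value": "/application/agent.jar"}]},
    ]
}


def excluded_dirs(config):
    """The folders the scan ignores once a build-time SBOM exists."""
    section = config["cluster-image-scanner"]["sbom-analysis"]
    return [PurePosixPath(p) for p in section["when-sbom-exists-exclude-from-scan"]]


def locations(component):
    """All paths syft recorded for one component."""
    return [PurePosixPath(p["value"]) for p in component.get("properties", [])
            if p["name"].startswith("syft:location:") and p["name"].endswith(":path")]


def is_under(path, directory):
    """Directory-aware prefix test: /application/agent.jar is not under /app."""
    path, directory = PurePosixPath(path), PurePosixPath(directory)
    return path == directory or directory in path.parents


def merge_sboms(build_sbom, syft_sbom, config):
    """Return (merged purls, shadowed purls).

    With a build-time SBOM present, syft components found only inside the
    excluded folders are dropped: the build-time SBOM is the authoritative
    source for the application's own dependencies (e.g. jars copied to /app).
    Without a build-time SBOM nothing is excluded. shadowed lists the dropped
    components the build-time SBOM did not know about.
    """
    syft_components = syft_sbom["components"]
    if build_sbom is None:
        return sorted({c["purl"] for c in syft_components}), []
    build_purls = {c["purl"] for c in build_sbom["components"]}
    dirs = excluded_dirs(config)
    merged, shadowed = set(build_purls), []
    for comp in syft_components:
        locs = locations(comp)
        only_in_excluded = bool(locs) and all(
            any(is_under(loc, d) for d in dirs) for loc in locs)
        if only_in_excluded:
            if comp["purl"] not in build_purls:
                shadowed.append(comp["purl"])
            continue
        merged.add(comp["purl"])
    return sorted(merged), sorted(shadowed)


if __name__ == "__main__":
    merged, shadowed = merge_sboms(BUILD_SBOM, SYFT_SBOM, SCANNER_CONFIG)
    print("inventory:", *merged, sep="\n  ")
    print("hidden by exclusion:", *shadowed, sep="\n  ")
```

The OS package (openssl) and the jar outside the excluded folders survive regardless, so the exclusion only removes duplicates of what the build already declared; reporting `shadowed` is the check that the build-time SBOM really is complete for those folders.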
Risk Management / CIS Evolution
Phases: Discover | Prioritize | Act
Dimensions: Testing Env | Aggregation | Prioritization | Action | Measurement
Stage 1: Testing Env: Master (ahead of production) | Vulnerability Severity | Mitigation Controls | Enhancement of threshold | Mitigation Controls
Stage 2: Testing Env: Master (ahead of production) | Vulnerability Severity | Mitigation Controls, Acceptance, Marking as false positive | Mean Time to Resolution
Stage 3: Testing Env: (Base)-Image Lifetime, Real-time Production Testing | Vulnerability Severity + Contextual Information | Mitigation Controls, Acceptance, Marking as false positive | Mean Time to Resolution
Inspired by The vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
Slack Notification
Team communications channel: #communications-security
Routing: Contact Information, e.g.
contact.sdase.org/email='k.panier@sda.se'
contact.sdase.org/slack='#fellowship-security'
Conclusion
● A patch policy is defined (indirect)
● Automated PRs for patches (indirect)
● Nightly build of images (indirect)
● Usage of a maximum lifetime for images (indirect)
● Test of server side components with known vulnerabilities
● Test of virtualized environments (e.g. root, distroless)
● Test for Malware
● Test for new image version
Cluster Scanner + DefectDojo
Conclusion
The process is important
Vulnerability Management via OWASP DefectDojo
Thank you
Questions?
Contact clusterscanner@pagel.pro
Repo: https://github.com/SDA-SE/cluster-image-scanner/
Article: https://medium.com/sda-se/discovery-of-known-vulnerabilities-and-inventories-for-modern-applications-fb8542555c05

Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 

Container Security Scanning by Timo Pagel

  • 2. Timo Pagel: $ /usr/bin/whoami
    ● DevSecOps Trainer and Consultant
    ● Lecturer for Security in Web Applications at different Universities
    ● Open Source / Open Knowledge Enthusiast
  • 3. Risk Management / CIS Evolution: Discover, Prioritize, Act. Inspired by The vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
  • 4. Risk Management / CIS Evolution: Discover, Prioritize, Act, broken down into the stages Testing Env, Aggregation, Prioritization, Action and Measurement. Inspired by The vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
  • 5. Typical ClusterImageScanner User: companies using modern technologies, e.g. Containers, Kubernetes, Multi Cloud, Micro Services (users and creator of the ClusterImageScanner).
  • 6. Typical Problems
    ● Missing patch management leads to exploitable containers
    ● Are we using the vulnerable component/version X?
    ● What vulnerabilities are potentially exploitable?
    ● Misconfigurations
  • 7. Solution Overview: handling of security misconfigurations and known vulnerabilities. A Prod. (Kubernetes) Cluster runs Container W (Image A), Container X (Image A), Container Y (Image B) and Container Z (Image C); known vulnerabilities are reported to Developers.
  • 8. Solution Overview: the same cluster as on slide 7; known vulnerabilities are reported to Developers, the Lifetime report goes to Operators.
  • 9. Solution Overview: Kubernetes Cluster, Image Registry, DefectDojo, EMail/Messenger, Dev/Ops.
  • 10. SDA SE ClusterScanner Overview: an Image Collector runs in Kubernetes Cluster 1 (Container A, Image B), Kubernetes Cluster 2 (Container X, Image Y) up to Kubernetes Cluster n; an Orchestrator runs Scan A and Scan B (e.g. Image Lifetime) against the images from the Image Registry and delivers the results to DefectDojo, EMail/Messenger and Dev/Ops.
  • 11. DevSecOps Test Journey (timeline 2017 to 2021): Dependency Check with Jenkins-Plugin.
  • 12. Risk Management / CIS Evolution (Discover, Prioritize, Act; stages Testing Env, Aggregation, Prioritization, Action, Measurement): Vulnerability Severity; Mitigation Controls; Enhancement of threshold; Mitigation Controls; Master (ahead of production). Inspired by The vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
  • 13. DevSecOps Test Journey: Dependency Check with Jenkins-Plugin; Dependency Check (master) with DefectDojo.
  • 14. Build and Deployment Process: Developer -> Version Control -> Build and Deployment -> Production near System -> Production System, fed from an Internal Repository.
  • 15. Build and Deployment Process: an issue is detected.
  • 16. Build and Deployment Process: an issue is detected, but the developer is already working on something else. Maybe the developer patched a vulnerability but another one is raised. This is a good process for introduced vulnerabilities, e.g. SQLi.
  • 17. Risk Management / CIS Evolution: as on slide 12, plus Vulnerability Severity; Mitigation Controls, Acceptance, Marking as false positive; Mean Time to Resolution; Master (ahead of production). Inspired by The vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
  • 18. Inform about known vulnerabilities: the developer does not change anything, so information about known vulnerabilities in third-party libraries has to be delivered asynchronously.
  • 19. DevSecOps Test Journey: Dependency Check with Jenkins-Plugin; Dependency Check (master) with DefectDojo; Dependency Check on Production Images (kustomize + grep).
  • 20. Master != Production
    ● Process (e.g. approval)
    ● Technical issues
  • 21. Build and Deployment Process: technical issue.
  • 22. Build and Deployment Process: technical issue; approval by the Product Owner.
  • 23. Build and Deployment Process: technical issue; approval by the Product Owner.
  • 24. DevSecOps Test Journey: Dependency Check with Jenkins-Plugin; Dependency Check (master) with DefectDojo; Dependency Check on Production Images (kustomize + grep); Dependency Check.
  • 25. Risk Management / CIS Evolution: as on slide 17, plus Vulnerability Severity; Contextual Information; Mitigation Controls, Acceptance, Marking as false positive; Mean Time to Resolution; (Base)-Image Lifetime; Real-time Production Testing. Inspired by The vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
  • 26. Cluster Components/Layers: Application, Container, Operating System, (Host Operating System).
  • 27. Patching, a solved issue raises t. Timeline: Build, Vulnerability Discovered, Patch Published, Start Container Build, Run Container.
  • 28. DevSecOps Test Journey: Dependency Check with Jenkins-Plugin; Dependency Check (master) with DefectDojo; Dependency Check on Production Images (kustomize + grep); Dependency Check; Image Lifetime.
  • 30. Image Build Date: layers BaseImage-Layer1, BaseImage-Layer2, BaseImage-Layer3 and Project Layer; build dates 2021-07-01, 2021-03-01, 2021-01-01, 2020-11-01.
  • 31. ImageLifetime Scan: the same layers and build dates as on slide 30; the Image Lifetime is derived from them.
  • 32. DevSecOps Test Journey: as on slide 28, plus Distroless.
  • 33. DevSecOps Test Journey: as on slide 32, plus Root.
  • 34. DevSecOps Test Journey: as on slide 33, plus Base Image Lifetime.
  • 35. ImageLifetime Scan: layers and build dates as on slide 30; Image Lifetime and BaseImage Lifetime.
  • 36. BaseImageLifetime Scan: layers and build dates as on slide 30, plus the Official Distribution Image, Build: 2020-02-01; Image Lifetime and BaseImage Lifetime.
  • 37. BaseImageLifetime Scan: as on slide 36, with yum update run in BaseImage-Layer1.
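The two lifetime scans from slides 30 to 37 worked through in code; this is an added example, not code from ClusterImageScanner. It assumes the layer list is ordered oldest first with the official distribution image as the first entry, and that a package update (the yum update on slide 37) refreshes the base image's packages from that layer's build date on; all dates are constructed samples.

```python
"""Image lifetime and base-image lifetime computed from layer build dates.

Added example, not code from ClusterImageScanner. Assumptions: layers are
ordered oldest first (as in the image config history), the first entry is
the official distribution image, and a package update command in a base
layer (yum update on slide 37) refreshes the distribution packages from
that layer's build date on. All dates below are constructed samples.
"""
import re
from dataclasses import dataclass
from datetime import date

# Package-manager commands that refresh distribution packages (assumption;
# "apk update" only refreshes the index, the match is deliberately loose).
PKG_UPDATE = re.compile(r"\b(yum|dnf|apt-get|apt|apk|zypper)\b.*\b(update|upgrade)\b")

# Constructed scan date used by the sample run and the checks below.
TODAY = date(2021, 8, 1)

@dataclass
class Layer:
    name: str
    built: date
    created_by: str = ""   # the Dockerfile instruction that produced the layer
    base: bool = True      # False for the project layer(s) on top

def image_lifetime(layers, today):
    """Days since the newest layer was built, i.e. the age of the image."""
    return (today - max(layer.built for layer in layers)).days

def base_image_lifetime(layers, today):
    """Days since the distribution packages were last refreshed: start at the
    oldest base layer, move forward to the newest base layer that ran a
    package update."""
    base = [layer for layer in layers if layer.base]
    if not base:
        raise ValueError("image has no base layers")
    effective = min(layer.built for layer in base)
    for layer in base:
        if PKG_UPDATE.search(layer.created_by) and layer.built > effective:
            effective = layer.built
    return (today - effective).days

def lifetime_findings(layers, today, max_image_days=90, max_base_days=180):
    """Findings for operators: one entry per lifetime scan with its verdict."""
    checks = {"Image Lifetime": (image_lifetime(layers, today), max_image_days),
              "BaseImage Lifetime": (base_image_lifetime(layers, today), max_base_days)}
    return [{"scan": name, "days": days, "max": limit, "ok": days <= limit}
            for name, (days, limit) in checks.items()]

# Constructed sample: build dates as on slides 30 to 37.
SAMPLE_LAYERS = [
    Layer("Official Distribution Image", date(2020, 2, 1), "ADD rootfs.tar.gz /"),
    Layer("BaseImage-Layer1", date(2020, 11, 1), "RUN yum update -y"),
    Layer("BaseImage-Layer2", date(2021, 1, 1), "RUN yum install -y curl"),
    Layer("BaseImage-Layer3", date(2021, 3, 1), "COPY entrypoint.sh /"),
    Layer("Project Layer", date(2021, 7, 1), "COPY app.jar /app/", base=False),
]

if __name__ == "__main__":
    for finding in lifetime_findings(SAMPLE_LAYERS, TODAY):
        print(finding)
```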
  • 38. DevSecOps Test Journey: as on slide 34, plus New Version.
  • 39. Risk Management / CIS Evolution: as on slide 25.
  • 40. DevSecOps Test Journey: as on slide 38, plus Malware.
  • 41. DevSecOps Test Journey: as on slide 40, plus Dependency Track (2022).
  • 42. Risk Management / CIS Evolution: as on slide 25.
  • 43. Software Inventory: answers which components/versions we are using (in our components/images) and performs vulnerability scans.
  • 44. Gathering SBOM
    ● Build time with a package manager analyser / plugin (cdxgen)
    ● Post-build: image analysis (syft)
  • 45. Implementation: Simple. Build (optional): create the SBOM and put /bom.json into the image. ClusterImageScanner: generate the full bom.syft.json with syft (contains /bom.json and additional found components), upload bom.syft.json to Dependency Track, upload the vulnerabilities to DefectDojo.
  • 46. SBOM in Build: exclusion of folders (e.g. with dependency-jars). File in image /clusterImageScanner.yaml:
      cluster-image-scanner:
        sbom-analysis:
          when-sbom-exists-exclude-from-scan:
            - /app
            - /usr/app
            - /usr/src/app
            - /var/www/html
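The merge step from slides 45 and 46, i.e. combining the build-time /bom.json with syft's image scan while skipping the excluded directories, as an added example that is not ClusterImageScanner's own code. It assumes CycloneDX JSON on both sides, components keyed by purl, and that syft records a component's file path in a property named "syft:location:0:path" (property name assumed); both SBOMs are constructed samples.

```python
"""Merge a build-time SBOM (/bom.json, e.g. from cdxgen) with syft's image SBOM.

Added example, not code from ClusterImageScanner. Assumptions: both SBOMs are
CycloneDX JSON, components are keyed by purl, and syft stores a component's
file location in a property named "syft:location:0:path" (name assumed). The
excluded directories are the ones from /clusterImageScanner.yaml on slide 46;
the two SBOMs below are constructed samples.
"""
import base64
import json

WHEN_SBOM_EXISTS_EXCLUDE = ["/app", "/usr/app", "/usr/src/app", "/var/www/html"]

def _location(component):
    """File path syft recorded for the component (empty string if none)."""
    for prop in component.get("properties", []):
        if prop.get("name") == "syft:location:0:path":
            return prop.get("value", "")
    return ""

def _excluded(path, excludes):
    """True when path lies inside one of the excluded directories."""
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in excludes)

def merge_sboms(build_bom, syft_bom, excludes=WHEN_SBOM_EXISTS_EXCLUDE):
    """Build-time components win; syft components inside the excluded
    directories are dropped only when a build-time SBOM exists, so the
    application's dependency jars are not counted twice."""
    merged = {}
    for comp in (build_bom or {}).get("components", []):
        merged[comp["purl"]] = comp
    for comp in syft_bom.get("components", []):
        if build_bom and _excluded(_location(comp), excludes):
            continue
        merged.setdefault(comp["purl"], comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": list(merged.values())}

def dependency_track_payload(bom, project_name, project_version):
    """JSON body for Dependency-Track's PUT /api/v1/bom (base64-encoded BOM);
    the HTTP call itself is left out so the example runs offline."""
    encoded = base64.b64encode(json.dumps(bom).encode()).decode()
    return {"projectName": project_name, "projectVersion": project_version,
            "autoCreate": True, "bom": encoded}

def _comp(purl, path=None):
    """Minimal CycloneDX component, optionally with a syft location property."""
    comp = {"type": "library", "purl": purl}
    if path:
        comp["properties"] = [{"name": "syft:location:0:path", "value": path}]
    return comp

BUILD_BOM = {"components": [
    _comp("pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"),
    _comp("pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.3")]}
SYFT_BOM = {"components": [
    _comp("pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1", "/app/libs/log4j-core-2.17.1.jar"),
    _comp("pkg:maven/org.apache.commons/commons-text@1.9", "/app/libs/commons-text-1.9.jar"),
    _comp("pkg:rpm/centos/openssl-libs@1.1.1k", "/var/lib/rpm/Packages"),
    _comp("pkg:maven/com.example/tool@1.0", "/opt/tools/tool-1.0.jar")]}

def purls(bom):
    """Sorted purls of a BOM, handy for comparing merge results."""
    return sorted(c["purl"] for c in bom["components"])
```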
  • 47. Risk Management / CIS Evolution: as on slide 25.
  • 48. Slack Notification: team communications channel #communications-security.
  • 49. Routing: Contact Information, e.g. contact.sdase.org/email='k.panier@sda.se' and contact.sdase.org/slack='#fellowship-security'.
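The routing from slides 48 and 49 as an added example, not ClusterImageScanner's own code. It assumes the contact.sdase.org/email and contact.sdase.org/slack keys are read as Kubernetes annotations, that a workload's own annotations override its namespace's, and that findings without a Slack contact fall back to #communications-security; the workloads, namespaces and findings are constructed samples.

```python
"""Route scan findings to the owning team via contact annotations.

Added example, not code from ClusterImageScanner. Assumptions: the keys
contact.sdase.org/email and contact.sdase.org/slack (slide 49) are read as
Kubernetes annotations, a workload's own annotations override those of its
namespace, and findings without a Slack contact go to the security team
channel #communications-security (slide 48). Workloads, namespaces and
findings below are constructed samples.
"""
from collections import defaultdict

DEFAULT_SLACK = "#communications-security"
ANNOTATION_EMAIL = "contact.sdase.org/email"
ANNOTATION_SLACK = "contact.sdase.org/slack"

def contacts_for(workload, namespace=None):
    """(email, slack channel) for a workload: the namespace values are the
    fallback, the security channel is the last resort for Slack."""
    annotations = dict((namespace or {}).get("annotations", {}))
    annotations.update(workload.get("annotations", {}))
    return annotations.get(ANNOTATION_EMAIL), annotations.get(ANNOTATION_SLACK, DEFAULT_SLACK)

def route_findings(findings, workloads, namespaces):
    """Group findings per Slack channel so every team receives one message
    covering all of its images; the e-mail contact travels with each item."""
    by_channel = defaultdict(list)
    for finding in findings:
        workload = workloads[finding["workload"]]
        email, slack = contacts_for(workload, namespaces.get(workload["namespace"]))
        by_channel[slack].append({**finding, "email": email})
    return dict(by_channel)

def render_message(channel, items):
    """Plain-text notification body for one channel."""
    lines = [f"{channel}: {len(items)} finding(s) from the ClusterImageScanner"]
    for item in sorted(items, key=lambda i: i["image"]):
        lines.append(f"- {item['image']}: {item['scan']} {item['severity']} ({item['title']})")
    return "\n".join(lines)

# Constructed sample cluster metadata and findings.
NAMESPACES = {
    "fellowship": {"annotations": {ANNOTATION_EMAIL: "fellowship@example.org",
                                   ANNOTATION_SLACK: "#fellowship-security"}},
    "legacy": {"annotations": {}},
}
WORKLOADS = {
    "shop": {"namespace": "fellowship", "annotations": {}},
    "batch": {"namespace": "fellowship", "annotations": {ANNOTATION_SLACK: "#fellowship-batch"}},
    "old-api": {"namespace": "legacy", "annotations": {}},
}
FINDINGS = [
    {"workload": "shop", "image": "registry.example/shop:1.4", "scan": "Image Lifetime",
     "severity": "Medium", "title": "image older than 90 days"},
    {"workload": "batch", "image": "registry.example/batch:2.0", "scan": "Root",
     "severity": "Low", "title": "container runs as root"},
    {"workload": "old-api", "image": "registry.example/old-api:0.9", "scan": "Malware",
     "severity": "High", "title": "malware signature matched in a layer"},
]

if __name__ == "__main__":
    for channel, items in route_findings(FINDINGS, WORKLOADS, NAMESPACES).items():
        print(render_message(channel, items), end="\n\n")
```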
  • 50. Conclusion
    ● A patch policy is defined (indirect)
    ● Automated PRs for patches (indirect)
    ● Nightly build of images (indirect)
    ● Usage of a maximum lifetime for images (indirect)
  • 51. Conclusion: as on slide 50, plus
    ● Test of server side components with known vulnerabilities
    ● Test of virtualized environments (e.g. root, distroless)
    ● Test for Malware
    ● Test for new image version
  • 53. Conclusion: the process is important. Vulnerability Management via OWASP DefectDojo.
  • 54. Thank you. Questions? Contact clusterscanner@pagel.pro. Repo: https://github.com/SDA-SE/cluster-image-scanner/ Article: https://medium.com/sda-se/discovery-of-known-vulnerabilities-and-inventories-for-modern-applications-fb8542555c05