ConPan: A Tool to Analyze Packages in Software Containers

•Download as PPTX, PDF•

0 likes•29 views

ConPan is a tool that analyzes software packages in Docker containers. It identifies outdated and vulnerable packages. The motivation is that outdated packages often contain security vulnerabilities, and vulnerabilities are a main barrier to adopting containers in production. ConPan scans Docker images and produces results about which packages are outdated and may contain vulnerabilities based on data for different package managers like Debian. It can be run from the command line or via an API.

ConPan: A Tool to Analyze Packages
in Software Containers
Ahmed Zerouali, Valerio Cosentino,
Jesus Gonzalez Barahona, Gregorio Robles,
Tom Mens
Mining Software Repositories 2019
Montreal, QC, Canada - May 26-27, 2019

Motivation: Security vulnerabilities are main barrier to
container adoption in production environments

Motivation: Other main
concerns for container adoption
• Dependencies (required
packages)
• Bugs in third-party software
• Outdated third-party software

“Systems with a low dependency freshness are more than four
times as likely to contain security issues in these dependencies.”
J. Cox et al. “Measuring Dependency Freshness in Software Systems”, ICSE 2015.
"The number of vulnerabilities is moderately correlated with the
number of outdated packages in a container”
A. Zerouali, et al. “On the Relation between Outdated Docker Containers, Severity
Vulnerabilities, and Bugs”, Saner 2019.
Are there any tools that combine information about outdatedness
and security vulnerabilities?
Motivation: Outdatedness causes Security vulnerabilities

ConPan Installation:
$ git clone https://github.com/neglectos/ConPan
$ python3 setup.py build
$ python3 setup.py install

ConPan in action: # Call ConPan from command line
$ conpan -p debian -c <Docker image> -d path/to/data
Example: $ conpan -p debian -c google/mysql -d /ConPan/data/debian/

ConPan in action: # Call ConPan from API

ConPan in action: # Call ConPan from API -> Results

https://media.giphy.com/media/DUrdT2xEmJWbS/giphy.gif
Questions

ConPan is a tool that analyzes software packages installed in Docker containers to identify outdated and vulnerable packages. It combines information about outdatedness and known security vulnerabilities. ConPan works by scanning Docker images and comparing package information to vulnerability databases. The goal is to help identify security risks from outdated and vulnerable packages in container images to improve container security.

Winning open source vulnerabilities without loosing your deveopers - Azure De...

WhiteSource

AI approach to malware similarity analysis: Maping the malware genome with a...

Priyanka Aash

In recent years, cyber defenders protecting enterprise networks have started incorporating malware code sharing identification tools into their workflows. These tools compare new malware samples to a large databases of known malware samples, in order to identify samples with shared code relationships. When unknown malware binaries are found to share code "fingerprints" with malware from known adversaries, they provides a key clue into which adversary is generating these new binaries, thus helping develop a general mitigation strategy against that family of threats. The efficacy of code sharing identification systems is demonstrated every day, as new family of threats are discovered, and countermeasures are rapidly developed for them. Unfortunately, these systems are hard to maintain, deploy, and adapt to evolving threats. First and foremost, these systems do not learn to adapt to new malware obfuscation strategies, meaning they will continuously fall out of date with adversary tradecraft, requiring, periodically, a manually intensive tuning in order to adjust the formulae used for similarity between malware. In addition, these systems require an up to date, well maintained database of recent threats in order to provide relevant results. Such a database is difficult to deploy, and hard and expensive to maintain for smaller organizations. In order to address these issues we developed a new malware similarity detection approach. This approach, not only significantly reduces the need for manual tuning of the similarity formulate, but also allows for significantly smaller deployment footprint and provides significant increase in accuracy. Our family/similarity detection system is the first to use deep neural networks for code sharing identification, automatically learning to see through adversary tradecraft, thereby staying up to date with adversary evolution. Using traditional string similarity features our approach increased accuracy by 10%, from 65% to 75%. Using an advanced set of features that we specifically designed for malware classification, our approach has 98% accuracy. In this presentation we describe how our method works, why it is able to significantly improve upon current approaches, and how this approach can be easily adapted and tuned to individual/organization needs of the attendees. (Source: Black Hat USA 2016, Las Vegas)

FOSDEM 2020 Presentation: Comparing dependency management issues across packa...

Fasten Project

Information Security Incidents Survey in Russia

Positive Hack Days

An information security survey was conducted among the top 100 companies in Russia in 2014. The survey found that all companies experienced information security incidents in 2013, with 58% affecting internal infrastructure availability. The most common threats were vulnerabilities allowing network perimeter hacking in 2 steps, with 82% of attacks being successful despite low attacker qualification. Unpatched software left 57% of systems vulnerable to critical vulnerabilities, and some updates took as long as 9 years to install.

On the Relation between Outdated Docker Containers, Severity Vulnerabilities,...

Tom Mens

Empirically Analysing the Socio-Technical Health of Software Package Managers

Tom Mens

Invited presentation at Concordia University (Montreal, Canada) by Eleni Constantinou and Tom Mens on recent research about the socio-technical health issues in software package management ecosystems. Abstract: The large majority of today’s software is relying on open software software components. Such components are typically distributed through package managers for a wide variety of programming languages, and developed and maintained through online distributed software development services like GitHub. Software component repositories are perceived as software ecosystems that constitute complex and evolving socio-technical software dependency networks. Because of their complexity and evolution, these ecosystems tend to suffer from a wide variety of software health issues that can be either technical or social in nature. Examples of such issues include the ecosystem fragility due to exponential growth and transitive dependencies; the abundance of outdated, unmaintained or obsolete software components; the prolonged presence of unfixed bugs and security vulnerabilities; the abandonment or high turnover of key contributors, suboptimal collaboration between contributors, and many more. This presentation will report on our past and ongoing empirical research that studies such health factors within and across different software packaging ecosystems (such as npm, RubyGems, Cargo, CRAN, CPAN). We provide empirical evidence of some of the health problems, compare their presence across different ecosystems, and suggest ways to reduce their potential impact by providing concrete guidelines and tools. The presented research Is being conducted by researchers of the Software Engineering Lab at the University of Mons in the context of two ongoing projects SECOHealth and SECO-ASSIST, aiming to analyse and improve the health of software ecosystems.

Container Security Essentials

DNIF

The document summarizes a working session on software engineering myths held on October 4, 2007 in Paris. The session included discussions of common myths in areas such as complexity, bugs, clones, aspect-oriented programming, and project management. Participants shared and debated myths in small group discussions. Some examples of myths discussed include the ideas that complexity leads to more bugs, clones are always bad, and aspect-oriented programs are inherently easier to maintain. The session aimed to evaluate whether such perceptions are truly myths or if aspects of them have been found to hold true in various studies.

How to increase the technical health of your software?

Tom Mens

Presentation by Prof. Tom Mens (University of Mons) about the relation between, and guidelines for increasing, the internal and external technical debt and technical health of software. This talk was presented at the Business and Technology Club of the Infopole Cluster TIC in Gosselies (Belgium) on 19 February 2019. The ideas presented are partly based on research conducted in the context of the FRNS-FWO co-financed "Excellence of Science" Research Project SECO-ASSIST (http://secoassist.github.io)

On the health of the npm packaging ecosystem

Tom Mens

Is my software ecosystem healthy? It depends!

Tom Mens

Container Intrusions - Assessing the Efficacy of Intrusion Detection and Anal...

Alfredo Hickman

The unique and intrinsic methods by which Linux application containers are created, deployed, networked, and operated do not lend themselves well to the conventional application of methods for conducting intrusion detection and analysis in traditional physical and virtual machine networks. While similarities exist in some of the methods used to perform intrusion detection and analysis in conventional networks as compared to container networks, the effectiveness between the two has not been thoroughly measured and assessed: this presents a gap in application container security knowledge. By researching the efficacy of these methods as implemented in container networks compared to traditional networks, this research will provide empirical evidence to identify the gap, and provide data useful for identifying and developing new and more effective methods to secure application container networks

Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...

Black Duck by Synopsys

It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security into your GDPR plans. Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.

Empowering Application Security Protection in the World of DevOps

Black Duck by Synopsys

Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/ How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools. What can development teams do to keep pace with rapidly-evolving application security threats? The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks. In this session, you will learn: - New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments. - Best practices for designing and incorporating an automated approach to application security into your existing development environment. - Future development and application security challenges organizations will face and what they can do to prepare.

Empowering Application Security Protection in the World of DevOps

IBM Security

Standardizing Source Code Security Audits

ijseajournal

This summarizes a research paper about standardizing source code security audits. The paper proposes assembling literature on security audit techniques to promote standard methodology. It then presents a case study analyzing vulnerabilities in the Apache Traffic Server using two proprietary tools. The study examines potential issues, connects them to a standard taxonomy (CWE), and describes consequences of exploits. The paper concludes by reviewing other security case studies.

Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...

ESET Middle East

The document examines major software vulnerabilities and exploits from 2017-2018, including EternalBlue, WannaCryptor, CoinMiner, Diskcoder (aka Petya), and Meltdown/Spectre. It discusses how the number of reported vulnerabilities reached a historic peak in 2017, with the number of high severity vulnerabilities increasing by 68% from 2016. Exploits like EternalBlue were utilized by ransomware like WannaCryptor to devastating effect by taking advantage of vulnerabilities in older, unpatched systems. The risk posed by vulnerabilities underscores the need for multilayered endpoint security through timely patching and protection layers.

Solnet dev secops meetup

pbink

DevSecOps aims to integrate security practices into DevOps workflows to deliver value faster and safer. It addresses challenges like keeping security practices aligned with continuous delivery models and empowered DevOps teams. DevSecOps incorporates security checks and tools into development pipelines to find and fix issues early. This helps prevent breaches like the 2017 Equifax hack, which exploited a known vulnerability. DevSecOps promotes a culture of collaboration, shared responsibility, and proactive security monitoring throughout the software development lifecycle.

Open Source Security

William Chipman

This document discusses whether open source operating systems and software are inherently more secure than closed source alternatives. It presents arguments from experts on both sides of the issue. Proponents of open source software argue that with many eyes reviewing the publicly available source code, security issues will be found and fixed more quickly. However, experts in favor of closed source software counter that open source code may not receive thorough reviews, and that commercial developers have greater expertise and incentives to ensure security. The document provides context on open source and closed source definitions and licensing, and how each approach deals with vulnerabilities.

Comparing dependency issues across software package distributions (FOSDEM 2020)

Tom Mens

This talk reports on our findings based on multiple empirical studies that we have conducted to understand different aspects of dependency management and their practical implications. This includes: * the outdatedness of package dependencies, the transitive impact of such "technical lag", and its relation to the presence of bugs and security vulnerabilities. * the impact of using either more permissive or more restrictive version contraints on dependencies. * the virtues and limitations of being compliant to semantic versioning, a common policy to inform dependents whether new releases of software packages introduce possibly backward incompatible changes. * the impact of specific characteristics, policies and tools used by the packaging ecosystem and its supporting community on all of the above. The contents of the talk is primarily based on the following peer-reviewed scientific articles: * What do package dependencies tell us about semantic versioning? Alexandre Decan, Tom Mens. IEEE Transactions on Software Engineering, 2019. https://doi.org/10.1109/TSE.2019.2918315 * An empirical comparison of dependency network evolution in seven software packaging ecosystems. Alexandre Decan, Tom Mens, Philippe Grosjean. Empirical Software Engineering 24(1):381-416, 2019. https://doi.org/10.1007/s10664-017-9589-y * A formal framework for measuring technical lag in component repositories and its application to npm. Ahmed Zerouali, Tom Mens, Jesus Gonzalez‐Barahona, Alexandre Decan, Eleni Constantinou, Gregorio Robles. Journal of Software: Evolution and Process 31(8), 2019. https://doi.org/10.1002/smr.2157 * On the Impact of Security Vulnerabilities in the npm Package Dependency Network. Alexandre Decan, Tom Mens, Eleni Constantinou. International Conference on Mining Software Repositories, 2018. https://doi.org/10.1145/3196398.3196401 * On the Evolution of Technical Lag in the npm Package Dependency Network. Alexandre Decan, Tom Mens, Eleni Constantinou. International Conference on Software Maintenance and Evolution, 2018. https://doi.org/10.1109/ICSME.2018.00050

DevOps Support for an Ethical Software Development Life Cycle (SDLC)

Mark Underwood

Socio-Technical Empirical Comparison of Software Package Ecosystems

Tom Mens

Producing Quality Software

Simon Smith

Dependency Bugs The Dark Side Of Variability, Reuse, and Modularity

Andrzej Wasowski

This document discusses dependency bugs in ROS (Robot Operating System), an open-source robotics middleware. The authors define dependency bugs and analyze their prevalence and impact based on a study of over 100 bugs reports. They find that 53% of ROS packages are affected by dependency bugs, which attract more discussion than other bugs. While each dependency bug may seem simple to fix, together they represent a significant and ongoing problem due to the complex web of dependencies in ROS. The document calls for more work to reduce the occurrence of these bugs.

Software Security Assurance for Devops

Jerika Phelps

How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps. You’ll learn: -New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments -Best practices for designing and incorporating an automated approach to application security into your existing development environment -Future development and application security challenges organizations will face and what they can do to prepare

Software Security Assurance for DevOps

Black Duck by Synopsys

US AI Safety Institute and Trustworthy AI Details.

Bob Marcus

Prevalence and Evolution of License Violations in npm and RubyGems Dependency...

ConPan: A Tool to Analyze Packages in Software Containers

Recommended

Recommended

More Related Content

Similar to ConPan: A Tool to Analyze Packages in Software Containers

Similar to ConPan: A Tool to Analyze Packages in Software Containers (20)

More from Ahmed Zerouali

More from Ahmed Zerouali (16)

Recently uploaded

Recently uploaded (20)

ConPan: A Tool to Analyze Packages in Software Containers

Editor's Notes