Timo Pagel
DevSecOps Trainer/Architect/Strategist
$ /usr/bin/whoami
● DevSecOps Trainer and Consultant
● Lecturer for Security in Web Applications at different Universities
● Open Source / Open Knowledge Enthusiast
Risk Management / CIS Evolution
Phases: Discover | Prioritize | Act
Steps: Testing Env | Aggregation | Prioritization | Action | Measurement
Inspired by The vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
Typical ClusterImageScanner User
User/Creator of the ClusterImageScanner: companies using modern technologies, e.g. Containers, Kubernetes, Multi Cloud, Micro Services
Typical Problems
● Missing patch management leads to exploitable containers
● Are we using the vulnerable component/version X?
● What vulnerabilities are potentially exploitable?
● Misconfigurations
Solution Overview: Handling of security misconfigurations and known vulnerabilities
Prod. (Kubernetes) Cluster running Container W (Image A), Container X (Image A), Container Y (Image B), Container Z (Image C)
Report Known Vulnerabilities -> Developers
Report Lifetime -> Operators
Solution Overview
Kubernetes Cluster | Image Registry -> DefectDojo, EMail/Messenger -> Dev/Ops
SDA SE ClusterScanner Overview
Kubernetes Cluster 1: Image Collector (Container A, Image B)
Kubernetes Cluster 2: Image Collector (Container X, Image Y)
... Kubernetes Cluster n
Image Registry
Image Collectors -> Orchestrator -> Scan A, Scan B (e.g. Image Lifetime) -> DefectDojo, EMail/Messenger -> Dev/Ops
DevSecOps Test Journey (2017-2021)
● Dependency Check with Jenkins-Plugin
Risk Management / CIS Evolution
Phases: Discover | Prioritize | Act
Steps: Testing Env | Aggregation | Prioritization | Action | Measurement
Vulnerability Severity | Mitigation Controls | Enhancement of threshold | Mitigation Controls | Master (ahead of production)
Inspired by The vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
DevSecOps Test Journey (2017-2021)
● Dependency Check with Jenkins-Plugin
● Dependency Check (master) with DefectDojo
Build and Deployment Process
Developer -> Version Control -> Build and Deployment -> Internal Repository -> Production near System -> Production System
Issue detected:
● Developer is working on something else
● Maybe the developer patched a vulnerability but another is raised
● Is a good process for introduced vulnerabilities, e.g. SQLi
Risk Management / CIS Evolution
Phases: Discover | Prioritize | Act
Steps: Testing Env | Aggregation | Prioritization | Action | Measurement
Vulnerability Severity | Mitigation Controls | Enhancement of threshold | Mitigation Controls | Master (ahead of production)
Vulnerability Severity | Mitigation Controls, Acceptance, Marking as false positive | Mean Time to Resolution | Master (ahead of production)
Inspired by The vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
Inform about known vulnerabilities
The developer doesn't change anything -> asynchronous information about known vulnerabilities in third-party libraries
DevSecOps Test Journey (2017-2021)
● Dependency Check with Jenkins-Plugin
● Dependency Check on Production Images (kustomize + grep)
● Dependency Check (master) with DefectDojo
Master != Production
● Process (e.g. approval)
● Technical issues
Build and Deployment Process
Developer -> Version Control -> Build and Deployment -> Internal Repository -> Production near System -> Production System
Why master != production: Technical issue; Approval (Product Owner)
DevSecOps Test Journey (2017-2021)
● Dependency Check with Jenkins-Plugin
● Dependency Check
● Dependency Check on Production Images (kustomize + grep)
● Dependency Check (master) with DefectDojo
Risk Management / CIS Evolution
Phases: Discover | Prioritize | Act
Steps: Env | Aggregation | Prioritization | Action | Measurement
Vulnerability Severity | Mitigation Controls | Enhancement of threshold | Mitigation Controls | Master (ahead of production)
Vulnerability Severity | Mitigation Controls, Acceptance, Marking as false positive | Mean Time to Resolution | Master (ahead of production)
Vulnerability Severity, Contextual Information | Mitigation Controls, Acceptance, Marking as false positive | Mean Time to Resolution | (Base)-Image Lifetime | Real-time | Production | Testing
Inspired by The vulnerability management framework, https://github.com/franksec42/Vulnerability-management-maturity
Cluster Components/Layers
● Application
● Container Operating System
● (Host Operating System)
Patching: a solved issue arises again
Timeline t: Build | Vulnerability Discovered | Patch Published | Start Container | Build | Run Container
DevSecOps Test Journey (2017-2021)
● Dependency Check with Jenkins-Plugin
● Image Lifetime
● Dependency Check
● Dependency Check on Production Images (kustomize + grep)
● Dependency Check (master) with DefectDojo
Images
Layers: BaseImage-Layer1, BaseImage-Layer2, BaseImage-Layer3, Project Layer
Image Build Date
BaseImage-Layer1: Build: 2020-11-01
BaseImage-Layer2: Build: 2021-01-01
BaseImage-Layer3: Build: 2021-03-01
Project Layer: Build: 2021-07-01
ImageLifetime Scan: reports the Image Lifetime of the stack above
DevSecOps Test Journey (2017-2021)
● Dependency Check with Jenkins-Plugin
● Image Lifetime
● Distroless
● Dependency Check
● Dependency Check on Production Images (kustomize + grep)
● Dependency Check (master) with DefectDojo
● Base Image Lifetime
● Root
ImageLifetime Scan / BaseImageLifetime Scan
Official Distribution Image: Build: 2020-02-01
BaseImage-Layer1 (yum update): Build: 2020-11-01
BaseImage-Layer2: Build: 2021-01-01
BaseImage-Layer3: Build: 2021-03-01
Project Layer: Build: 2021-07-01
Reported: Image Lifetime, BaseImage Lifetime
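The two lifetimes this scan reports, and the patching timeline from the earlier slide (a patch published after the build never reaches a running container until the image is rebuilt), worked through as an added Python example that is not ClusterImageScanner's own code. The layer build dates are the ones on the slides; the layer instructions, the thresholds and the rule that the newest package-refreshing base layer anchors the BaseImage Lifetime are assumptions.

```python
"""Image Lifetime and BaseImage Lifetime computed from per-layer build dates.

Added example, not ClusterImageScanner's own code. Input is the image's
layer history (name, build date, creating instruction), as `docker history`
or the image config would give it. Build dates are the ones on the slides;
the instructions and the thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Layer:
    name: str
    built: date
    created_by: str  # the instruction that produced the layer


# A layer running one of these refreshes the OS packages of the base image.
PACKAGE_REFRESH = ("yum update", "dnf upgrade", "apt-get upgrade", "apk upgrade")

# Constructed history, oldest layer first, build dates as on the slides.
IMAGE_HISTORY = [
    Layer("Official Distribution Image", date(2020, 2, 1), "ADD rootfs.tar /"),
    Layer("BaseImage-Layer1", date(2020, 11, 1), "RUN yum update -y"),
    Layer("BaseImage-Layer2", date(2021, 1, 1), "RUN yum install -y java-11-openjdk"),
    Layer("BaseImage-Layer3", date(2021, 3, 1), "COPY entrypoint.sh /"),
    Layer("Project Layer", date(2021, 7, 1), "COPY app.jar /app/"),
]
# Same stack, but BaseImage-Layer1 never refreshed the packages: whatever was
# patched upstream after 2020-02-01 is still missing in every layer above it.
IMAGE_HISTORY_STALE_BASE = [
    Layer(l.name, l.built, "RUN echo no-update" if l.name == "BaseImage-Layer1" else l.created_by)
    for l in IMAGE_HISTORY
]


def image_lifetime(history, today):
    """Days since the newest layer, i.e. since the project build."""
    return (today - max(l.built for l in history)).days


def base_image_lifetime(history, today):
    """Days since the base image's packages were last refreshed.

    Assumption (not spelled out on the slides): the newest base layer that ran a
    package refresh anchors the base image age; if no base layer did, the
    official distribution image's build date does, however many layers were
    added on top of it since.
    """
    base = history[:-1]  # everything below the project layer
    refreshed = [l for l in base if any(m in l.created_by for m in PACKAGE_REFRESH)]
    anchor = max(refreshed, key=lambda l: l.built) if refreshed else base[0]
    return (today - anchor.built).days


def lifetime_scan(history, today_iso, max_image_days=30, max_base_days=90):
    """Both lifetimes plus the findings that exceed the (constructed) thresholds."""
    today = date.fromisoformat(today_iso)
    img = image_lifetime(history, today)
    base = base_image_lifetime(history, today)
    findings = []
    if img > max_image_days:
        findings.append(f"Image Lifetime {img}d > {max_image_days}d: rebuild the image")
    if base > max_base_days:
        findings.append(f"BaseImage Lifetime {base}d > {max_base_days}d: rebuild the base image")
    return {"image_lifetime_days": img, "base_image_lifetime_days": base, "findings": findings}


if __name__ == "__main__":
    for label, history in (("fresh base", IMAGE_HISTORY), ("stale base", IMAGE_HISTORY_STALE_BASE)):
        print(label, lifetime_scan(history, "2021-08-01"))
```

On 2021-08-01 the slide's stack is 31 days old but its base is 273 days old; without the yum update layer the base age jumps to 547 days, which is the difference between the two scans.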
DevSecOps Test Journey (2017-2021)
● Dependency Check with Jenkins-Plugin
● Image Lifetime
● Distroless
● Dependency Check
● Dependency Check on Production Images (kustomize + grep)
● Dependency Check (master) with DefectDojo
● Base Image Lifetime
● Root
● New Version
DevSecOps Test Journey (2017-2022)
● Dependency Check with Jenkins-Plugin
● Image Lifetime
● Distroless
● Dependency Check
● Dependency Check on Production Images (kustomize + grep)
● Dependency Check (master) with DefectDojo
● Base Image Lifetime
● Root
● New Version
● Malware
● Dependency Track
Software Inventory
Answers: Which components/versions are we using (in our components/images)?
Performs vulnerability scans
Gathering SBOM
● Build time with a package manager analyser / plugin (cdxgen)
● Post-build: Image analysis (syft)
Implementation: Simple
Build (optional): Create SBOM -> Put /bom.json into image
ClusterImageScanner: Generate full bom.syft.json with syft (contains /bom.json and additional found components) -> Upload bom.syft.json to Dependency Track; Upload vuln. to DefectDojo
SBOM in Build
Exclusion of folders (e.g. with dependency-jars):
File in image /clusterImageScanner.yaml:
cluster-image-scanner:
  sbom-analysis:
    when-sbom-exists-exclude-from-scan:
      - /app
      - /usr/app
      - /usr/src/app
      - /var/www/html
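How the build-time /bom.json and the post-build syft result become one full inventory under that exclusion list, as an added Python example that is not ClusterImageScanner's own code. It assumes syft's CycloneDX JSON records the path a component was found at as a "syft:location:0:path" property; both SBOMs are constructed and the config dict mirrors the YAML above.

```python
"""Merge the build-time /bom.json with the post-build syft SBOM into the
full inventory, honouring when-sbom-exists-exclude-from-scan.

Added example, not ClusterImageScanner's own code. It assumes syft's CycloneDX
JSON records where each component was found as a "syft:location:0:path"
property; both SBOMs below are constructed, the config mirrors the slide.
"""
import json
from pathlib import PurePosixPath

# /clusterImageScanner.yaml from the slide, as the dict a YAML loader returns.
SCANNER_CONFIG = {"cluster-image-scanner": {"sbom-analysis": {
    "when-sbom-exists-exclude-from-scan": ["/app", "/usr/app", "/usr/src/app", "/var/www/html"]}}}

# Constructed build-time SBOM (what cdxgen would have written to /bom.json).
BUILD_BOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "jackson-databind", "version": "2.12.3",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.3"},
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
]})

# Constructed syft SBOM of the whole image: OS packages, a jar under /app that
# the build SBOM already covers, and a jar outside the excluded folders.
SYFT_BOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "openssl-libs", "version": "1.1.1k-4.el8",
     "purl": "pkg:rpm/centos/openssl-libs@1.1.1k-4.el8",
     "properties": [{"name": "syft:location:0:path", "value": "/var/lib/rpm/Packages"}]},
    {"type": "library", "name": "jackson-databind", "version": "2.12.3",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.3",
     "properties": [{"name": "syft:location:0:path", "value": "/app/lib/jackson-databind-2.12.3.jar"}]},
    {"type": "library", "name": "snakeyaml", "version": "1.26",
     "purl": "pkg:maven/org.yaml/snakeyaml@1.26",
     "properties": [{"name": "syft:location:0:path", "value": "/opt/tools/lib/snakeyaml-1.26.jar"}]},
]})


def excluded_folders(config):
    paths = config["cluster-image-scanner"]["sbom-analysis"]["when-sbom-exists-exclude-from-scan"]
    return [PurePosixPath(p) for p in paths]


def location(component):
    """First path syft recorded for the component, or None."""
    for prop in component.get("properties", []):
        if prop["name"].startswith("syft:location:") and prop["name"].endswith(":path"):
            return PurePosixPath(prop["value"])
    return None


def under(path, folders):
    return path is not None and any(path == f or f in path.parents for f in folders)


def merge_sboms(build_bom_json, syft_bom_json, config):
    """Return (merged CycloneDX dict, purls dropped from the syft result).

    The exclusions only apply when the image ships a build SBOM: inside the
    excluded folders the build SBOM is authoritative, everything syft found
    elsewhere (OS packages, tools copied in later) is added to it.
    """
    build = json.loads(build_bom_json) if build_bom_json else None
    syft = json.loads(syft_bom_json)
    folders = excluded_folders(config) if build else []
    merged, dropped = {}, []
    for comp in (build or {}).get("components", []):
        merged[comp["purl"]] = comp
    for comp in syft["components"]:
        if under(location(comp), folders):
            dropped.append(comp["purl"])
        elif comp["purl"] not in merged:
            merged[comp["purl"]] = comp
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": list(merged.values())}, dropped


if __name__ == "__main__":
    full, dropped = merge_sboms(BUILD_BOM, SYFT_BOM, SCANNER_CONFIG)
    print(json.dumps(full, indent=2))
    print("dropped:", dropped)
```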
Slack Notification
Team communications: Channel #communications-security
Routing: Contact Information
contact.sdase.org/email='k.panier@sda.se'
contact.sdase.org/slack='#fellowship-security'
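Routing findings by those contact keys, as an added Python example that is not ClusterImageScanner's own code. It assumes the keys are annotations on the namespace of the affected container (Kubernetes label values cannot contain '@' or '#', so they cannot be labels) and that teams without a valid contact fall back to the #communications-security channel from the previous slide; the namespaces, findings and e-mail addresses are constructed.

```python
"""Route a finding to the owning team via contact annotations on its namespace.

Added example, not ClusterImageScanner's own code. Assumes the contact keys
from the slide are Kubernetes annotations on the namespace (label values may
not contain '@' or '#', so they cannot be labels) and that a finding carries
the namespace of the container it was raised for. Namespaces, findings and
e-mail addresses are constructed; the fallback channel is the slides' one.
"""
import re

EMAIL_KEY = "contact.sdase.org/email"
SLACK_KEY = "contact.sdase.org/slack"
DEFAULT_SLACK = "#communications-security"  # security team channel from the slides
SLACK_RE = re.compile(r"^#[a-z0-9_-]{1,80}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed namespace metadata, as `kubectl get ns -o json` would return it.
NAMESPACES = {
    "shop-checkout": {"annotations": {SLACK_KEY: "#fellowship-security",
                                       EMAIL_KEY: "checkout-team@example.com"}},
    "legacy-cms": {"annotations": {EMAIL_KEY: "cms-owner@example.com"}},
    "sandbox": {"annotations": {SLACK_KEY: "not a channel"}},  # malformed value
    "monitoring": {},                                          # no contact at all
}


def contacts_for(namespace_meta):
    """Validated (slack, email, problems); a malformed value is reported, not used."""
    ann = namespace_meta.get("annotations", {})
    slack = email = None
    problems = []
    if SLACK_KEY in ann:
        if SLACK_RE.match(ann[SLACK_KEY]):
            slack = ann[SLACK_KEY]
        else:
            problems.append(f"invalid {SLACK_KEY}={ann[SLACK_KEY]!r}")
    if EMAIL_KEY in ann:
        if EMAIL_RE.match(ann[EMAIL_KEY]):
            email = ann[EMAIL_KEY]
        else:
            problems.append(f"invalid {EMAIL_KEY}={ann[EMAIL_KEY]!r}")
    return slack, email, problems


def route(finding, namespaces):
    """Targets for one finding: every valid team contact, else the security channel."""
    ns = finding["namespace"]
    slack, email, problems = contacts_for(namespaces.get(ns, {}))
    targets = [("slack", slack)] if slack else []
    if email:
        targets.append(("email", email))
    if not targets:
        targets.append(("slack", DEFAULT_SLACK))
        problems.append(f"no valid contact on namespace {ns}, routed to {DEFAULT_SLACK}")
    return {"finding": finding["title"], "targets": targets, "problems": problems}


if __name__ == "__main__":
    # Constructed findings, one per namespace kind.
    for ns in NAMESPACES:
        print(route({"namespace": ns, "title": "Image Lifetime exceeded"}, NAMESPACES))
```

The problems list is what a security team needs to see as well: a namespace with a malformed or missing contact silently turns every finding into the security channel's work.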
Conclusion
● A patch policy is defined (indirect)
● Automated PRs for patches (indirect)
● Nightly build of images (indirect)
● Usage of a maximum lifetime for images (indirect)
● Test of server side components with known vulnerabilities
● Test of virtualized environments (e.g. root, distroless)
● Test for Malware
● Test for new image version
Cluster Scanner + DefectDojo
Conclusion
The process is important
Vulnerability Management via OWASP DefectDojo
Thank you
Questions?
Contact clusterscanner@pagel.pro
Repo: https://github.com/SDA-SE/cluster-image-scanner/
Article: https://medium.com/sda-se/discovery-of-known-vulnerabilities-and-inventories-for-modern-applications-fb8542555c05

Container Security Scanning by Timo Pagel
