We understand that different people have different understandings - - PowerPoint PPT Presentation




SLIDE 1

SLIDE 2

§ We understand that different people have different understandings for the meaning of the word “fun.” We believe that Mr. Kinsella has prepared this talk with true intention to provide an entertaining look into what many (including us) would consider an impossibly dry subject. Information security is bad enough – have you ever looked at Seccomp? He’s giving a talk on that on Wednesday; we guess they had extra rooms at the conference? We thought some of our contracts were bad! Anyways, point is – by reading this text and continuing to remain in the conference hall, you hereby understand that this guy (can be) funny and he’s going to try and make this a fun talk, but you waive your right for recourse in the event you do not emit nary a giggle.

SLIDE 3
  • 20 years in security industry
  • Previously wrote a vulnerability scanner for Linux, Solaris, Windows
  • Long open source history
  • Active in Cloud Security Alliance
  • Founder and CTO of Layered Insight

SLIDE 4
  • Fun!
  • Scanning Overview
  • Discuss a few tools
  • How to minimize vulnerabilities in your images
  • Vulnerability triage
SLIDE 5

SLIDE 6

SLIDE 7

§ The previous slide depicted a sample of logos representing products and vendors in the information security space who claim to provide software or services capable of determining the presence of vulnerable software in a given computer system. As this is a sample set, some vendors or products may not have been listed. Logos which are displayed may differ in size; this is due to laziness on the part of Mr. Kinsella, and is not to be interpreted as a comment on the market share, company size, or effectiveness of any particular logo or representative product. This goes for the next slide, as well.

He’s an engineer. They’re lazy. He’ll probably file a pull request on this slide deck next week for a basic typo. Don’t look at me like that. How am I supposed to know how to merge a patch in a PowerPoint file?
SLIDE 8

http://thenewstack.io/draft-vulnerability-scanners/

SLIDE 9

§ Network based shows vulnerabilities exposed to the network (running services not protected by firewalls)

§ Host based shows vulnerabilities in installed sw – doesn’t have to be running

Diagram: Host vs. Network

SLIDE 10

§ A container image is made up of layers – to get a real understanding of the vulnerability stance of an image, need to assess each layer

Image: Docker
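Why each layer has to be assessed, shown as an added example that is not part of the deck: the image, its package inventories and the advisory feed below are all constructed (the digests and advisory ids are placeholders, not real data), and the scanner is a simplified exact-version matcher. Applying the layers bottom-to-top gives the union view a running container sees; scanning only that view misses a package that a lower layer installed and an upper layer later purged, because the lower layer's tarball still ships those files, and it cannot say which Dockerfile instruction introduced a finding.

```python
"""
Per-layer vs. merged-view vulnerability assessment of a container image.

A container image is a stack of filesystem layers; the running container sees
the union of them, where an upper layer can add, replace, or delete (whiteout)
files from lower layers.  The image, package inventories and advisory feed
below are constructed for this example, not real data.
"""
from dataclasses import dataclass, field


@dataclass
class Layer:
    digest: str                                  # content hash of the layer tarball (placeholder)
    created_by: str                              # Dockerfile instruction that produced the layer
    added: dict = field(default_factory=dict)    # package -> version installed in this layer
    removed: set = field(default_factory=set)    # packages deleted (whiteouts) in this layer


# Constructed advisory feed: package -> (vulnerable version, fixed version, advisory id)
ADVISORIES = {
    "openssl": ("1.0.1e", "1.0.1f", "ADV-EXAMPLE-1"),
    "curl":    ("7.38.0", "7.38.1", "ADV-EXAMPLE-2"),
}


def scan_packages(packages):
    """Return the advisory ids whose vulnerable version exactly matches an installed package."""
    findings = []
    for pkg, version in packages.items():
        if pkg in ADVISORIES and ADVISORIES[pkg][0] == version:
            findings.append(ADVISORIES[pkg][2])
    return sorted(findings)


def merged_view(layers):
    """Apply layers bottom-to-top, the way the union filesystem presents the container rootfs."""
    packages = {}
    for layer in layers:
        for pkg in layer.removed:        # whiteouts hide the lower layer's copy
            packages.pop(pkg, None)
        packages.update(layer.added)     # upper layer adds or replaces
    return packages


def scan_merged(layers):
    """What an image-level scanner that only looks at the final rootfs would report."""
    return scan_packages(merged_view(layers))


def scan_per_layer(layers):
    """Scan each layer's own contents; findings are attributed to the layer that shipped them."""
    report = {}
    for layer in layers:
        hits = scan_packages(layer.added)
        if hits:
            report[layer.digest] = {"created_by": layer.created_by, "advisories": hits}
    return report


# Constructed image: the base layer installs vulnerable openssl and curl; a later layer
# purges openssl (whiteout) and another upgrades curl, but the base layer tarball is unchanged.
SAMPLE_IMAGE = [
    Layer("sha256:aaaa", "FROM debian (constructed)",
          added={"openssl": "1.0.1e", "curl": "7.38.0", "bash": "4.3"}),
    Layer("sha256:bbbb", "RUN apt-get purge -y openssl", removed={"openssl"}),
    Layer("sha256:cccc", "RUN apt-get install -y curl=7.38.1", added={"curl": "7.38.1"}),
]

if __name__ == "__main__":
    print("merged view findings:", scan_merged(SAMPLE_IMAGE))     # nothing: both fixed/purged on top
    for digest, entry in scan_per_layer(SAMPLE_IMAGE).items():    # base layer still carries both
        print(digest, entry)
```

With a real image the per-layer inventory would come from the layer tarballs (for example the output of `docker save`) and the advisory feed from the distribution's security tracker; what carries over is that findings are recorded against the layer that introduced them rather than against the image as a whole.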

SLIDE 11

SLIDE 12

SLIDE 13

SLIDE 14

SLIDE 15

§ Vulnerability databases are specific to OS distributions and understand versions much better

SLIDE 16

(from https://github.com/coreos/clair/ )

SLIDE 17

SLIDE 18

SLIDE 19

(from https://people.canonical.com/~ubuntu-security/cve/pkg/glibc.html )

SLIDE 20

§ Don’t use from:debian, unless really needed

SLIDE 21

§ We want the smallest image possible, when we load it across 100 hosts

§ The smaller the image, the less exposure for potential vulnerabilities

SLIDE 22

SLIDE 23

§ As we move to devops, developers are being exposed to the secops work of vuln/patch management

SLIDE 24

SLIDE 25

Understand CVSS v2

SLIDE 26

SLIDE 27

SLIDE 28

@johnlkinsella http://layeredinsight.com

SLIDE 29

§ Dogs from Last Week Tonight’s Real Animals, Fake Paws

§ Cats from:

§ http://i.telegraph.co.uk/multimedia/archive/02830/cat_2830677b.jpg

§ http://imgur.com/gallery/KWvtdg0

§ http://imgur.com/gallery/2u6BW