We understand that different people have different understandings - PowerPoint PPT Presentation

§ We understand that different people have different understandings for the meaning of the word “fun.” We believe that Mr. Kinsella has prepared this talk with true intention to provide a entertaining look into what many (including us) would consider an impossibly dry subject. Information security is bad enough – have you ever looked at Seccomp? He’s giving a talk on that on Wednesday, we guess they had extra rooms at the conference? We thought some of our contracts were bad! Anyways, point is – by reading this text and continuing to remain in the conference hall, you hereby understand that this guy (can be) funny and he’s going to try and make this a fun talk, but you waive your right for recourse in the event you do not emit nary a giggle.

• 20 years in security industry • Previously wrote a vulnerability scanner for Linux, Solaris, Windows • Long open source history • Active in Cloud Security Alliance • Founder and CTO of Layered Insight

• Fun! • Scanning Overview • Discuss a few tools • How to minimize vulnerabilities in your images • Vulnerability triage

§ The previous slide depicted a sample of logos representing products and vendors in the information security space who claim to provide software or services capable of determining the presence of vulnerable software in a given computer system. As this is a sample set, some vendors or products may not have been listed. Logos which are displayed may differ in size; This is due to laziness on the part of Mr. Kinsella, and is not to be interpreted as a comment on the market share, company size, or effectiveness of any particular logo or representative product. This goes for the next slide, as well. He’s an engineer. They’re lazy. He’ll probably file a pull request on this slide deck next week for a basic typo. Don’t look at me like that. How am I supposed to know how to merge a patch on a PowerPoint file?

http://thenewstack.io/draft-vulnerability-scanners/

§ Network based shows vulnerabilities exposed to the network (running services not protected by firewalls) § Host based shows vulnerabilities in installed sw – doesn’t have to be running Host Network

§ A container image is made up of layers – to get a real understanding of the vulnerability stance of an image, need to assess each layer Image: Docker

§ Vulnerability databases are specific to OS distributions, understands versions much better

(from https://github.com/coreos/clair/ )

(from https://people.canonical.com/~ubuntu-security/cve/pkg/glibc.html )

§ Don’t use from:debian, unless really needed

§ We want the smallest image possible, when we load it across 100 hosts § The smaller the image, the less exposure for potential vulnerabilities

§ As we move to devops, developers are being exposed to the secops work of vuln/patch management

Understand CVSS v2

@johnlkinsella http://layeredinsight.com

§ Dogs from Last Week Tonights Real Animals, Fake Paws § Cats from: § http://i.telegraph.co.uk/multimedia/archive/02830/cat_2830677b.jpg § http://imgur.com/gallery/KWvtdg0 § http://imgur.com/gallery/2u6BW