|
| 1 | +# Taming Vulnerability Chaos |
| 2 | + |
| 3 | +> Taming vulnerability chaos across the multiverse of kubernetes and edge |
| 4 | +
|
| 5 | +## The problem |
| 6 | + |
| 7 | +From virus scanners to binary scanners, they scan binary signatures, file patterns and resource usage. CVE scanners |
| 8 | +have a package database and do some metadata analysis. They differ in scanning techniques. |
| 9 | + |
| 10 | +### Demo - Scanner comparison |
| 11 | + |
| 12 | +When you do scanning on images, use digest pinning and always assume that image tags are mutable. |
| 13 | +When scanning images with Grype and Trivy, they differ in output, most notably on the vulerabilities without a fix. |
| 14 | +Trivy does not support vulnerabilities without a fix for alpine. This gives a false sense of security. |
| 15 | + |
| 16 | +### Demo - SBOMs |
| 17 | + |
| 18 | +Software Bill Of Materials describe all software and dependencies used. Why do this? When the next _log4j_ happens, |
| 19 | +you can quickly analyze where the code is used and which applications are impacted. |
| 20 | + |
| 21 | +### Demo - Metadata manipulation |
| 22 | + |
| 23 | +Some humans blindly trust scan results. Zero CVEs, let's use it! The demo shows that you can rename files in your image |
| 24 | +so they no longer match the CVE database. Now your image has 0 CVEs. |
| 25 | + |
| 26 | +### Demo - Sigstore |
| 27 | + |
| 28 | +When pusing the image to the registry, sign the digest because tags are mutable. Use sigstore in combination with Kubernetes |
| 29 | +admission controller to validate the images are not tampered with. |
| 30 | + |
| 31 | +## Conclusion |
| 32 | + |
| 33 | +- Supply chain security starts at the source |
| 34 | + - Generate SBOM during the build (apko and melange) |
| 35 | +- Use full provenance using sigstore |
| 36 | +- Reach level 3 SLSA |
| 37 | + |
| 38 | +## Links |
| 39 | + |
| 40 | +- <https://www.chainguard.dev/> |
| 41 | +- <https://github.com/aquasecurity/trivy> |
| 42 | +- <https://github.com/anchore/grype> |
| 43 | +- <https://www.chainguard.dev/unchained/introducing-wolfi-the-first-linux-un-distro-designed-for-securing-the-software-supply-chain> |
| 44 | +- <https://www.sigstore.dev/> |
| 45 | +- <https://slsa.dev/> |
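Review bot: the scanner-comparison section asserts that Trivy "does not support vulnerabilities without a fix for alpine" without recording which Trivy and Grype versions were used, which images (by digest) were scanned, or which option, if any, controls reporting of unfixed findings; scanner defaults change between releases, so without those details the "false sense of security" conclusion cannot be reproduced or re-checked later. Suggest adding the version and digest used in the demo next to that claim. Smaller points: "vulerabilities" → "vulnerabilities", "pusing" → "pushing", "kubernetes" → "Kubernetes" in the subtitle, and "Use full provenance using sigstore" reads awkwardly (e.g. "Generate and verify provenance with sigstore"). In the digest-pinning sentence, one example of the reference form (`registry/image@sha256:<digest>` rather than `registry/image:tag`) would make the advice concrete. In the metadata-manipulation demo, the takeaway would be stronger with a closing sentence that a zero-CVE result from a metadata-driven scanner is only as trustworthy as the package metadata, and that the mitigation is the build-time, signed SBOM already described in the SBOM and Sigstore sections rather than trusting the scan output on its own.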