Taming Vulnerability Chaos

Taming vulnerability chaos across the multiverse of Kubernetes and edge

The problem

Scanners differ in their scanning techniques. Virus scanners and binary scanners match binary signatures, file patterns and resource usage, while CVE scanners consult a package database and do some metadata analysis of the installed packages.

Demo - Scanner comparison

When scanning images, pin them by digest and always assume that image tags are mutable. Grype and Trivy differ in their output for the same image, most notably on vulnerabilities that have no fix: Trivy does not report unfixed vulnerabilities for Alpine, which gives a false sense of security.
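To make that scanner difference visible, the following script (an added example, not part of the talk or of either tool) loads Grype and Trivy JSON output for the same image, normalizes both to (CVE, package) pairs, and lists the unfixed findings that one scanner reports and the other omits. The field names follow the scanners' JSON formats as this example assumes them; the two scan results are constructed, with placeholder CVE identifiers.

```python
"""Compare Grype and Trivy findings for one image (added example)."""
import json

# Constructed Grype output (abridged): one fixed and one unfixed finding.
# Assumed Grype field layout: matches[].vulnerability.{id,fix.state} and
# matches[].artifact.name; CVE ids are placeholders, not real advisories.
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                       "fix": {"versions": ["1.2.3"], "state": "fixed"}},
     "artifact": {"name": "libfoo", "version": "1.2.2"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "libbar", "version": "0.9.0"}},
]})

# Constructed Trivy output (abridged): only the fixable finding is listed.
# Assumed Trivy field layout: Results[].Vulnerabilities[].{VulnerabilityID,
# PkgName,FixedVersion}; an empty FixedVersion means "no fix available".
TRIVY_JSON = json.dumps({"Results": [{"Target": "alpine", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
     "InstalledVersion": "1.2.2", "FixedVersion": "1.2.3", "Severity": "HIGH"},
]}]})


def grype_findings(raw):
    """Return {(cve, package): has_fix} parsed from Grype JSON."""
    out = {}
    for m in json.loads(raw).get("matches", []):
        vuln, artifact = m["vulnerability"], m["artifact"]
        out[(vuln["id"], artifact["name"])] = vuln.get("fix", {}).get("state") == "fixed"
    return out


def trivy_findings(raw):
    """Return {(cve, package): has_fix} parsed from Trivy JSON."""
    out = {}
    for result in json.loads(raw).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # key may be absent or null
            out[(vuln["VulnerabilityID"], vuln["PkgName"])] = bool(vuln.get("FixedVersion"))
    return out


def compare(grype, trivy):
    """Return (only_in_grype, only_in_trivy, unfixed_findings_missing_from_trivy)."""
    only_grype = sorted(set(grype) - set(trivy))
    only_trivy = sorted(set(trivy) - set(grype))
    unfixed_missed = sorted(k for k in only_grype if not grype[k])
    return only_grype, only_trivy, unfixed_missed


if __name__ == "__main__":
    g, t, missed = compare(grype_findings(GRYPE_JSON), trivy_findings(TRIVY_JSON))
    print("only Grype:", g, "| only Trivy:", t)
    print("unfixed findings absent from Trivy output:", missed)
```

Running both scanners on a real image and feeding their `-o json` / `--format json` output into the two parsers shows which "no fix" findings a single scanner would have hidden from you.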

Demo - SBOMs

A Software Bill of Materials (SBOM) describes all software and dependencies used. Why do this? When the next log4j happens, you can quickly analyze where the affected code is used and which applications are impacted.

Demo - Metadata manipulation

Some humans blindly trust scan results: zero CVEs, let's use it! The demo shows that files in an image can be renamed so they no longer match the CVE database, after which the image reports 0 CVEs even though nothing vulnerable was removed.

Demo - Sigstore

When pushing the image to the registry, sign the digest, because tags are mutable. Use Sigstore in combination with a Kubernetes admission controller to validate that images have not been tampered with before they run.

Conclusion

  • Supply chain security starts at the source
    • Generate the SBOM during the build (apko and melange)
  • Use full provenance with Sigstore
  • Reach SLSA level 3