About this talk
Speaker(s): Rachana Vishwanathula
Audience: Everyone

Description: Enterprises are moving to a "shift-left" culture in which security is embedded at every stage of the development life cycle of a project or product. This talk covers the challenges of securing containerized workloads, the major risk areas, the new threat vectors that containers introduce, best practices for container security, identifying CVEs, content trust and image signing, and how to protect the application from these risks.

Some of the best practices for ensuring the security of container images are to:
• use DCT (Docker Content Trust),
• perform a VA (Vulnerability Advisor) scan on images,
• securely sign an image and enforce a policy that ensures an image can't be deployed until its signatures are found and validated.

Is there a way to automate these tasks? Yes: by setting up a CI/CD pipeline that in turn carries out these tasks every time a new change is made to the image. This talk focuses on how to continuously integrate and deliver a securely signed Docker app to a Kubernetes service.

Docker Content Trust provides strong cryptographic guarantees over what code and what versions of software are run in your infrastructure. Docker Content Trust integrates The Update Framework (TUF) into Docker by using Notary, an open-source tool that provides trust over any content, and this can be leveraged in CI/CD pipelines along with key management software. When a publisher who is using Docker Content Trust pushes an image to a remote registry, Docker Engine locally signs the image with the publisher's private key. When a user pulls this image, Docker Engine uses the publisher's public key to verify that the image is exactly what the publisher created. It also ensures that the image wasn't tampered with and that it is up to date.
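The three guarantees named above (the image is what the publisher created, it was not tampered with, and it is up to date) and the enforcement step the talk also describes (an image is not deployable until its signature validates) can be made concrete in a few dozen lines. The following is an added illustration written for this page, not code from the talk, from Docker or from Notary: it models TUF-style "targets" metadata as a tag-to-digest statement with an expiry, signs it with an Ed25519 key on the publisher side, verifies signature, freshness and content digest on the consumer side, and finally gates deployment on both the trust result and a constructed vulnerability-scan summary. The `Targets`, `SignedTargets`, `VulnReport` types, the `Admit` threshold and the sample image bytes are all assumptions made for the example; real Notary metadata and real scan reports have different shapes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Targets is a simplified stand-in for TUF "targets" metadata: the publisher
// states which content digest a tag resolves to and when that statement
// expires. The field layout is an assumption for this example, not Notary's.
type Targets struct {
	Image   string    `json:"image"`
	Tag     string    `json:"tag"`
	Digest  string    `json:"digest"` // hex SHA-256 of the image content
	Expires time.Time `json:"expires"`
}

// SignedTargets carries the serialized metadata and the publisher's signature.
type SignedTargets struct {
	Payload   []byte
	Signature []byte
}

// ImageDigest computes the content digest the metadata vouches for.
func ImageDigest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Sign is the publisher side of a trusted push: the metadata is signed with
// the publisher's private key, which never leaves the publisher's machine.
func Sign(priv ed25519.PrivateKey, t Targets) (SignedTargets, error) {
	payload, err := json.Marshal(t)
	if err != nil {
		return SignedTargets{}, err
	}
	return SignedTargets{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is the consumer side of a trusted pull. It checks, in order, that the
// signature was made by the publisher's key, that the metadata has not expired
// (freshness), and that the pulled content matches the signed digest.
func Verify(pub ed25519.PublicKey, s SignedTargets, content []byte, now time.Time) (Targets, error) {
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return Targets{}, errors.New("signature does not verify against publisher key")
	}
	var t Targets
	if err := json.Unmarshal(s.Payload, &t); err != nil {
		return Targets{}, err
	}
	if now.After(t.Expires) {
		return Targets{}, errors.New("trust metadata expired; refusing stale image")
	}
	if ImageDigest(content) != t.Digest {
		return Targets{}, errors.New("image content does not match signed digest")
	}
	return t, nil
}

// VulnReport is a constructed stand-in for a vulnerability scan summary.
type VulnReport struct {
	Critical int
	High     int
}

// Admit is the enforcement step: an image is deployable only if its signature
// validates and its scan shows no critical findings. The threshold is an
// assumption; a real policy would be tuned to the environment.
func Admit(pub ed25519.PublicKey, s SignedTargets, content []byte, report VulnReport, now time.Time) error {
	if _, err := Verify(pub, s, content, now); err != nil {
		return fmt.Errorf("deploy blocked: %w", err)
	}
	if report.Critical > 0 {
		return fmt.Errorf("deploy blocked: %d critical vulnerabilities", report.Critical)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	content := []byte("constructed image layer bytes") // constructed sample, not a real image
	t := Targets{Image: "example/app", Tag: "1.0", Digest: ImageDigest(content),
		Expires: time.Now().Add(24 * time.Hour)}
	signed, _ := Sign(priv, t)
	fmt.Println("clean image:   ", Admit(pub, signed, content, VulnReport{}, time.Now()))
	fmt.Println("tampered image:", Admit(pub, signed, []byte("tampered layer bytes"), VulnReport{}, time.Now()))
	fmt.Println("critical CVE:  ", Admit(pub, signed, content, VulnReport{Critical: 1}, time.Now()))
}
```

The order of checks in `Verify` is deliberate: the signature is checked before the payload is parsed, so an attacker who can alter metadata in transit cannot influence parsing or the expiry comparison; the expiry check is what turns "signed by the publisher" into "signed and current", which is the freshness property TUF adds over a bare signature.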
A VA (Vulnerability Advisor) scan on images is an assessment of Docker images that identifies whether there are any OS vulnerabilities (unpatched libraries and OS components, vulnerable kernel versions), application weaknesses (SQL injection, XSS and buffer overflows), or configuration vulnerabilities (insecure OS settings such as passwords or logins, as well as network configuration, including allowing root access). This can be done with open-source tools like OpenSCAP, and there are enterprise products that offer the same functionality. This talk demonstrates how to perform these scans on Docker images in CI/CD pipelines before they are deployed. Container Image Security Enforcement (CISE) retrieves information about image content trust and vulnerabilities. This step securely signs an image and enforces a policy that ensures an image can't be deployed until its signatures are found and validated; this is achieved through image signing.

Bio: Rachana Vishwanathula is an IBMer. In her current role as Software Developer on the Hybrid Cloud Build Team, her technology focus is Hybrid Cloud Applications and IBM Cloud Paks, and her mission is to interact with IBM's Build Partner Companies and help them in their journey to hybrid cloud to build solutions that bring value to IBM's tech stack. She is also a Developer Advocate and an active member of IBM's Developer Ecosystem Group, where her mission is to enable developers on technologies such as Cloud and Cognitive, Data and AI, and Security. She has engaged with client, partner, startup, and student communities and has delivered immersive and engaging tech talks, workshops, and keynotes on a diverse set of technologies. She works with academic institutions in India and has delivered several Faculty Development Programs for colleges.