

2018_Ottawa_Q2_CNCF_Meetup Key Considerations for Image Admittance within K8s

With Containers, the responsibility of security shifts to DevOps. Aqua Security will walk through the risks and factors you can control pertaining to Image Admittance in a Kubernetes environment.

cncf-canada-meetups

May 18, 2018

Transcript

  1. Attack surface: VM vs. container

                      VM                           CONTAINER
     Dev cycles       Infrequent, major releases   Continuous deployment
     Scale            10x per host, weeks/months   1000x per host, hours/days
     Connectivity     Few apps, few nodes          Dozens of interconnected microservices
  2. FROM jboss/base-jdk:8
     ENV WILDFLY_VERSION 12.0.0.Final
     ENV WILDFLY_SHA1 b2039cc4979c7e50a0b6ee0e5153d13d537d492f
     ENV JBOSS_HOME /opt/jboss/wildfly
     USER root
     RUN cd $HOME \
         && curl -O https://download.jboss.org/wildfly/$WILDFLY_VERSION/wildfly-$WILDFLY_VERSION.tar.gz \
         && sha1sum wildfly-$WILDFLY_VERSION.tar.gz | grep $WILDFLY_SHA1 \
         && tar xf wildfly-$WILDFLY_VERSION.tar.gz \
         && mv $HOME/wildfly-$WILDFLY_VERSION $JBOSS_HOME \
         && rm wildfly-$WILDFLY_VERSION.tar.gz \
         && chown -R jboss:0 ${JBOSS_HOME} \
         && chmod -R g+rw ${JBOSS_HOME}
     ENV LAUNCH_JBOSS_IN_BACKGROUND true
     USER jboss
     EXPOSE 8080
     CMD ["/opt/jboss/wildfly/bin/standalone.sh", "-b", "0.0.0.0"]
  3. Vulnerability (computing), from Wikipedia, the free encyclopedia: In computer security, a vulnerability is a weakness which can be exploited by a Threat Actor, such as an attacker, to perform unauthorised actions within a computer system. Vulnerabilities are the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
  4. Vulnerabilities are the intersection of three elements:
     ▪ a system susceptibility or flaw
     ▪ attacker access to the flaw
     ▪ attacker capability to exploit the flaw
  5. FROM debian:jessie-slim
     RUN apt-get update && apt-get -y install ca-certificates
     ADD https://get.aquasec.com/microscanner /
     RUN chmod +x microscanner
     ARG token
     RUN /microscanner ${token} && rm /microscanner
  6. {
       "name": "CVE-2016-7444",
       "description": "\nThe gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left by gnutls_malloc.\nA flaw was found in the way GnuTLS validated certificates using OCSP responses. This could falsely report a certificate as valid under certain circumstances.",
       "nvd_score": 5,
       "nvd_score_version": "CVSS v2",
       "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
       "nvd_severity": "medium",
       "nvd_url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7444",
       "vendor_score": 4.3,
       "vendor_score_version": "CVSS v2",
       "vendor_vectors": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
       "vendor_severity": "low",
       "vendor_url": "https://access.redhat.com/security/cve/CVE-2016-7444",
       "publish_date": "2016-09-27",
       "modification_date": "2018-01-04",
       "fix_version": "3.3.26-9.el7",
       "solution": "Upgrade package gnutls to version 3.3.26-9.el7 or above."
     }
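A record like the one above is what the scanner hands back; image admittance means turning such records into an admit or deny decision before the image reaches the cluster. The following is an added example, not code from the deck or from Aqua's tooling: a small Python policy run over a constructed scan result that contains the slide's CVE-2016-7444 record (description dropped), with the thresholds and the NVD-versus-vendor preference as assumptions.

```python
import json

# Severity scale used in the scanner record on the slide, lowest to highest.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scan result: the slide's CVE-2016-7444 record with the
# description dropped; only the fields the policy reads are kept.
SAMPLE_SCAN = json.loads("""[
  {"name": "CVE-2016-7444",
   "nvd_severity": "medium",
   "vendor_severity": "low",
   "fix_version": "3.3.26-9.el7",
   "solution": "Upgrade package gnutls to version 3.3.26-9.el7 or above."}
]""")


def effective_severity(vuln, prefer_vendor=False):
    """Choose the rating that drives the decision. NVD rates the upstream flaw;
    the vendor (Red Hat here) rates its own build, which may carry backports,
    so the two can legitimately disagree, as they do on the slide."""
    nvd = vuln.get("nvd_severity", "").lower()
    vendor = vuln.get("vendor_severity", "").lower()
    if prefer_vendor and vendor in SEVERITY_RANK:
        return vendor
    if nvd in SEVERITY_RANK:
        return nvd
    return vendor if vendor in SEVERITY_RANK else "unrated"


def admit_image(scan, block_at="high", block_fixable_at="medium",
                prefer_vendor=False):
    """Return (admitted, reasons). Deny on any finding rated at or above
    block_at, on any finding at or above block_fixable_at that already has a
    fix_version (a patched package exists, so rebuild instead of shipping it),
    and on findings with no usable rating (fail closed)."""
    reasons = []
    for vuln in scan:
        name = vuln.get("name", "<unnamed>")
        sev = effective_severity(vuln, prefer_vendor)
        if sev not in SEVERITY_RANK:
            reasons.append(f"{name}: no usable severity rating")
            continue
        rank = SEVERITY_RANK[sev]
        if rank >= SEVERITY_RANK[block_at]:
            reasons.append(f"{name}: {sev} is at or above block threshold {block_at}")
        elif vuln.get("fix_version") and rank >= SEVERITY_RANK[block_fixable_at]:
            reasons.append(f"{name}: {sev} with fix available ({vuln['fix_version']})")
    return not reasons, reasons


if __name__ == "__main__":
    for prefer in (False, True):
        ok, why = admit_image(SAMPLE_SCAN, prefer_vendor=prefer)
        print(f"prefer_vendor={prefer}: {'ADMIT' if ok else 'DENY'} {why}")
```

With the slide's record, trusting NVD denies the image because a fixed gnutls package exists, while trusting the vendor's "low" rating admits it; which source a policy trusts is a decision to make explicitly, not by default.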