Slide 1

What’s so hard about vulnerability scanning?
Liz Rice, @LizRice | @AquaSecTeam
Copyright © 2017 Aqua Security Software Ltd. All Rights Reserved.

Slide 2


Slide 3

Software vulnerabilities

Slide 4

Common Vulnerabilities & Exposures

Slide 5


Slide 6

Heartbleed

Slide 7


Slide 8

Image vulnerability scanning
■ Identify the packages & versions in the image
■ Cross-reference with vulnerability database
■ Profit
Sounds easy!

Slide 9

Linux, distributions & container images

Slide 10

Linux distributions
■ The Linux Kernel is A Thing
■ And then there are distributions: kernel +
  ■ shell
  ■ init system
  ■ package manager
  ■ GUI
  ■ …

Slide 11

Linux distributions

                        | Debian                    | Ubuntu                    | OpenSUSE                | Alpine                     | Arch Linux
Default GUI             | GNOME                     | GNOME (prev. Unity)       | KDE                     | None                       | None
Default Shell           | dash                      | bash                      | bash                    | busybox sh                 | bash
Default Editor          | nano                      | vim                       | vim                     | busybox vi                 | vim
Default Init System     | systemd (prev. SysV)      | systemd (prev. Upstart)   | systemd (prev. SysV)    | busybox init               | systemd (prev. SysV)
Default Package Manager | deb                       | deb                       | rpm                     | apk                        | pacman
Release Model           | Fixed, infrequent updates | Fixed, infrequent updates | Fixed, frequent updates | Fixed, relatively frequent | Rolling, constant updates

Slide 12

Container images
(diagram: three images, each a partial root filesystem)
Image 1: /bin /lib /usr /opt /var
Image 2: /bin /lib /usr /var
Image 3: /bin /opt /usr /var
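A container image has no kernel of its own, so a scanner has to work out which distribution an image was built from by looking at /etc/os-release and at which package manager's database is present in the image (the "Default Package Manager" row of the table above), and then read the package list in that format. The following is an added example, not code from the talk: it builds a constructed, minimal Alpine-style image root in a temporary directory, identifies the distribution, and parses Alpine's installed-package database. The database path table, the os-release handling and the apk record format are this example's own assumptions about those formats, and the package versions (busybox 1.27.2-r7, musl 1.1.18-r2) are placeholders.

```python
# Added example, not from the talk. The image root built below is a CONSTRUCTED
# stand-in for an unpacked Alpine image; paths and versions are placeholders.
import os
import tempfile
from typing import Dict, Optional, Tuple

# An image carries no kernel, so the distribution is identified from /etc/os-release
# and from which package manager's database is present (cf. the distributions table).
PACKAGE_DBS = {
    "debian": "var/lib/dpkg/status",
    "ubuntu": "var/lib/dpkg/status",
    "alpine": "lib/apk/db/installed",
    "arch": "var/lib/pacman/local",
}

def read_os_release(root: str) -> Dict[str, str]:
    """Parse KEY=value lines (values optionally quoted) from <root>/etc/os-release."""
    info: Dict[str, str] = {}
    path = os.path.join(root, "etc", "os-release")
    if not os.path.isfile(path):
        return info
    with open(path) as f:
        for line in f:
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                info[key] = value.strip('"')
    return info

def identify(root: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (distro id, package database path), or (None, None) if unrecognised."""
    distro = read_os_release(root).get("ID")
    candidates = [distro] if distro else list(PACKAGE_DBS)   # no os-release: probe for a db
    for name in candidates:
        rel = PACKAGE_DBS.get(name)
        if rel and os.path.exists(os.path.join(root, rel)):
            return name, os.path.join(root, rel)
    return None, None

def parse_apk_installed(path: str) -> Dict[str, str]:
    """Map package -> version from Alpine's installed db: blank-line separated records
    of 'X:value' lines, where P: is the package name and V: its version."""
    packages: Dict[str, str] = {}
    record: Dict[str, str] = {}
    with open(path) as f:
        for line in list(f) + [""]:               # trailing "" flushes the last record
            line = line.rstrip("\n")
            if not line:
                if "P" in record:
                    packages[record["P"]] = record.get("V", "")
                record = {}
            elif len(line) > 1 and line[1] == ":":
                record[line[0]] = line[2:]
    return packages

def inventory(root: str) -> Dict[str, str]:
    """Package inventory for the image at <root>; only the apk format is parsed here."""
    distro, db = identify(root)
    if distro == "alpine":
        return parse_apk_installed(db)
    raise NotImplementedError(f"no package-db parser for {distro!r} in this example")

def build_fake_alpine_root() -> str:
    """Create a throwaway directory laid out like a minimal Alpine image (CONSTRUCTED)."""
    root = tempfile.mkdtemp(prefix="image-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "lib", "apk", "db"))
    with open(os.path.join(root, "etc", "os-release"), "w") as f:
        f.write('NAME="Alpine Linux"\nID=alpine\nVERSION_ID=3.7.0\n')
    with open(os.path.join(root, "lib", "apk", "db", "installed"), "w") as f:
        # busybox 1.27.2 echoes the later case study; the -rN revision and musl are placeholders
        f.write("C:Q1PLACEHOLDER=\nP:busybox\nV:1.27.2-r7\nA:x86_64\n\n"
                "C:Q1PLACEHOLDER=\nP:musl\nV:1.1.18-r2\nA:x86_64\n")
    return root

if __name__ == "__main__":
    root = build_fake_alpine_root()
    print(identify(root))
    print(inventory(root))
```

The fallback in identify() matters for the kind of stripped-down image shown in the diagram: when /etc/os-release is missing, the presence of a particular package database is the only remaining hint, and an image with none of them (a scratch image holding a single static binary) is correctly reported as unrecognised rather than guessed.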

Slide 13

Linux & software packages

Slide 14

How does software get into a Linux distribution?
(flow diagram) Upstream → Distribution → Package repository
■ Upstream: 3rd-party developers write source
■ Distribution: compiled & packaged
  ■ Enable / disable features
  ■ Link with libraries
  ■ Re-package
  ■ Fix bugs that aren’t in upstream
  ■ Apply security patches
■ Package repository: binary distribution

Slide 15

Case study: Debian - focus on stability
■ New versions may take months to reach the package repositories
■ Often don’t want to update to latest version for an upstream fix to a security vulnerability
■ Debian often backports security fixes to older versions and repackages them

Slide 16

Case study: Debian / CVE-2017-8807
■ NVD reports this in Varnish HTTP Cache versions 4.0.0 - 5.2.0

Slide 17

Case study: Debian / CVE-2017-8807
■ NVD reports this in Varnish HTTP Cache versions 4.0.0 - 5.2.0
■ Debian applied patch to 5.0.0

Slide 18

Case study: Alpine / busybox 1.27.2

Slide 19

Case study: Alpine / busybox 1.27.2
(annotated screenshot of the package’s patch list)
Patches for the known vulnerabilities
Other patches not known to NVD

Slide 20

Vendor security advisories
(annotated screenshot of a vendor advisory)
Only affects server component
NVD doesn’t know that

Slide 21

Not all scanners are created equal

Slide 22

Not all scanners are created equal
Information sources / advisories
■ NVD
■ Distributions
■ Vendors
■ Languages
■ Whitesource
Scanning techniques
■ Layer-by-layer or image
Functionality
■ Malware
■ File scanning
■ Windows

Slide 23

Microscanner preview

Slide 24

Microscanner - package vulnerability scanning
■ Runs as part of build
■ Contacts Aqua Security cyber-center vulnerability database
■ Free!

Example Dockerfile:

    # ca-certificates lets the scanner reach the vulnerability service over HTTPS
    FROM debian:jessie-slim
    RUN apt-get update && apt-get -y install ca-certificates
    # fetch the scanner binary into the image root and make it executable
    ADD https://get.aquasec.com/microscanner /
    RUN chmod +x /microscanner
    # token is supplied at build time with --build-arg; the scan is a build step
    # and the binary is removed afterwards so it does not ship in the image
    ARG token
    RUN /microscanner ${token} && rm /microscanner

Slide 25

Thank you! @LizRice | @AquaSecTeam