

"Breaking Bad: Container Security is Broken" - A Hacker's Guide to Finding Real Threats

This talk reveals how to cut through the noise using layer-aware analysis and threat intelligence (CISA KEV, EPSS) to identify the vulnerabilities that actually matter - turning security from "crying wolf" into actionable fixes developers implement same-day.


Shivam Saraswat

December 05, 2025


Transcript

  1. "Breaking Bad: Container Security is Broken": A Hacker's Guide to Finding Real Threats
     Shivam Saraswat | BSides Vizag 2025
  2. Your Guide: Shivam Saraswat
     Senior Cybersecurity Engineer at PayPal
     3.5+ years of experience leading DevSecOps and cybersecurity
     Track record: PayPal, IKEA, Tekion, and BreachLock
     Core expertise: container security, SAST/SCA, CI/CD security
  3. Our Journey Today: Unmasking Container Threats
     Here's what we'll cover to equip you for the container security rebellion:
     01 Exposing the Lies: we kick things off with a live demo and dissect why conventional vulnerability scoring fails to capture real threats.
     02 Deep Dive into Layers: understand the deceptive nature of container layers and witness a live analysis of hidden vulnerabilities.
     03 The Smart Solution: discover the "Smart Scanner" and learn how to build your ultimate rebellion toolkit, including a live GitHub Actions demo.
     04 Real-World Impact: explore the practical implications for enterprises.
  4. The Chaos Demo
     A live demo showing a flood of CVE listings from nginx:1.21.1-alpine. "Which one would you fix first?" Most teams pick the highest CVSS score, but reality shows they're probably wrong.
  5. The CVSS Lie
     What vendors want you to believe:
       CVSS 9.8 = CRITICAL! DROP EVERYTHING!
       CVSS 4.2 = Meh, fix it next quarter
     What hackers know:
       CVE-2024-6387 (CVSS 8.1): requires precise timing for a race condition (~10,000 attempts)
       CVE-2021-26829 (CVSS 5.4): simple XSS injection; one payload, auto-executes on page visit
     "CVSS was never designed for containers. We're using a hammer to perform surgery."
     Sources: Splunk, "CVE-2024-6387 Regresshion Vulnerability"; Palo Alto Networks Unit 42, "Threat Brief: CVE-2024-6387"; The Hacker News, "CISA Adds Actively Exploited XSS Bug to KEV Catalog"
  6. The Real Threat Landscape
     CISA KEV (Known Exploited Vulnerabilities): 1400+ actively exploited CVEs; many have "medium" CVSS scores; these are what attackers ACTUALLY use.
     EPSS score reality check: predicts the 30-day exploitation probability; often contradicts CVSS severity; machine learning > marketing scores.
     VulnCheck KEV: enhanced vulnerability intelligence; broader coverage than CISA alone (3600+).
     Others: SSVC (Stakeholder-Specific Vulnerability Categorization), LEV (Likely Exploited Vulnerabilities), etc.
  7. Container Layer Deception
     What you think you're scanning:
     What you're actually scanning:
     Each layer = unique SHA = different risk profile
  8. The Base Layer Problem
     One vulnerable base image = mass infection.
     Example: ubuntu:20.04 with an OpenSSL vulnerability used in 1,247 images. Traditional scanners report it 1,247 times.
     Fix: update ONE base layer. Time saved: weeks → hours.
  9. Layer Analysis
     Use Docker tools to inspect layers and Trivy to map vulnerabilities.

       $ docker inspect myapp:latest | jq '.[].RootFS.Layers'
       [
         "sha256:7c3b88808835892...",   # Base Ubuntu layer
         "sha256:2f57ca9b3b442a1...",   # Nginx installation
         "sha256:8b15606a9e3e430..."    # Config and cleanup
       ]

       # `[]?` skips Results entries that have no Vulnerabilities key instead of erroring
       $ trivy image --format json nginx:latest \
           | jq '.Results[].Vulnerabilities[]? | select(.Layer).Layer.DiffID' | sort -u

     The revelation:
       sha256:7c3b88 (base): 47 vulnerabilities affecting 200+ images
       sha256:2f57ca (nginx): 3 vulnerabilities specific to this build
       sha256:8b1560 (config): 0 vulnerabilities, just configuration
     Which layer would you fix first now?
  10. The Smart Scanner

       $ trivy image myapp:latest
       Total: 847 vulnerabilities (CRITICAL: 23, HIGH: 156...)

      Traditional approach: the full 847-finding list above.
      Hacker approach, layer-mapped analysis: developers actually fix vulnerabilities instead of ignoring security noise.
  11. Building Your Rebellion Toolkit
      (1) Built-in tools: docker inspect (layer SHA extraction), jq (JSON parsing for correlation), trivy (vulnerability scanning with layer info)
      (2) External intelligence sources: EPSS API (real threat intelligence), CISA KEV feed (actually exploited CVEs)
      The layer-to-vulnerability mapping:

        # Extract layers
        docker inspect "$IMAGE" | jq '.[].RootFS.Layers'

        # Get vulnerabilities with layer context (`[]?` tolerates Results without findings)
        trivy image --format json "$IMAGE" | \
          jq '.Results[].Vulnerabilities[]? | { cve: .VulnerabilityID, layer: .Layer.DiffID, severity: .Severity, package: .PkgName }'
  12. Live GitHub Actions Demo
      This GitHub Actions workflow integrates the "hacker way" of container vulnerability analysis directly into your CI/CD pipeline, demonstrating how to move beyond overwhelming traditional reports.

        name: Smart Container Security (with VulnSort)
        on: [push, pull_request]
        env:
          IMAGE: myapp:latest
        jobs:
          security-scan:
            runs-on: ubuntu-latest
            steps:
              - name: Run Trivy scan                 # Traditional way (broken)
                uses: aquasecurity/trivy-action@master
                with:
                  image-ref: ${{ env.IMAGE }}        # 847 results
              - name: Smart vulnerability analysis   # Hacker way (working)
                uses: shivamsaraswat/VulnSort@main   # 3 real threats

      The result is a drastic reduction in reported vulnerabilities, enabling developers to focus on actual, exploitable threats rather than ignoring the security noise generated by traditional scanning methods.
      Tool: VulnSort on GitHub. Demo: Demo on GitHub.
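The correlation that slides 9, 11 and 12 describe in jq and YAML, written out as an added Python example so the logic can be read end to end. This is not VulnSort and not the speaker's bash script; it reproduces the idea only. The Trivy report, the KEV feed and the EPSS response are constructed inline (their field names follow the real `trivy image --format json`, CISA KEV JSON and FIRST EPSS API formats), the `CVE-EXAMPLE-*` identifiers, package names and EPSS values are placeholders, and the 0.1 EPSS threshold is an assumed cut-off, not one the talk gives:

```python
import json

# Layer DiffIDs exactly as the `docker inspect` output on slide 9 shows them.
BASE_LAYER = "sha256:7c3b88808835892..."
NGINX_LAYER = "sha256:2f57ca9b3b442a1..."
CONFIG_LAYER = "sha256:8b15606a9e3e430..."
IMAGE_LAYERS = [BASE_LAYER, NGINX_LAYER, CONFIG_LAYER]  # jq '.[].RootFS.Layers'

# Constructed, trimmed-down Trivy report using the real field names of
# `trivy image --format json`. CVE-EXAMPLE-* ids and package names are placeholders.
TRIVY_JSON = json.dumps({"Results": [
    {"Target": "myapp:latest (alpine)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-6387", "PkgName": "openssh-server",
         "Severity": "HIGH", "Layer": {"DiffID": BASE_LAYER}},
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl",
         "Severity": "CRITICAL", "Layer": {"DiffID": BASE_LAYER}},
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "zlib",
         "Severity": "LOW", "Layer": {"DiffID": BASE_LAYER}},
        {"VulnerabilityID": "CVE-2021-26829", "PkgName": "webui",
         "Severity": "MEDIUM", "Layer": {"DiffID": NGINX_LAYER}},
        {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "curl",
         "Severity": "HIGH", "Layer": {"DiffID": NGINX_LAYER}},
    ]},
    {"Target": "app/requirements.txt"},  # a Result with no Vulnerabilities key
]})

# Constructed stand-ins for the two free feeds. The CISA KEV JSON carries a
# "vulnerabilities" array with "cveID"; the FIRST EPSS API answers with
# {"data": [{"cve": ..., "epss": "0.55", ...}]} (scores arrive as strings).
KEV_JSON = json.dumps({"vulnerabilities": [{"cveID": "CVE-2021-26829"}]})
EPSS_JSON = json.dumps({"data": [
    {"cve": "CVE-2024-6387", "epss": "0.02000"},
    {"cve": "CVE-2021-26829", "epss": "0.55000"},
    {"cve": "CVE-EXAMPLE-0001", "epss": "0.00100"},
    {"cve": "CVE-EXAMPLE-0002", "epss": "0.40000"},
    {"cve": "CVE-EXAMPLE-0003", "epss": "0.05000"},
]})

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}


def load_vulns(report_json):
    """Flatten a Trivy report into dicts of cve, package, severity, layer.
    Results without a Vulnerabilities key are skipped, which is what the jq
    form `.Results[].Vulnerabilities[]?` does."""
    vulns = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            vulns.append({
                "cve": v["VulnerabilityID"],
                "package": v.get("PkgName", ""),
                "severity": v.get("Severity", "UNKNOWN"),
                "layer": (v.get("Layer") or {}).get("DiffID", "unknown"),
            })
    return vulns


def parse_kev(kev_json):
    """Set of CVE ids CISA lists as actively exploited."""
    return {entry["cveID"] for entry in json.loads(kev_json)["vulnerabilities"]}


def parse_epss(epss_json):
    """Map CVE id -> EPSS probability (float) from an EPSS API response."""
    return {row["cve"]: float(row["epss"]) for row in json.loads(epss_json)["data"]}


def count_by_layer(layers, vulns):
    """Vulnerability count per layer in image order; clean layers show 0."""
    counts = {layer: 0 for layer in layers}
    for v in vulns:
        counts[v["layer"]] = counts.get(v["layer"], 0) + 1
    return counts


def prioritize(vulns, kev_ids, epss_scores):
    """Rank findings: anything in KEV first, then EPSS descending, then CVSS
    severity as the tie-breaker. Each dict is annotated with kev/epss."""
    ranked = [{**v, "kev": v["cve"] in kev_ids,
               "epss": epss_scores.get(v["cve"], 0.0)} for v in vulns]
    ranked.sort(key=lambda v: (not v["kev"], -v["epss"],
                               SEVERITY_RANK.get(v["severity"], 4)))
    return ranked


def real_threats(ranked, epss_threshold=0.1):
    """The short list a developer is asked to fix today: KEV-listed or EPSS >= threshold."""
    return [v for v in ranked if v["kev"] or v["epss"] >= epss_threshold]


def ci_exit_code(threats):
    """Pipeline gate: fail the job (1) only when real threats remain."""
    return 1 if threats else 0


if __name__ == "__main__":
    vulns = load_vulns(TRIVY_JSON)
    for layer, n in count_by_layer(IMAGE_LAYERS, vulns).items():
        print(f"{layer[:13]}: {n} vulnerabilities")
    ranked = prioritize(vulns, parse_kev(KEV_JSON), parse_epss(EPSS_JSON))
    threats = real_threats(ranked)
    print(f"Total: {len(vulns)}, real threats: {len(threats)}")
    for v in threats:
        why = "CISA KEV" if v["kev"] else f"EPSS {v['epss']:.2f}"
        print(f"  {v['cve']} ({v['severity']}, {v['package']}) in {v['layer'][:13]}: {why}")
    raise SystemExit(ci_exit_code(threats))
```

On the constructed data the CRITICAL libssl finding drops to the bottom of the list while a LOW-severity zlib finding with a high EPSS score and the KEV-listed medium XSS rise to the top, which is the inversion of CVSS ordering the talk is about. The per-layer count puts three of the five findings in the base layer, so a base-image bump is the single fix with the widest effect. In a real pipeline the two feeds would be fetched instead of embedded, and the non-zero exit code is what makes the "smart" step block a merge.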
  13. Real-World Impact
      Before smart prioritization: 847 vulnerabilities reported. Devs say: "Security team crying wolf again." Fix time for criticals: 3-6 months. Actual security: terrible.
      After layer-aware prioritization: 3 real threats identified. Devs say: "Holy sh!t, fix this now!" Fix time for criticals: same day. Actual security: dramatically improved.
  14. The Enterprise Reality Check
      Most security vendors want you to believe that effective container security requires expensive, complex platforms. But what do you actually need?
      What security vendors sell you: an AI-powered vulnerability management platform, $50,000/year for advanced threat detection, executive dashboards with pretty graphs.
      What you actually need: 150 lines of bash script, the CISA KEV feed (free), the EPSS API (free), container layer awareness.
      Cost difference: $50,000/year → $0
  15. Summary
      Traditional scanning: ineffective, noisy, CVSS-focused.
      CISA KEV & EPSS: threat-informed prioritization.
      Layer analysis: identify vulnerable image layers.
      Smart Scanner: contextual, efficient detection.
      This diagram outlines the critical shift needed in container security, moving from overwhelming and often misleading traditional scanning methods to a precise, threat-informed approach.
  16. Get the Slides!
      Scan this QR code to download the presentation slides, or go to https://speakerdeck.com/shivamsaraswat.
  17. Let's Connect
      Shivam Saraswat
      LinkedIn: linkedin.com/in/shivamsaraswat
      Website: shivamsaraswat.com
      Blog: blog.shivamsaraswat.com
      Feel free to reach out with any questions or for further discussion on container security!