Duffie Cooley

The speaker's profile picture

Sessions

11-10
09:40
30min
Malicious Compliance Automated: When You Have 4000 Vulnerabilities and only 24 Hours Before Release
Duffie Cooley, Kyle Quest

You know that feeling when you think are done, but then you realize you are not even close and you don't have time to do anything about it?

In this talk we'll go on a journey with a developer, who just finished his application. He's happy because he's done early and there's still 24 hours before the application has to be released, but then he learns that he has 4000 vulnerabilities in his application and there's no way he'll be able to fix them all. He needs a miracle and whatever it is it needs to be automated.

We'll explore the good, the bad and the fun of minifying container images. We'll see the side effects of image minification on the existing vulnerability scanners and exploits and how they will be disrupted and broken. We'll also investigate a number of additional container obfuscation techniques that will make vulnerability scanners completely blind.

You will learn what it takes to build minimal container images and how to make sure you have only the components you need to reduce the attack surface of your containers. You will learn about what's truely necessary for your containers to function. You will also learn how it's possible to automate container image minification leveraging low level Linux kernel interfaces and application analysis.

The vulnerability scanner limitations exposed in this talk shouldn't be there. They are there because users don't demand something better. The call to action in this talk is to ask for better products and not to accept the current status quo. It's time for change!

Theater