Malicious Compliance Automated: When You Have 4000 Vulnerabilities and only 24 Hours Before Release
2024-11-10, Theater

You know that feeling when you think you are done, but then you realize you are not even close and you don't have time to do anything about it?

In this talk we'll go on a journey with a developer who has just finished his application. He's happy because he's done early and there are still 24 hours before the application has to be released, but then he learns that he has 4000 vulnerabilities in his application and there's no way he'll be able to fix them all. He needs a miracle, and whatever it is, it needs to be automated.

We'll explore the good, the bad and the fun of minifying container images. We'll see the side effects of image minification on existing vulnerability scanners and exploits, and how both get disrupted and broken. We'll also investigate a number of additional container obfuscation techniques that leave vulnerability scanners completely blind.

You will learn what it takes to build minimal container images and how to make sure you ship only the components you need, reducing the attack surface of your containers. You will learn what is truly necessary for your containers to function. You will also learn how container image minification can be automated by leveraging low-level Linux kernel interfaces and application analysis.

The vulnerability scanner limitations exposed in this talk shouldn't exist. They exist because users don't demand something better. The call to action in this talk is to ask for better products and not to accept the status quo. It's time for change!

Talk highlights:
* Minimal container images and their benefits.
* Building minimal container images manually, with distroless base images, and with DockerSlim.
* How automated minification in DockerSlim breaks vulnerability scanners.
* How vulnerability scanners work.
* Advanced obfuscation techniques that break the major vulnerability scanners (Clair, Docker Scout, Snyk, Grype, Trivy, OSV-Scanner) and SBOM scanners (Syft, CDXGen).

Kyle is the creator of DockerSlim (aka SlimToolkit), a popular tool to inspect, optimize and debug containers. He's the founder/CEO of AutonomousPlane.dev and he's also the founder/CTO of Slim.AI. He's building an AI agent to automatically fix vulnerabilities in cloud native application dependencies. Kyle has been building applications and platforms using many different programming languages since the early days of cloud computing. He’s been involved in security for more than two decades wearing many different hats as a builder, breaker and defender.