Explore vulnerability scanning in Kubernetes clusters and learn effective security measures in this comprehensive conference talk. Discover how to audit technical configurations, identify vulnerabilities, and apply patches to critical components. Delve into exploiting Kubernetes primitives for implementing robust security mechanisms, including RBAC, AdmissionController, NetworkPolicy, and SecurityContext. Enhance cluster security with Open Policy Agent for finer control and integrate Falco for detecting suspicious actions within containers and at the API Server level. Learn to implement a CI/CD pipeline with Clair for vulnerability analysis during image builds. Gain insights into penetration testing, package discovery challenges, vulnerability databases, and automating decision processes. Understand the complexities of container results, issues with specific components like libcurl and Busybox, and explore solutions such as VEX (Vulnerability Exploitability eXchange) for more accurate vulnerability assessments.
Overcoming CVE Shock - Adding Perspective in Vulnerability Scanning
Overview
Syllabus
Intro
Survey
Why Vulnerability Scanning
Penetration Testing vs Vulnerability Scanning
What is Vulnerability Scanning
Basic Package Discovery
Problem with Basic Package Discovery
Components which dont have metadata
Debian Vulnerability Database
Google Vulnerability Database
Summary
The problem is deep
Whats happening inside Docker
The problem with container results
The problem with libcurl
The problem with Busybox
Automating the decision process
Small research
Scripting magic
Vulnerability list
Automation
What it means
Vex
What is VX
VX in action
From VX perspective
Questions
Taught by
Devoxx
