Wolfi: A Secure-by-Default Distro for Curing Container CVE Chaos (asg2023)

Published: Sept. 14, 2023, 2:30 p.m.

Are you using container images with hundreds of known vulnerabilities?

The majority of us are using images based on the Docker official images available on Docker Hub. This includes base images, such as Debian and Ubuntu, as well as application images such as nginx and redis. Unfortunately these images often have hundreds of known vulnerabilities due to excessively large dependency trees with out-of-date packages. This security debt can lead to unnecessary security risks and slower development cycles.

Wolfi (https://github.com/wolfi-dev/) is a new Linux distribution optimized for building minimal, secure container images. Wolfi maintainers prioritize a rolling release model built on a rapid package update cycle, which ensures that new vulnerabilities are remediated quickly.

This talk not only describes the problems that motivate Wolfi but also provides hands-on knowledge to help developers take advantage of Wolfi. By the end of the talk, developers will learn about packaging techniques with apko and melange, tools specifically designed to build Wolfi packages and turn them into minimal, low- or no-vulnerability containers.

Key Takeaways and Highlights

Popular, off-the-shelf base images and containers often have hundreds of known vulnerabilities ("CVEs"), which can, at worst, be a security risk and, at best, be a giant time sink.
Wolfi is a new secure-by-default Linux distribution that prioritizes rapid package updates and, by extension, a fast mean time-to-remediation for known vulnerabilities.
Packages in Wolfi can form the foundation of secure, minimal base images and containers, freeing developers from tedious vulnerability management tasks and increasing security for cloud-native applications.

Talk Outline

The Cloud-Native Application Status Quo: Bloated, Outdated, Vulnerability-Laden Images
  Containers 101
  Show the results of running security scanners against popular Docker Hub official images
    Use grype (an open source scanner) to scan golang:latest and nginx:latest. Show via command line.
  Show data and analysis on package counts, package staleness and vulnerability counts of official Docker Hub images
    Draw on six months of daily scanning results collected by the presentation team
Overview of Wolfi
  Fast package update times
  Fast vulnerability mean time-to-remediation
  Granular packages
    Wolfi packages are often packaged at a more granular level than their counterparts in other distributions, which allows developers to pick and choose only the components that are essential for an image, without dragging in unnecessary functionality and attack surface.
  Rolling release
Why not alternative approaches, either other minimal images or other distros?
  Google distroless
    Debian-based, so package updates can be slow
  Debian: slow package updates
How to build images with Wolfi packages
  Explain melange and building packages
  Example of building a package with melange
  Explain apko and building images
  Demo of building an image with apko

About this event: https://cfp.all-systems-go.io/all-systems-go-2023/talk/V9EZSS/
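As an added example (not the talk's own demo material or Wolfi project code), this is an apko configuration of the kind the "Demo of building an image with apko" step refers to: a minimal nginx image composed only from Wolfi packages. The repository and keyring URLs are Wolfi's public ones; the package names and the entrypoint path are assumptions for illustration.

```yaml
# nginx-wolfi.yaml (added example): declarative apko image config.
# apko installs exactly the listed packages plus their declared
# dependencies, so nothing beyond the web server lands in the image
# and a scanner such as grype has far less to report.
contents:
  repositories:
    # Wolfi's package repository (public)
    - https://packages.wolfi.dev/os
  keyring:
    # Public key used to verify package signatures before installation
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
  packages:
    # Assumed package names: a minimal base and the web server itself
    - wolfi-base
    - nginx
    - ca-certificates-bundle

# Assumed binary location for the Wolfi nginx package
entrypoint:
  command: /usr/sbin/nginx -g "daemon off;"

# Build for both common architectures
archs:
  - x86_64
  - aarch64
```

Build the image with `apko build nginx-wolfi.yaml nginx-wolfi:latest nginx-wolfi.tar`, load the tarball with `docker load`, and scan it with grype exactly as nginx:latest is scanned in the talk to compare the vulnerability counts side by side.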