The Cloudcast - Weekly Cloud Computing Podcast Podcast Artwork Image
The Cloudcast - Weekly Cloud Computing Podcast
The Cloudcast #343 - Container Vulnerability Scanning
April 19, 2018 Aaron Delp & Brian Gracely
Aaron and Tyler Britten talk with Liz Rice (@lizrice, Technology Evangelist @AquaSecTeam) about what's easy—and what's not—about finding and patching security vulnerabilities in containers. This is a cross-over show with @PodCTL podcast.

Show Links:

Show Notes
  • Topic 1 - Welcome to the show Liz. Tell us a little bit about your background and the types of things that you’re working on these days.
  • Topic 2 - Let’s start with the basics. A container is defined by a file (e.g. Dockerfile) that the user/developer/operator defines. How can a vulnerability get into that file?
  • Topic 3 - Is it up to the CI/CD system or  host OS (where the container runs) or container orchestrator (e.g. Kubernetes) or container registry to figure out if a vulnerability exists?
  • Topic 4 - How do most container registries today manage vulnerability lists, container scanning and potential mitigations? What are the difficult parts of those tasks?
  • Topic 5 - Most containers today are Linux containers. Are you seeing anything happening (yet) around how to manage Windows containers vulnerabilities? Is the assumption that Microsoft will fix this through one of their existing tools, or are things happening in the open source community as well?
Feedback?
Aaron and Tyler Britten talk with Liz Rice (@lizrice, Technology Evangelist @AquaSecTeam) about what's easy—and what's not—about finding and patching security vulnerabilities in containers. This is a cross-over show with @PodCTL podcast.

Show Links:

Show Notes
  • Topic 1 - Welcome to the show Liz. Tell us a little bit about your background and the types of things that you’re working on these days.
  • Topic 2 - Let’s start with the basics. A container is defined by a file (e.g. Dockerfile) that the user/developer/operator defines. How can a vulnerability get into that file?
  • Topic 3 - Is it up to the CI/CD system or  host OS (where the container runs) or container orchestrator (e.g. Kubernetes) or container registry to figure out if a vulnerability exists?
  • Topic 4 - How do most container registries today manage vulnerability lists, container scanning and potential mitigations? What are the difficult parts of those tasks?
  • Topic 5 - Most containers today are Linux containers. Are you seeing anything happening (yet) around how to manage Windows containers vulnerabilities? Is the assumption that Microsoft will fix this through one of their existing tools, or are things happening in the open source community as well?
Feedback?
See All Episodes