container_patching_cnscon_2023_castle_panther.pdf

1、Container PatchingMaking It Less Gross Than The Seattle Gum WallGreg Castlemrgcastle,gregcastleinfosec.exchangeGKE Security,Google CloudWeston PantherGKE Security,Google CloudSimple View Of Patching0 days Scanner detects15 days Maintainer patches30 days Production patchedSeverityFedRAMPTargetsCRITIC

2、AL/HIGH30 daysMedium90 daysLow180 daysA Trip Down Empathy Lane2 weeks Bi-weekly cluster scan2 weeks Hey web team,webfrontend is missing 2 CRITICAL patches3 weeks Friendly ping?3 weeks Not our code,maybe django base container?3 weeks Django container team,can you patch?4 weeks These vulns are in perl

3、,we dont even use perl,do we need to patch?A Trip Down Empathy Lane4 weeks Yes,or better yet,remove perl.OUT OF FedRAMP/PCI SLO5 weeks Patched acme-django:v2.1.1 5 weeks Hey web team,rebuild with acme-django:v2.1.16 weeks Done!7 weeks Still running the old version?A Trip Down Empathy Lane8 weeks For

4、got to update the K8s manifest.Done!9 weeks Still no?Also theres three new HIGH vulns,but lets get this done first.10 weeks Had to soak in QA first,updated for prod rollout.11 weeks Fixed!Who else runs django apps.?Why Its GrossHumans at every stepWhich layer needs patching?No inventoryPatching unus

5、ed codeVulns faster than patches=Slow,incomplete,unscalable patchingIs the majority of the industry doing better than this today?88%of respondents:“Challenging to ensure containerized applications are free from vulnerabilities”https:/www.slim.ai/blog/container-report-2022/GKE Container Patching Case

6、 StudyEnforcement PointsPrevent:minimal containersDetect:scanning capability/coverageFix:ownership,dependencies,releaseMonitor:dashboards,alerting,escalationsWhat Containers?Vendor/MSP containersContainers you rebuildK8s manifests you updateWhat Do We Know Anyway?Patching for 1000s of containers acr