Julius Musseau

CTO and Co-Founder at MergeBase

Julius is an active software engineer and lapsed Apache committer with 20 years of experience writing software. He spends most of his time these days writing Java and SQL code for MergeBase, the AppSec startup he co-founded in 2018. Julius is 100% to blame for CVE-2014-3604.

Presentation Abstract

Six Ways Known Vulnerabilities Sneak Into Docker Containers

This talk details six common ways known vulnerabilities find their way into Docker container images.

1.) Stale base images.
2.) Stale distro packages installed during your Docker build.
3.) Direct download of packages (from outside the distro) during the Docker build.
4.) Off-Roading 1: Direct download of platform components (e.g., language runtimes, application servers, database engines) instead of using the distro's packages.
5.) Off-Roading 2: Open source libraries bundled in your application itself.
6.) Runtime Modifications: Any of the above happening at runtime, after the image was built and scanned.
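The following heuristic scan shows where each of the six vectors enters a Dockerfile. It is an added example and is not code from the talk or from MergeBase; the sample Dockerfile, its placeholder URLs and the list of platform-component names are constructed assumptions. A static scan like this only locates the entry points: it cannot tell you which CVEs are present. That still requires an SBOM of the built image (vectors 1 to 5) and, for vector 6, of the running container.

```python
"""Heuristic Dockerfile scan for the six known-vulnerability vectors (added example)."""
import re
from typing import List, Tuple

# Constructed sample Dockerfile; the image and URLs are hypothetical placeholders.
SAMPLE_DOCKERFILE = """\
# 1: mutable tag, no digest
FROM ubuntu:latest
# 2: distro packages, and no 'apt-get update' in the same layer
RUN apt-get install -y openjdk-11-jre-headless
# 3: a .deb fetched from outside the distro
RUN curl -fsSLo /tmp/agent.deb https://vendor.example/agent_1.0.deb \\
    && dpkg -i /tmp/agent.deb
# 4: platform component (app server) fetched as a tarball
RUN wget -qO- https://downloads.example/tomcat-9.0.1.tar.gz | tar xz -C /opt
# 5: the application and its bundled open source libraries
COPY target/app.war /opt/tomcat/webapps/
# 6: the container fetches code at start-up, after any build-time scan
CMD curl -sSL https://plugins.example/latest.jar -o /opt/plugin.jar && /opt/tomcat/bin/catalina.sh run
"""

PKG_INSTALL = re.compile(r"\b(apt-get|apt|apk|yum|dnf|microdnf)\s+(install|add)\b")
PKG_UPDATE = re.compile(r"\b(apt-get|apt)\s+update\b")
FETCH = re.compile(r"\b(curl|wget)\b|https?://")
LANG_PKG = re.compile(r"\b(pip3?|npm|yarn|gem|mvn|gradle)\s+(install|add)\b")
DISTRO_PKG_FILE = re.compile(r"\.(deb|rpm|apk)\b")
# Names that usually mean a runtime, app server or database (assumed list; extend as needed).
PLATFORM = re.compile(r"(openjdk|jdk|jre|tomcat|jetty|node-v|python-3|postgres|mysql|mariadb|nginx)", re.I)
APP_ARTIFACT = re.compile(r"\.(jar|war|ear|whl)\b|requirements\.txt|package(-lock)?\.json|pom\.xml|build\.gradle")


def parse_instructions(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, args) pairs; joins backslash continuations, drops comments/blank lines."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        joined.append((buf + line).strip())
        buf = ""
    if buf:
        joined.append(buf.strip())
    out = []
    for line in joined:
        parts = line.split(None, 1)
        out.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return out


def classify_download(args: str) -> Tuple[int, str]:
    """Vector 3 for out-of-distro package files, vector 4 for platform components."""
    if DISTRO_PKG_FILE.search(args):
        return 3, "package file downloaded from outside the distro"
    if PLATFORM.search(args):
        return 4, "platform component downloaded directly (off-roading)"
    return 3, "direct download from outside the distro"


def find_vectors(dockerfile: str) -> List[Tuple[int, str, str]]:
    """Return (vector number, instruction args, reason) for every suspicious instruction."""
    findings = []
    for instr, args in parse_instructions(dockerfile):
        if instr == "FROM":
            ref = next((t for t in args.split() if not t.startswith("--")), "")
            if ref and ref != "scratch" and "@sha256:" not in ref:
                name = ref.rsplit("/", 1)[-1]
                how = "no tag or :latest" if ":" not in name or name.endswith(":latest") else "mutable tag"
                findings.append((1, args, f"base image not pinned by digest ({how})"))
        elif instr == "RUN":
            if PKG_INSTALL.search(args):
                note = "" if PKG_UPDATE.search(args) else "; no package index update in the same layer"
                findings.append((2, args, "distro packages installed at build time" + note))
            if FETCH.search(args):
                vec, why = classify_download(args)
                findings.append((vec, args, why))
            if LANG_PKG.search(args):
                findings.append((5, args, "language package manager pulls application libraries"))
        elif instr in ("COPY", "ADD"):
            if FETCH.search(args):
                vec, why = classify_download(args)
                findings.append((vec, args, why))
            elif APP_ARTIFACT.search(args):
                findings.append((5, args, "application artifact with bundled open source libraries"))
        elif instr in ("CMD", "ENTRYPOINT"):
            if FETCH.search(args) or PKG_INSTALL.search(args) or LANG_PKG.search(args):
                findings.append((6, args, "container fetches or installs software at runtime"))
    return findings


def vectors_found(dockerfile: str) -> List[int]:
    """Distinct vector numbers present, sorted."""
    return sorted({v for v, _, _ in find_vectors(dockerfile)})


if __name__ == "__main__":
    for vec, line, why in find_vectors(SAMPLE_DOCKERFILE):
        print(f"[vector {vec}] {why}\n    {line}")
```

The matching is deliberately simple string inspection (for instance, `apt-get install curl` trips the download rule), so treat the output as a list of places to look, not a verdict. Pinning `FROM` by digest, running the index update and the install in one layer, and keeping start-up scripts free of downloads closes vectors 1, 2 and 6 at the Dockerfile level; vectors 3 to 5 need a scan of the artifacts themselves.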

During this talk I will assemble a Docker image for running Jira (a well-known productivity tool). I will show how known vulnerabilities from each of these six categories can be found in my resulting Docker image, and how I would go about fixing these.

After attending this talk, attendees will understand these six known-vulnerability vectors that affect Docker images, and the different detection and mitigation techniques each of them requires.