A shared responsibility between the development team and operations for what is built into images and what runs in the cluster is ideally considered common sense in a DevOps world.
In practice, nobody feels responsible for patch management in (running) containers.
This talk will provide information on how to perform security tests for container images, such as:
– test for known vulnerabilities in packages/applications
– test for missing patch management
– test for malware
– test for container hardening practices (distroless or non-root)
After scanning for defects, the potential defects need to be handled, which will be showcased.
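One way to automate two of the checks listed above (non-root / distroless hardening and a staleness proxy for missing patch management) over an OCI image config blob, as an added example that is not part of the talk or of the tools it names; the sample configs, the 30-day threshold and the fixed "today" are constructed assumptions:

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed "today" so results are reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Constructed OCI image configs (not real images): one weak, one hardened.
WEAK_CONFIG_JSON = """{"created": "2023-01-15T10:00:00Z", "os": "linux",
  "config": {"User": "", "Entrypoint": ["/bin/sh", "-c"], "Cmd": ["./app"]}}"""
HARDENED_CONFIG_JSON = """{"created": "2024-02-20T08:30:00Z", "os": "linux",
  "config": {"User": "10001:10001", "Entrypoint": ["/app"], "Cmd": []}}"""

def is_root_user(user: str) -> bool:
    """True when the image starts its process as root.
    OCI `User` may be "", "root", "0", "name:group" or "uid:gid"; the uid part decides."""
    uid = user.split(":", 1)[0].strip()
    return uid in ("", "root", "0")

def check_image_config(config: dict, now: datetime = NOW, max_age_days: int = 30) -> list:
    """Return finding ids for the hardening and patch-management checks.
    NON_ROOT: no non-root USER declared.
    STALE_IMAGE: built more than max_age_days ago, i.e. the rebuild that would
      pull in package patches has not happened (proxy for missing patch management).
    SHELL_ENTRYPOINT: process launched via a shell, which a distroless base lacks."""
    findings = []
    cfg = config.get("config", {})
    if is_root_user(cfg.get("User", "")):
        findings.append("NON_ROOT")
    created = datetime.fromisoformat(config["created"].replace("Z", "+00:00"))
    if now - created > timedelta(days=max_age_days):
        findings.append("STALE_IMAGE")
    entry = cfg.get("Entrypoint") or []
    if entry and entry[0].rsplit("/", 1)[-1] in ("sh", "bash", "ash", "dash"):
        findings.append("SHELL_ENTRYPOINT")
    return findings

def scan_config_json(config_json: str) -> list:
    """Convenience wrapper over the raw config blob (e.g. the output of `crane config`)."""
    return check_image_config(json.loads(config_json))

if __name__ == "__main__":
    for name, blob in (("weak", WEAK_CONFIG_JSON), ("hardened", HARDENED_CONFIG_JSON)):
        print(name, scan_config_json(blob))
```

The findings list is what a pipeline would feed into a defect tracker; an empty list for the hardened config is the pass condition.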
Required audience experience
Basic understanding of clusters and containers
Objective of the talk
Provide an overview of best practices to ensure containers do not run with security defects in production.
Participants will learn how to combine the following open source DevSecOps tools and frameworks:
– SDA SE Cluster Scanner
– OWASP DevSecOps Maturity Model
– OWASP DefectDojo