Day in the Life of a Base Image: The Evolution of Vulnerabilities in the Most Popular Containers - Ayse Kaya, Slim.AI
Abstract
While container scanning and security are becoming more widely adopted, it is still not well understood how these containers evolve over time from a security perspective. This includes understanding the long-term security posture of these containers, and whether it is improving or declining as new vulnerabilities are discovered. This talk will take a first-time look at why handling vulnerabilities in containers is such a sticky problem to begin with: known vulnerabilities require patching, new vulnerabilities arise constantly, and many other vulnerabilities simply fall into a catch-all bucket of “won’t fix”. We’ll show data visualizations of how the attack surface of two mega-popular public container images (Python, NodeJS) has changed over the past year, highlighting the problem developers and DevSecOps teams are facing. We’ll demonstrate how some of the most popular vulnerability scanners show different results for the same image, sometimes to extreme degrees. But stick around to the very end, because on the upside, we’ll wrap up with practical steps developers can take to stay on top of vulnerabilities and prevent their dev process from grinding to a halt.