Unpacking Open Source Security in Public Repos & Registries - Ben Hirschberg, ARMO
Abstract
The container ecosystem has exploded in the decade since its introduction, with containers becoming the backbone of the way we package, deploy, orchestrate, schedule and operate our production applications. It is no surprise, then, that so many public-facing resources have appeared over the years, both complementary open source projects and public registries that aggregate commonly used container images. In this talk we will present data from first-of-its-kind research conducted by scanning the most popular and widely adopted open source projects, from Grafana to Prometheus, Lens, Helm, ArgoCD and others, as well as the public registries from which we pull our base images, from DockerHub and Quay to GCR and ECR. We will share how these public-facing resources, used by practically all developers, stack up against common compliance frameworks (CIS, MITRE ATT&CK®, NIST, NSA-CISA), the most common misconfigurations, and the prevalence of well-known CVEs (through a Log4J example), with a look at the stats and hard numbers, plus any other red flags you need to be aware of when relying on public resources. We will wrap up with a risk analysis and scoring of the resources, highlight the risks to pay attention to, and provide some best practices to keep your systems and operations safe in this evolving security landscape.
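The abstract mentions measuring the prevalence of a well-known CVE, using Log4j as the example. The following is an added illustration of the smallest useful version of that check, and is not code from the talk, from ARMO, or from any scanner it describes: it reads a CycloneDX-style SBOM fragment (constructed here, not taken from a real image) and flags every `log4j-core` component whose version falls in the range affected by CVE-2021-44228. The affected range used, 2.0-beta9 through 2.14.1 with the backported fixes 2.12.2+ (Java 7) and 2.3.1+ (Java 6) excluded, follows Apache's advisory; the function names and the SBOM contents are this example's own assumptions.

```python
"""Flag log4j-core versions affected by CVE-2021-44228 in a CycloneDX-style SBOM.

Added example, not the talk's or ARMO's tooling. The SBOM fragment is constructed.
Affected range per Apache's advisory for CVE-2021-44228: 2.0-beta9 through 2.14.1,
excluding the backported fixes 2.12.2+ (Java 7) and 2.3.1+ (Java 6).
"""
import json
import re

# Constructed CycloneDX-like SBOM fragment, in the shape an image scanner might emit.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.0-beta9"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.12.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.12.2"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.15.0"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"group": "log4j", "name": "log4j", "version": "1.2.17"},
    ],
})

# Pre-release tags sort before the final release of the same number: beta < rc < final.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3


def version_key(version):
    """Sortable key for Log4j 2 versions such as '2.0-beta9', '2.0-rc1', '2.14.1'."""
    base, _, pre = version.partition("-")
    nums = [int(p) for p in base.split(".")]
    nums += [0] * (3 - len(nums))          # pad '2.0' to (2, 0, 0)
    if pre:
        m = re.fullmatch(r"([A-Za-z]+)(\d*)", pre)
        if not m or m.group(1).lower() not in _PRE_RANK:
            raise ValueError(f"unrecognised pre-release tag: {version}")
        return (*nums, _PRE_RANK[m.group(1).lower()], int(m.group(2) or 0))
    return (*nums, _FINAL_RANK, 0)


LOWER = version_key("2.0-beta9")   # first release with the JNDI lookup feature
UPPER = version_key("2.14.1")      # last release before the 2.15.0 fix


def is_affected_by_cve_2021_44228(version):
    """True if this log4j-core version is in the affected range and not a backport fix."""
    key = version_key(version)
    if key[0] != 2:
        return False                       # Log4j 1.x is a different code base; not this CVE
    if not (LOWER <= key <= UPPER):
        return False
    _major, minor, patch = key[:3]
    # Backported fixes that sit numerically inside the affected range.
    if minor == 12 and patch >= 2:         # 2.12.2, 2.12.3, 2.12.4 (Java 7 line)
        return False
    if minor == 3 and patch >= 1:          # 2.3.1, 2.3.2 (Java 6 line)
        return False
    return True


def scan_sbom(sbom_json):
    """Return (version, affected) for every log4j-core component in the SBOM."""
    findings = []
    for c in json.loads(sbom_json).get("components", []):
        if c.get("group") == "org.apache.logging.log4j" and c.get("name") == "log4j-core":
            findings.append((c["version"], is_affected_by_cve_2021_44228(c["version"])))
    return findings


def affected_versions(sbom_json):
    """Sorted list of log4j-core versions in the SBOM that are affected."""
    return sorted(v for v, hit in scan_sbom(sbom_json) if hit)


if __name__ == "__main__":
    for version, hit in scan_sbom(SBOM_JSON):
        status = "AFFECTED by CVE-2021-44228" if hit else "not affected"
        print(f"log4j-core {version}: {status}")
```

Matching on component name and version is only the first pass a scanner makes: a shaded or fat jar that embeds `JndiLookup.class` will not show up as a `log4j-core` component at all, which is why production scanners also inspect jar contents rather than trusting the SBOM alone.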