Here's the agenda for the night:
6:00pm - Food and drink, networking
6:30pm - My container image has 500 vulnerabilities, now what? - Matt Jarvis, Director - Developer Relations, Snyk
7:15pm - Break
7:30pm - Building a Secure Supply Chain with Wolfi and Chainguard Images - Adrian Mouat, Developer Relations at Chainguard
8:15pm - Wrap up
· My container image has 500 vulnerabilities, now what? (Matt Jarvis)
As security becomes a bigger concern in the world of containers and Kubernetes, using vulnerability scanning tooling in our workflows is becoming increasingly common. But many container images can show tens if not hundreds of vulnerabilities, particularly if they are built using upstream base images from public repositories. If your container has a huge number of vulnerabilities, what do you do? Many of us will reach information overload when faced with such a list, and struggle to work out what actions we should take. In this talk, we’ll look at how container images are constructed, understand how potential vulnerabilities can get into our images, and explore how we can prioritize and remediate the vulnerabilities we find. Take control of your vulnerabilities!
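As an added illustration of the prioritization the abstract describes (example code written for this page, not material from the talk or from Snyk's tooling): a scan report is triaged into "fix now", "fix later" and "watch" buckets, and the fixable findings are collapsed into the few concrete actions that actually resolve them. The report format, the package versions and the VULN-nnnn identifiers are all constructed placeholders; real scanners emit their own JSON schemas, so only the loader would need adapting.

```python
"""Triage a container-image vulnerability report (added example, not from the talk).

The input is a CONSTRUCTED, simplified scan result: each finding records the
package, its version, severity, the version that fixes it (None if no fix
exists) and whether the package came from the base image or a layer we added.
"""
import json
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "negligible": 0}

# Constructed sample: identifiers, versions and the image name are placeholders.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example/app:1.0",
    "findings": [
        {"id": "VULN-0001", "package": "openssl", "version": "1.1.1k", "severity": "critical", "fixed_in": "1.1.1u", "layer": "base"},
        {"id": "VULN-0002", "package": "openssl", "version": "1.1.1k", "severity": "high", "fixed_in": "1.1.1u", "layer": "base"},
        {"id": "VULN-0003", "package": "zlib", "version": "1.2.11", "severity": "high", "fixed_in": "1.2.13", "layer": "base"},
        {"id": "VULN-0004", "package": "curl", "version": "7.74.0", "severity": "medium", "fixed_in": None, "layer": "base"},
        {"id": "VULN-0005", "package": "requests", "version": "2.25.1", "severity": "medium", "fixed_in": "2.31.0", "layer": "app"},
        {"id": "VULN-0006", "package": "requests", "version": "2.25.1", "severity": "low", "fixed_in": "2.31.0", "layer": "app"},
        {"id": "VULN-0007", "package": "perl-base", "version": "5.32.1", "severity": "low", "fixed_in": None, "layer": "base"},
    ],
})


def load_findings(report_json):
    """Parse the constructed report format into a list of finding dicts."""
    return json.loads(report_json)["findings"]


def _rank(finding):
    return SEVERITY_RANK.get(finding["severity"].lower(), 0)


def triage(findings):
    """Split findings into buckets a team can act on.

    fix_now  : a fix exists and severity is high or critical
    fix_later: a fix exists, lower severity
    watch    : no upstream fix yet; upgrading cannot help, only dropping the
               package (e.g. moving to a smaller base image) would
    """
    buckets = {"fix_now": [], "fix_later": [], "watch": []}
    for f in findings:
        if f["fixed_in"] is None:
            buckets["watch"].append(f)
        elif _rank(f) >= SEVERITY_RANK["high"]:
            buckets["fix_now"].append(f)
        else:
            buckets["fix_later"].append(f)
    for bucket in buckets.values():
        bucket.sort(key=lambda f: (-_rank(f), f["package"], f["id"]))
    return buckets


def remediation_plan(findings):
    """Collapse fixable findings into the smallest set of concrete actions.

    Many findings usually map to one change: every fixable base-layer package
    is refreshed at once by rebuilding on a current base image, while an
    app-layer package is bumped to its fixed version individually.
    """
    by_action = defaultdict(list)
    for f in findings:
        if f["fixed_in"] is None:
            continue  # nothing to upgrade to; stays in the watch bucket
        if f["layer"] == "base":
            key = ("rebuild-base", None, None)
        else:
            key = ("upgrade", f["package"], f["fixed_in"])
        by_action[key].append(f["id"])
    plan = [{"action": a, "package": p, "to": v, "resolves": sorted(ids)}
            for (a, p, v), ids in by_action.items()]
    plan.sort(key=lambda step: -len(step["resolves"]))  # biggest win first
    return plan


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    for name, items in triage(findings).items():
        print(f"{name}: {[f['id'] for f in items]}")
    for step in remediation_plan(findings):
        print(step)
```

Run against the sample, the seven findings reduce to two actions: one base-image rebuild that closes the three high/critical findings, and one dependency bump for `requests`; the two findings with no fix available stay on the watch list rather than cluttering the work queue.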
· Building a Secure Supply Chain with Wolfi and Chainguard Images (Adrian Mouat)
Security scans getting you down? Users complaining they can’t verify your container images? Have no idea if your systems are vulnerable to the latest exploit? Want to improve your SLSA level but don’t know where to start? You’re not alone -- all organisations face these issues. This talk will walk through techniques and tooling that you can use today to address these concerns. In particular it will cover:
- The distroless philosophy; why minimal images can save you from scan report purgatory
- The importance of updating images and dependencies
- Using apko to build container images with SBOMs and complete reproducibility
- Signing images with Sigstore
The best bit? These tools and techniques will make your systems simpler and faster. Adding security doesn’t have to mean hurting usability or productivity.
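An added example of the question an SBOM lets you answer quickly ("are my systems vulnerable to the latest exploit?"). This is example code written for this page, not material from the talk or from Chainguard's apko or Wolfi tooling: given an advisory naming a package ecosystem, a package and the version that fixes it, list every package in an image's SBOM still below the fix. The SBOM is a hand-written document in the SPDX 2.3 JSON shape, with placeholder package names and versions; the version ordering is a deliberate simplification (dotted numbers plus an apk-style `-rN` release suffix), not the full apk or PyPI comparison rules.

```python
"""Query a constructed SPDX-style SBOM for packages affected by an advisory.

Added example for this page; the SBOM content is made up for illustration.
"""
import json
import re

# Constructed SBOM in the SPDX 2.3 JSON shape (package list trimmed to a few entries).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "sbom-example-app",
    "packages": [
        {"name": "libxml2", "versionInfo": "2.10.3-r1", "SPDXID": "SPDXRef-Package-libxml2",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:apk/wolfi/libxml2@2.10.3-r1?arch=x86_64"}]},
        {"name": "busybox", "versionInfo": "1.36.1-r2", "SPDXID": "SPDXRef-Package-busybox",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:apk/wolfi/busybox@1.36.1-r2?arch=x86_64"}]},
        {"name": "requests", "versionInfo": "2.31.0", "SPDXID": "SPDXRef-Package-requests",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        # A package with no purl: it cannot be matched to an ecosystem and is skipped.
        {"name": "app-config", "versionInfo": "1.0", "SPDXID": "SPDXRef-Package-app-config",
         "externalRefs": []},
    ],
})

PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>[^@?#]+)/)?(?P<name>[^@/?#]+)(?:@(?P<version>[^?#]+))?"
)


def parse_purl(purl):
    """Return (type, name, version) from a package URL, or None if it does not parse."""
    m = PURL_RE.match(purl)
    if not m:
        return None
    return m.group("type"), m.group("name"), m.group("version")


def version_key(version):
    """Simplified ordering: dotted integers, then an optional apk '-rN' release.

    '2.10.3-r1' -> ((2, 10, 3), 1); '2.31.0' -> ((2, 31, 0), 0).
    Good enough for the example; real apk/PyPI rules have more cases.
    """
    main, _, release = version.partition("-r")
    nums = tuple(int(x) for x in re.findall(r"\d+", main))
    return nums, int(release) if release.isdigit() else 0


def sbom_packages(sbom_json):
    """Yield (type, name, version) for every package that carries a purl."""
    for pkg in json.loads(sbom_json).get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") != "purl":
                continue
            parsed = parse_purl(ref["referenceLocator"])
            if parsed and parsed[2]:
                yield parsed


def find_affected(sbom_json, advisory):
    """Packages in the SBOM matching the advisory's ecosystem and name whose
    version is older than advisory['fixed_in']. advisory is a plain dict:
    {"type": "apk", "name": "libxml2", "fixed_in": "2.11.4-r0"} (constructed)."""
    fixed = version_key(advisory["fixed_in"])
    return [(name, version) for (ptype, name, version) in sbom_packages(sbom_json)
            if ptype == advisory["type"] and name == advisory["name"]
            and version_key(version) < fixed]


if __name__ == "__main__":
    advisory = {"type": "apk", "name": "libxml2", "fixed_in": "2.11.4-r0"}  # constructed
    print(find_affected(SAMPLE_SBOM, advisory))
```

Matching on the purl rather than on the bare package name is the point: `requests` from PyPI and a hypothetical `requests` apk are different artifacts, and an advisory for one must not light up the other. Across a fleet, the same function runs over every image's SBOM without pulling or rescanning the images.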