Ghost Security at KubeCon + CloudNativeCon Europe 2023

Tuesday, February 14, 2023

Ghost writer

Ghost Security is headed to Amsterdam! Brad Geesaman, our very own Staff Security Engineer and Cloud Kubernetes security aficionado, will be joined by Ian Coldwater, Duffie Cooley, and Rory McCune to present “Malicious Compliance: Reflections on Trusting Container Scanners” at KubeCon EU in April.

What exactly can you expect during this 35-minute discussion? Check out the official abstract below.

A commonly recommended best practice for security and compliance is to scan container images for vulnerabilities before allowing them to run inside a cluster. Many organizations codify allow/deny policies based on the results of these scans, using this policy-as-code approach to form the basis of trust. But what exactly are container scanners looking for? And can you always trust the results?

Let’s break this down layer by layer, from an attacker perspective. Why do certain changes in the way images are built produce wildly varying results? Can the flexibility in how container images are built and distributed be used to alter or prevent scanning tools from being able to fully understand what's in a container? How might clever image builders use these tricks to avoid scrutiny from these tools?

Join the hacker crew known as SIG-Honk, and let’s have some fun! Brad Geesaman, Ian Coldwater, Duffie Cooley, and Rory McCune will demonstrate some creative ways to intentionally bypass container image analysis and admission control detection.

Attendees will walk away with a greater understanding of the limitations of tooling used to validate images, and learn how to create better security policies in their own environments. The results may surprise you!

This presentation will take place on Friday, April 21, 2023 at 14:00 - 14:35 CEST in the Auditorium Center | Auditorium + Balcony. Event registration is required in order to view this session. Both in-person and virtual options are available.

For more details and registration, visit: https://kccnceu2023.sched.com/event/1Hybu

If you aren’t able to attend in person or virtually, be sure to check the CNCF YouTube Channel after the event for the session recording.

Hope to see you there!

Step Into The Underworld Of
Autonomous AppSec

Ghost Security provides autonomous app security with Agentic AI, enabling teams to discover, test, and mitigate risks in real time across complex digital environments.

© 2024 Ghost Security. All rights reserved
