#security (2024-11)

Archive: https://archive.sweetops.com/security/

2024-11-26

Ayman

Hi folks, what is everyone doing to keep their ECR images updated and free of vulns? Looking for new ideas for image pipeline, esp for nervous engineers.

Darren Cunningham

one account for all new builds and a separate account for all PROD images, only promote to prod automatically for clean scans or when manually triggered (to allow for CVE exceptions)

george.m.sedky

Better image scanning: the built-in ECR scanner is not so good. Last time I checked it was Clair, which misses a lot of packages. Use something like trivy instead.

Minimal images: if you scan you’ll find hundreds of vulns and very little time to fix / upgrade. One way to get around this with lower friction with devs is to prepare a set of minimal base images for the frameworks devs use (alpine-based images with the framework version they use and common runtime dependencies), then keep releasing new base images every couple of months with the latest patches. But be careful: this might break apps that depend on runtime or OS packages, but it will slash hundreds of vulnerabilities and make the secure option for devs the path of least resistance.

you can also give cloud native buildpacks a shot

Darren Cunningham

I haven’t used them, but https://www.chainguard.dev/ looks really interesting

Alanis Swanepoel

You need to consider all aspects of your container and app lifecycle. Take a look at https://www.deepfence.io for runtime scanning. I wrote a short article mentioning some of the areas to consider. https://ctrltilde.com/container-security-101/


2024-11-28
