One Article Review

Home - The article:
Source: AlienVault Blog
Identifier: 1208375
Publication date: 2019-07-16 13:00:00 (viewed: 2019-07-16 18:00:28)
Title: High Risk Vulnerabilities in Docker Containers | AT&T ThreatTraq
Text: Every week the AT&T Chief Security Office produces a series called ThreatTraq with helpful information and news commentary for InfoSec practitioners and researchers. I really enjoy them; you can subscribe to the YouTube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Jonathan Gonzalez, Principal Technical Security; John Hogoboom, Lead Technology Security, AT&T; and Jim Clausing, Principal Member of Technical Staff, AT&T.

Jonathan: Twenty percent of the top 1,000 Docker images have at least one high vulnerability.

Jim: Jonathan, I understand you have a story on vulnerable Docker containers.

Jonathan: Yes, Jim. Thank you. Actually, I'm going back in time a little bit. Two months ago when I was last here, I brought up a story about Alpine Linux and the root account having an empty password. Well, it seems Jerry Gamblin from Kenna Security was inspired to try to figure out how many more there were. He started trying to figure out things like, "How do I scan a Docker image from Docker Hub?" Around the same time, in May, a group from Japan made an open source application called Trivy which allows you to pull a Docker image from the hub or a private registry and actually scan, run, extract the contents of it and find out what vulnerabilities are running at the OS level or even in some applications. I think they are covering Node and NPM applications and Yarn, and others. The researcher was saying, "Perfect, the tool that I need to be able to run, to find out what's going on in these images." He ran this tool through the top ~10,000 most pulled images in Docker and put the results out on the web. The website is vulnerablecontainers.org.

John: That might be a good thing if you're big in the Docker space and you're making your own containers and images that you use as part of your production process, to identify if you have any vulnerabilities in a container that you're building or using.

Jonathan: One of them he mentioned on Twitter that is a little scary is Ruby on Rails, which is very popular. There was an image called Rails that was deprecated about two years ago. Two years' worth of vulnerabilities in the OS and everything else - and people are kinda still pulling from it. Docker officially moved it to a new image called Ruby. But if you aren't aware that the name changed...

John: That's confusing.

Jonathan: Correct. And kind of misleading, because you can get the latest tag and keep pulling the latest image, but if they haven't updated in two years...

John: And they moved it to a different name...

Jonathan: The researcher points out that there's no clear way for someone pulling the image to know that it's been deprecated unless you go to Docker Hub and see the description that says deprecated, right?

John: Right, right.

Jonathan: So hopefully, they're talking about putting something in the command line to tell you, "Hey, stop using this," "Rails is deprecated, grab the latest from Ruby."

John: Right, right. Interesting.

Jonathan: You know, millions
Tags: Tool, Vulnerability, Guideline

