From 4e72b1e77832d73075714748bb9f095651ed1fd5 Mon Sep 17 00:00:00 2001 From: Marco Verleun Date: Tue, 7 Nov 2023 15:44:20 +0100 Subject: [PATCH] Add info --- slides/sbom/intro.md | 3 ++ slides/sbom/sboms.md | 83 +++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 82 insertions(+), 4 deletions(-) diff --git a/slides/sbom/intro.md b/slides/sbom/intro.md index 65094b8..27b59bb 100644 --- a/slides/sbom/intro.md +++ b/slides/sbom/intro.md @@ -9,3 +9,6 @@ - 👷🏼‍♂️ Devops/Gitops/Cloud/Container/Cluster/Linux engineer (Pick one) - 🎯 Passion: Secure K8S clusters (air-gapped) running secure containers + + +Disclaimer: The tools and applications shown in this presentation often have many alternatives that are equally good. The same applies to the opinion of the presenter. diff --git a/slides/sbom/sboms.md b/slides/sbom/sboms.md index 0eeb418..6d82245 100644 --- a/slides/sbom/sboms.md +++ b/slides/sbom/sboms.md @@ -13,11 +13,9 @@ Read them and store them.... (Create them if you have to) --- -## SBOMs help, they do +## Know what you deploy -Imagine that you download and run a Python application in your cluster do you know which software components are present in the image? And which CVE's are present? - -It does make a difference how the image was build. Which one do you prefer and why given the following `Dockerfile``: +Imagine that you download and run a Python application in your cluster. Which one do you prefer and why given the following `Dockerfile``: ```bash FROM python:latest @@ -35,8 +33,85 @@ COPY worker.py / CMD ["python", "worker.py"] ``` +And why? + --- +## The only difference is the base image + +- But the end result is quite different: + +| Base image | Image size | CVE's | +|---|---|---| +| python:latest | 888 Mb | 1114 | +| python:alpine | 73,5 Mb | 3 | + +(Scanning was done with `grype` and since the writing of this presentation the numbers have increased) + +How often do you want to scan your images? + +--- + +## Providing information about software components + +More and more organisations want to know which software components they are about to deploy in a well know format. Executive Order 14028 on Improving the Nation's Cybersecurity does the same. + +This format is known as `SBOM` with already several versions. + +Most often this is a JSON formatted file, a snippet looks like: + +```json + "artifacts": [ + { + "id": "60671fb38be80921", + "name": "Simple Launcher Executable", + "version": "1.1.0.14", + "type": "dotnet", + "foundBy": "dotnet-portable-executable-cataloger", + "locations": [ + { + "path": "/usr/local/lib/python3.11/site-packages/pip/_vendor/distlib/t32.exe", + "layerID": "sha256:cd9f081b2669b644feeada02c0071c964673c221b6e44a42c44581d28ca18e2a" + } + ], + "licenses": [], + "language": "", + "cpes": [ + "cpe:2.3:a:Simple_Launcher_Executable:Simple_Launcher_Executable:1.1.0.14:*:*:*:*:*:*:*" + ], + "purl": "pkg:nuget/Simple%20Launcher%20Executable@1.1.0.14", + "metadataType": "DotnetPortableExecutableMetadata", + "metadata": { + "assemblyVersion": "", + "legalCopyright": "Copyright (C) Simple Launcher User", + "internalName": "t32.exe", + "companyName": "Simple Launcher User", + "productName": "Simple Launcher", + "productVersion": "1.1.0.14" + } + }, +``` + + +## Foreknowledge of CVE's + +Knowing upfront which CVE's will be deployed + ## Deployment prevention Inspecting SBOM's is best done before deploying containers and friends. Prevention is always best.