Tuesday, May 1 • 09:15 - 09:45
What's so hard about vulnerability scanning? - Liz Rice, Aqua Security

A dive into what's easy - and what's not so easy - about finding and patching security vulnerabilities in droplets and containers.

When a vulnerability, like the recent Meltdown, gets disclosed, the race is on to patch your code - and in a containerized deployment like PCF or PKS, you may have many thousands of instances that need updating. Typically, organizations use an image scanner to identify affected droplets or containers.

At first glance vulnerability scanning seems as though it should be a simple matter of cross-referencing a list of software packages with a list of known vulnerabilities, such as the National Vulnerability Database. This talk dives into why identifying vulnerabilities is a harder problem than you might at first imagine. We'll cover questions such as:

 * How does droplet scanning work?

 * Why does your Linux distribution(s) matter for vulnerability detection?

 * What's the difference between detecting vulnerabilities and malware?

There will be examples of false positives, how they get generated and what you can do about them.

If you have ever wondered how image scanners work, or if you're concerned about keeping your droplets and containers up-to-date with the latest patches, this talk is for you. 

Speakers
Liz Rice

VP Open Source Engineering, Aqua Security
Liz Rice is VP Open Source Engineering with cloud native security specialists Aqua Security. She is chair of the CNCF's Technical Oversight Committee, and was Co-Chair of KubeCon + CloudNativeCon in 2018. She is also the author of Container Security, published by O'Reilly. She has...


Tuesday May 1, 2018 09:15 - 09:45 BST
B3-M6+8