YoVDO

Keeping Up with CVEs: Finding Needles in Haystacks - Practical Vulnerability Assessment

Offered By: CNCF [Cloud Native Computing Foundation] via YouTube

Tags

Vulnerability Management Courses, Kubernetes Courses, Container Security Courses, Security Automation Courses, Release Engineering Courses, Cloud-Native Security Courses

Course Description

Overview

Explore the challenges and solutions in vulnerability management for container images in this conference talk. Learn how vulnerability scanners work, their limitations, and practical approaches to assess product security beyond raw vulnerability numbers. Discover strategies for implementing effective vulnerability management using Kubernetes images as an example. Gain insights into reducing false positives, focusing on code execution paths, and creating automated processes for vulnerability detection. Understand the complexities of container images and how to balance security concerns with practical solutions that allow engineers to work efficiently.

Syllabus

Introduction
Welcome
Why is the graph looking like this
Example
Vulnerability Scanner
Vulnerability Analysis
Image Scanners
Vulnerability Impact
Kubernetes
Release Engineering
Kubernetes Enhancement Proposal
Distroless
Base
Bash Static
QProxy
Not a perfect solution
Container images are complex
Imperfect solutions have benefits
Reduce churn
Vulnerability detection
How Kubernetes maintainers feel
Focus on code execution path
Give engineers breathing space
Create a list of images
Automated jobs
Questions


Taught by

CNCF [Cloud Native Computing Foundation]
