当前位置:首页 > 报告详情

你的基础镜像有多安全?对热门开源容器进行实时安全测试.pdf

上传人: 竿*** 编号:982092 2025-11-29 18页 1.48MB

1、#SECTORCA BlackHatEventsHow Secure Is Your Base Image?A security test of popular OSS containersJohn Amaral CTO and Co-Founder,Root.IO#SECTORCA BlackHatEventsJohn AmaralFounder,CTO at root#SECTORCA BlackHatEventsWhy this matters now?Attacker TimelineHoursExploit timelines compressed to hours.Zero-day

2、 to weaponization is rapid.Faster than most organizations can detect or react.Defender TimelineWeeksProcess-driven timelines.Fixes need testing,staging,approval.Involves multi-org coordinationKEV Git(CVE-2025-48384)serves as our example of this timing mismatch,highlighting why it drives compliance d

3、eadlines for security teams.#SECTORCA BlackHatEventsPopular SecureConvenience over Security:Popular base images are chosen for ease of use,not security.Daily CVE Accumulation:Widespread trust creates blind spots as vulnerabilities emerge constantly.Insights:See whats inside and how to secure these c

4、ontainers today.Observed in Enterprise:Tools to find these images prevalent in production environments.#SECTORCA BlackHatEventsThe Three Subjectsgolang:1.24-bookwormPrimary Issue:CISA KEV Git vulnerability in runtimeSecondary Issues:Massive linux-libc-dev vulns(no fix)Dev toolchains shipped to produ

5、ctionArchitecture Flaw:Builder image used as runtime containerpython:3.10-bookwormPrimary Issue:linux-libc-dev/glibc critical findings(no fix)Secondary Issues:Dev headers&build tools in final imageArchitecture Flaw:Single-stage build:dev&runtime mixedmcp-gateway:v2Primary Issue:Go stdlib CVE(require

6、s 1.24.6+for fix)Secondary Issues:Root userDIND patternsAttack toolsUnpinned installationsArchitecture Flaw:Dangerous permissions+powerful toolingAll three images are real-world CI and application images teams are commonly running in production environments today.#SECTORCA BlackHatEventsScan:golang:

word格式文档无特别注明外均可编辑修改,预览文件经过压缩,下载原文更清晰!
三个皮匠报告文库所有资源均是客户上传分享,仅供网友学习交流,未经上传用户书面授权,请勿作商用。
根据文章内容,以下是全文主要内容的简明概括: - **安全挑战**:流行的开源容器镜像存在大量安全漏洞,如golang:1.24-bookworm有1,115个CVE,python:3.10-bookworm有1,654个CVE。 - **时间差异**:攻击者利用漏洞的速度远快于组织检测和反应的速度。 - **问题镜像**:golang, python, mcp-gateway:v2等镜像存在关键漏洞,如Git CVE-2025-48384和`linux-libc-dev`漏洞。 - **解决方案**:采用多阶段构建、更新工具链、移除不必要组件等方法来减少漏洞。 - **安全最佳实践**:实施CI/CD管道中的安全策略,生成SBOM和VEX,进行持续漏洞修复。 - **关键数据**:1,115个CVE(golang),1,654个CVE(python),5个CVE(mcp-gateway:v2)。
如何评估基础镜像?" 常见漏洞揭秘" 如何构建更安全的镜像?"
客服
商务合作
小程序
服务号
折叠