►
Description
KCD Brasil 2022 - Esta palestra tem como objetivo apresentar os resultados da pesquisa analisando todas as vulnerabilidades relatadas em auditorias de segurança anteriores em ferramentas cloud native e vulnerabilidades publicamente conhecidas relatadas por terceiros diretamente aos mantenedores do projeto. Reunimos e analisamos todas essas vulnerabilidades de muitos projetos diferentes, como Kubernetes, Helm, etcd, gRPC, CodeDNS e muitos outros. O objetivo é entender os problemas mais comuns e os riscos mais críticos encontrados nessas ferramentas. Além disso, queríamos saber por que eles acontecem, tentar evitar que aconteçam no futuro e, ao mesmo tempo, conscientizar os usuários e organizações que usam esses projetos sobre os riscos associados ao uso dessas ferramentas em seu ambiente. Um relatório em PDF com todos os dados e descobertas será lançado para o público com esta apresentação.
A
A
A
If
my
lecture
I
don't
meet
your
requirements
there,,
but
the
idea
is
to
bring
up
a
conversation
a
little
bit
about
what
the
bird
mentioned
in
her
lecture
on
safety
about
the
importance
Indy
on
the
internet
is
not
safe
the
standard
and
talk
a
little
bit
to
you,
right
about
the
importance
of
security
within
these
projects,
not
good
Before
I
started
practically
for
the
Extreme
Palace
to
present
here,.
My
name
is
Magno
Logan
I'm
involved
there
with
the
community,
right,
of
ubernet,
I
used
more
or
less
two
years
when
I
started
working
at
the
service.
A
I
live
here
in
Canada
and
basically
helping
a
Scandian
product,.
The
first
ability
images
in
containers,
plus
the
product
practically
worked
in
Uberlândia,
right,,
so
I
had
to
learn
Kubernetes
there
and
then
my
interest
in
technology
began,.
Then
I
switched
a
little
to
decision
research.
Now
I
want
to
learn,
you
know,.
How
is
the
security
of
this
business,?
How
does
kubernet
security
work,
specifically,
everything
else,
right?,.
A
A
We
have
one
of
them,
I,
think
we
are
working
on
the
Portuguese
version
that
should
be
coming
out
soon,,
so
my
area
What,
is
basically
this
is
my
R
development
background
and
then
I
changed
to
the
application
security
area,
right
in
Itaguaí
there
I
have
a
personal
blog
called
katana
sec.com,
where
you
can
find
all
my
lectures,
my
personal
information
there,
contacts
and
social
networks.
If
you
want
to
check
it
out
from
time
to
time,
I
can
post
some
articles
there
too,
just
so.
A
A
Here
is
an
idea
of
a
project
that
I
had,
right,
discussing
it
with
several
people
in
the
community
during
the
NC
meetings,,
the
security
group,
I,
don't
know
if
you
know,,
but
there
are
some
security
audits
for
these
projects,.
So
I
think
only
if
they
are.
maintained
by
the
cnsf
they
go
through
a
certain
criteria,.
You
don't
have
to
accept
an
acceptable
level
of
security
risk.
So
there
are
some
audits
that
are
carried
out
there
on
them,
right?
A
gather
all
the
audit
results,
regardless
of
each
project
and
bring
a
more
general
view
of
the
garbage,.
The
current
situation
of
the
security
of
these
projects
and
comment
on
we
can
improve
from
now
on,
right
ok,.
So
the
idea
of
the
project
is:
if
we
have
one,
right,
the
CNC
This
one
she
does,,
she
does
it
and
sponsors
it,
right,.
She
invests
hiring
renowned
companies
in
the
company
with
high
security,
consulting
standards,.
A
Then
she
will
audit
the
projects
from
here
on
Wednesday
100cf
Usually,
when
they
are
graduating,
right,,
passing
a
phase
to
another
over
there
sandbox
or
to
graduate
to
have
right.
So
they
are
required
to
undergo
a
security
audit
by
an
independent
company.
Not
a
consulting
company
focused
on
application
testing
and
someone
just
does
code
review
everything
else
right.
Only
that
then
right
each
project
they
go
through
an
rfp
there's
a
selection,
right?.
A
This
security
mind
access
is
a
report
in
PDF,
right,.
It's
a
PDF
there
with
a
specific
format.
A
layout
has
no
specific
claim
of
the
company
detailing
the
women
skills,
right,.
So
if
you
want
to
know
what
were
the
women
skills
found
in
each
of
these
projects,
there
that
were
tested,
you'll
have
to
go
there
and
look
for
the
link
to
the
PDF
download.
The
pdf
I
took
the
results.
It
wins
that
purpose.
It
was
corrected
or
not,
if
the
criticism
or
not
and
everything
else
right.
So
it's
a
bit
of
work,
right.
A
That's
what
I,
did,
right,
I!
Basically
my
this
one.
If
I
join
it,
if
I
manage
to
get
the
results
of
all
these
reports
in
PDF
from
several
companies
in
several
formats
and
try
to
unify,
to
form
a
single
database
of
vulnerabilities
in
claudinete
applications,,
then,
basically
that's
what
I
did.
I
downloaded
the
PDFs
and
it
is
not
necessary
to
create
a
repository
in
the
kit,.
There
is
a
repository
in
my
specific
Ruby
kit
and
I
did
a
pass
on
these
reports
to
get
the
most
important
information.
A
The
name
of
the
vulnerability,
Severity
Impact
right
What
file
is
the
point
affected
by
the
vulnerability
from
more
to
give
a
more
general
study,
that
is,,
what
are
the
biggest
security
problems,
that
is,?
What
are
the
items
we
have
to
focus
on
in
terms
of
security
in
relation
to
these
projects
as
a
whole,
I'm,
not
just
focusing
on
kubernetes
I'm,
not
focusing
on
a
specific
tool,,
but
all
these
applications,
there,
claudinete,
right
well,,
so
I
spoke
here
about
Neves'
security
audits,,
which
are
independent,
I,
said
a
little
bit.
A
record
of
the
first
security
audits.
So
it's
something
relatively
recent,
right,
and
the
result
is
a
PDF
that
is
difficult
for
you
and
you
work
to
handle
it,.
If
you
want
to
enter
and
use
it
for
something
for
research,,
you
'll
have
to
walk
around,
it
doesn't
have
to
where
to
run
each
one
will
have
a
different
template.
A
So
that's
it,,
that's
what
I
did,
the
methodology
was.
This
It
was
to
gather
this
information
to
create
a
specific
database
of
vulnerabilities
for
each
project.
And
then
analyze
these
results,
right,.
It's
not
something
very
complex,
but
I
thought
that
it
was
an
interesting
job
from
that
one
I
did
what,
in
the
result
of
all
the
bases,
I
did
analysis
right.
Which
project
has
more
malleability.
What
is
the
type
of
purpose
more
end.
The
ring,
where
is
the
biggest
type
of
problem?
A
Where
is
the
we
have
to
improve,
not
only
to
bring
security
recommendations
for
100cf,
but
for
those
who
are
starting,
right
for
those
who
are
also
starting
with
these
projects
that
to
choose
which
to
evaluate
better,
right
There
are
some
projects
that
have
similar
functionalities
and
you
can
choose
one
of
them.
The
other
one
goes
to
him,
right,.
So
it's
to
help
not
only
cn7,
but
the
community
as
well.
A
Part
of
the
dependencies
right
from
the
libraries
of
women
skills
in
independence
that
have
been
growing
more
and
more
is
more
important
there
nowadays,
especially
at
the
end
of
the
year
right
who
didn't
miss
a
weekend
there
with
the
vulnerability
of
the
blog
forjei
right
then
a
little
bit
about
this
is
also
good
there
in
the
research,
result,
right?
The
issue
of
vulnerabilities,
there,
analysis
of
the
projects,
right?
What
are
the.
A
Most
vulnerable?
lines
of
code
there,
so
there
are
more
chances
and
there
is
more
vulnerability.
It
is
a
proportion
there.
It
is
kind
of
equivalent
more
lines
of
code.
That
more
chance
does
not
mean
more
vulnerable
here,
but
there
is
a
greater
chance
of
having
more
problems.
It
is
complex,
right
and
there
may
be
more
So
problems
with
the
internet
start
to
skyrocket,.
A
There's
also
been
more
auditing,
if
there's
been
an
audit
last
year
or
in
It
should
be
starting
this
year
to
do
another
audit,
also
on
the
Kubernetes
bracelet,
the
project,
that's
more
representative
of
more
usefulness
there
for
the
community,
too
Oh
okay,.
But
what
about
the
types
of
vulnerabilities?
What?
Are
you
going
to
do
with
these
types?
What
are
they?
What.
Do
we
have
to
focus
on?.
A
A
A
list
of
the
most
common
or
most
impactful
vulnerabilities
and
durability,
and
risks,
right
for
web
applications,,
right,
last
year,,
I
think,,
also
a
non-profit
foundation
for
the
public,.
The
new
version
of
the
hospital
has
2021,
I
recommend
taking
a
look,
right?
here
the
companies
that
made
the
others,
they
have
a
category
in
this
little
table,.
A
It
was
from
the
company's
own
report
saying
how
they
classify
the
vulnerabilities
they
found,
right,,
so
ok,
I
got
their
classification
and
some
news
that
this
classification,
others
that
were
made
by
other
companies,
I
didn't
have
it
I
tried
to
understand
the
concept,
the
skill,
it's
really
doing.
It
's
an
access,
control
problem,
an
input,
validation,
problem,
denial
of
service
And,
then
I
also
put
in
some
vulnerabilities
that
didn't
there
was
the
classification
I,
classify
them
there
too,
to
be
able
to
measure
everything
in
a
more
equal
way
there
and
So.
What
is
the
classification?
A
The
category
of
vulnerability
that
occurs
most
in
these
projects
that
was
most
identified
is
the
first
one
is
validation
of
input
data
evaluation,
that
is,
the
big
problem
with
the
code
of
your
applications
and
input,
validation,
input,
validation
that
something
we've
been
talking
about
for
a
long
time,
right
input,
validation
receives
a
parameter.
You
don't
know
where
it
comes
from.
You
don't
trust
it,
but
the
validation,
you
know,.
We
have
several
types
of
input.
Validation,,
we
have
validation,,
it's
halal,
the
China
narghile
list,,
which
was
an
old
Blacklist
whitelist,.
A
We
have
syntactic
validation,
semantic
validation,
sure,.
We
have
validation
on
the
client,
side,
validation
on
the
server
side,
I
have
several
types
of
variation
that
can
be
complex
many
times.
The
developer
is
not
mainly
if
someone
is
starting
right,
so
remember
to
validate
data
right
as
soon
as
you
receive.
It
is
one
of
the
basic
things
and
some
problems
that
still
cause
a
greater
number
of
vulnerabilities.
In
e.
There
are
claudinete
applications,,
then
after
that
comes
the
configuration
part,.
We
know
that
configuration
problem.
Misconfiguration
is
a
big
problem
for
a
cloudless
environment,.
A
So
if
you
don't
configure
the
tool
correctly,,
not
setting
the
security
settings
is
also
a
serious
problem,
right
and,
and
one
third
place
is
for
the
natal
service
denial
of
service,,
so
some
vulnerability
that
causes
a
very
large
consumption
of
memory
or
crashes.
The
program
that
can
impact,
stop
every
application
in
which
they
are
considered
a
denial
of
service,.
So
it
is
very
important
for
us
to
take
a
look
on
this
second
one,
to
come
here
in
these
active
types,
in
fact,,
it's
more
common
to
understand
how
they
occur,
right?
It's,
the
buffer
overflow,.
A
There
are
also
some
cases
there,.
There
are
some
tests
that
were
done
in
the
applications
that
were
Frozen
tests,
right
?,
where
we
are
going
to
try
to
cause
an
error
cause
this.
The
voice
of
the
application
was
also
not
identified.
Some
input,
validation,
problems,
1
the
beauty
just
Following
here
for
us,
right,
to
conclude
a
little,
right,.
This
part
of
the
report,
right,
is
to
leave
a
little
calmer.
Despite
having
already
talked
about
security,
vulnerabilities,
leaving
people
a
little
calmer.
A
Is
the
following,
right,
the
severity
of
these
vulnerabilities,,
not
like
that
city
with
the
problem,?
How
is
that,
right,
and
from
the
analysis
of
the
result
of
the
classification,?
This
classification
was
given
by
the
own
companies
that
found
the
second
skill
right
in
the
projects
that
I
analyzed
most
of
the
modalities
are
connected
low
level.
It
is
not
considered
the
long
level.
Next
is
second
in
the
medium
level.
So
that
means
that
the
big
ones
exist,
but
they
are
not
as
customers
with.
A
There
are
some
errors
there
that
can
be
easily
corrected
and
corrected,
and
most
of
them
have
already
been
corrected
there
within
these
projects,
right
Mainly,
because
they
need
to
correct
these
problems
to
move
on
to
graduate
there
and
be
promoted
there
within
the
within
the
CNC
format.
There,
right,.
So
it's
not
something
that
critical,
but
we
need
to
think
about
the
security
of
these
projects
too.
A
And.
That's
the
second
part
of
the
research,
right,.
It
was
to
analyze
the
issue
of
dependency.
Vulnerabilities,
right?
What
are
the
dependencies
of
this
project.
How
much
is
it.
These
libraries
are
up
to
date,
right?
You're,
using
the
dependency
library
in
the
latest
version.
So.
This
library
has
some
publicly
known
vulnerability.
So
I
tried
to
do
this
analysis
of
these
projects
of
all
projects
that
not
all
rcf
projects,
but
all
projects
that
had
a
report.
It's
an
audit
of
a
test
previously
published
right.
That's
what
I
did
I
put
all
the
projects
together.
A
I
put
it
in
a
dependency
analysis
tool
called
open
source
title
in
it's
based
on
the
other
product,
you
know,.
We
have
a
partnership
with
the
smic
tool
that
it
is
a
great
tool
for
analyzing
libraries,
so
from
Alegre
Oi
to
the
pen
partner
So.
You
want
to
use
it
to
analyze
any
code
that
is
free.
That
is
someone
only.
If
you
have
a
public
repository,
you
can
do
it
for
free
So.
Ok,
then
I
uploaded
these
projects.
A
There
I
did
an
analysis
and
I
started
to
analyze
it,
and
we
can
see
by
the
image
there,
the
number
of
libraries
with
vulnerabilities,
right,,
so
there's
a
critical
CD,
HD
High,,
high,
Medium
and
Lou
low,
right,,
and
that's
taking
the
Nutri
project
as
it's
there.
In
the
first
place,
because
it
has
a
critical
vulnerability,
right
at
the
time
of
the
expression,,
it's
kubernetes
in
the
first
place,
right,
in
number
of
pro
lens
number
of
libraries
and
consequently
number
of
vulnerabilities
And.
A
A
Kubernetes
was
exactly
what
happened
in
the
situation
of
the
forged
log,
right?
At
the
end
of
last
year,.
Many
applications
came
to
the
blog
for
people
library,,
but
they
didn't
call
them
directly,.
If
I'm
not
mistaken,,
they
did
the
research
there
from
700
to
seventy
percent
of
the
applications
that
used
the
Ford
logo
and
used
an
indirect
dependency
a
transient
dependency.
Then
you
already
had
a
library
called
the
logo
and
Ford
there.
A
So
if
I
didn't
have
a
tool
to
analyze
this,
to
do
this
analysis
of
software
composition,,
you
know
what
we
call
s
in
And,
then
I
would
have
no
way
of
knowing.
If
I
was
using
the
library,,
they
were
just
nervous
or
not
good.
So
that
is
still
keeping
these
libraries
up
to
date
to
support
the
project
to
update.
If
there
is
any
problem,
we
need
to
see
if
this
can
really
be
exploited
by
someone
internally,
the
project,
right?.
A
A
's
something
you
have
to
be
in
constant
monitoring
and
always
updating
there
and
obviously
to
update
this
dependency.
You
need
to
have
a
series
of
tests,
right,,
regressive
ones
there
to
guarantee
that
your
application
will
continue
working
after
updating,
right
that
there
are
a
lot
of
people
who
are
afraid,
greater
fear
from
the
developer,.
That's
breaking
the
application,
right,,
so
don't
touch
something
that's
running,
and
we
have
to
have
this,
it's
losing
yourself
and
always
trying
to
update
to
fix
these
problems.
A
I
did
at
the
end
of
last
year
is
the
following
these
projects,
these
analyzes
they
are
not.
They
are
not
periodic.
They
do
not
follow
a
certain
flow
or
every
six
months
every
year.
Something
like
that
right.
They
are
sporadic
and
you
did
one
and
it
ended
right.
Then
they
analyze
the
project.
At
that
specific
moment,
And
then,
after
some
time
has
passed,
the
project
has
improved
or
deteriorated
in
terms
of
security.
A
.
Here
is
the
analysis
of
creating
bucket
programs.
Bucket
is
not
reward
programs
just
a
project
of
all
sncf.
There
is
a
reward
program
right,
a
good
debate
program
that
is
kubernetes
So.
If
you
go
there
on
Raquel
amm's
platform,
you
found
one
vulnerability
on
the
Internet.
You
can
go
there
and
report
this
one
when
friendship
exists,
I
pay
the
amount
in
dollars
depending
on
Happiness.
There
are
all
the
criteria
there
for
vulnerability,
but
only
kubernetes,
the
others.
A
The
third
problem
I
came
across
is
that
the
process
is
for
selecting
companies,
I
do
n't
know.
If
you
noticed
on
the
slides,
there
is
practically
two
or
three
companies.
They
are
the
ones
that
most
did
the
safety
tests
there
of
all
the
projects,
right.
So
this
company
selection
process
is
often
a
little
for
me.
It
didn't
appear
a
bit
obscure.
It
lacked
disclosure
more.
A
A
Kubernetes
security,
audit,
I
tried
to
publicize
more,,
calling
some
Brazilian
companies
to
participate
in
that
so
I
think
promoting
this
respect.
More
is
interesting
not
only
to
serve
more
for
the
community
as
a
whole
and
finally,
right.
Ah,
I
think
that
one
right
there
would
be
a
complaint,
I
think
that
in
the
world
of
security
and
in
the
world
that
we
are
living
with
devops,,
it
must
be
here,.
Look.
I
did
it,
it's
difficult
for
us
to
treat
it's
a
place,
skills,
right
if
and
we're
Alert
receiving
everything
there.
A
A
There
also
make
it
easier
for
people
to
correct
these
problems,
so
there's
a
more
easier
way
to
interpret
receiving
these
results,
something
that
can
be
consumed
by
the
community
by
the
open-source
community
by
CNC
F,
to
help
in
the
analysis
and
interpretation
in
the
monitoring
of
results
of
any
and
whether
or
not
some
sky
or
not
cs-bl
of
life
for
us
to
work.
I
think
it
would
be
interesting
right,
yes,
obviously,
to
focus
in
these
problems,.
We
saw
that
there
were
several
problems
of
vulnerabilities
in
libraries
in
salinense
independence
projects.
A
A
A
A
A
as
an
outsider
and
I
'm
going
to
say
no.
This
here
is
the
estimate.
This
one
here
is
8
hours
to
4:00.
It
doesn't
exist
right
who's
going
to
say
who
has
to
say
what
has
to
be
changed
right.
It
could
be
just
a
line
in
my
vision,
but
this
alteration
of
mine
can
affect
other
components,.
So
it's
hard
to
say
how
long
it
will
take,
right?
It's
each
collection.
A
Questions
are
now
appearing
a
lot.
What
is
the
name
of
the
Scanner
of
a
severity
that
I
used
the
real
scanner
that
I
used
for
part
of
the
dependencies,,
the
other
one
was
just
to
analyze
the
reports
and
this
year
to
learn
pending
issues,
I
used
the
open
source
Security
from
Trend
micro
plus,
it
is
based
on
snick,
snick.
Oh,,
or
it
has
a
free
version
or
for
the
super
project,.
Just
let
me
see
it
here,,
assuming
the
questions
here,,
because
it
's
a
map,.
You
think
it
brings
more
vulnerability
to.
A
And
being
a
person
thinks,
you're
saying
in
the
issue
of
kubernetes,
there's
a
API
is
Pein's
vulnerability,.
It
will
be
more
the
question
of
if
you
watched
the
press
exposed,
so,
for
example,
that
the
baby
serves
them
in
the
case
of
Kubernetes
is
already
exposed
to
the
internet.
This
is
already
a
problem
if
you
don't
have
a
type
of
authentication
for
authorization,
make
requests
so
that
it
also
asks
for
a
problem
to
do
a
limit.
A
Reti
work,
too,
right,
so
one
of
the
most
basic
security
recommendations
for
the
sorry
complex
is
not
to
expose
yours
among
the
herbs
right
on
your
kubernetes
nickname
server,
our
body,
the
internet.
If
there
is
no
need
here
is
one
more
cloud.
Customer
products,
for
example,
Microsoft
descend
with
Quality,
do
a
series
of
verification
of
units.
Do
you
know
if
the
solution
presented
even
has
any
similarity
with
tools
embedded
in
the
players?
I
did
not
get
to
test
this
Microsoft
defender
from
Qualy,
right,,
I.
A
A
And
it
was
just
important
for
you
to
test
the
security
of
your
costs.
It's
not
your
environment
claudinette.
He
was
happy
right.
The
first
is
a
scan
of
images
of
containers
there,
so
it
can
be
a
Claire
of
life.
A
crisis
is
not
another
tool.
There
make
you
scanning
the
image
of
your
understanding
before
it
goes
into
production.
You
can
also
have
an
analyzer,
it's
not
an
Inter
of
Doc
files
for
even
before
you
rotate
the
image
you
see
if
I
give
that
it's
easy,
creating
a
vulnerable
container
running
the
container
like
Rute.
A
Something
like
that.
You
can
have
this
right.
This
is
a
pre-stage
right,
let's
say
the
second
tool
that
I
think
is
important,
for
you
is
one,
is
a
type
of
one
admitted
in
control
right
that
we
had
the
Maybe
it
takes
off
this
one.
Now
it's
become
a
new
version.
You
can
proceed
to
what
is
the
security,
the
raccoon
panel
with
the
control?
It
will
control
admission
of
the
images
in
the
cluster
right.
So
it's
that
nightclub
security-
that
will
say
this
container
of
yours
was
forwarded
right.
This
is
the
container.
A
Ok,
the
women
have
some
critical
gravity.
No,
they
don't
have
the
beauty,
they
can
join
the
clan,
otherwise
they
can't
enter
the
clan.
There
are
other
solutions,
besides
being
able
to
feel
it
is
native
to
kubernetes.
You
have
Caio
vento
You
have
Opa
right,
who
is
the
UPA
Gate
Keeper,
so
you
can
implement
your
own
policies
there
for
joining
the
clan
and
the
third
item.
The
third
tool
that
I
think
is
important
is
to
advance
insecurity,
right
to
analyze,
the
one-time
after
that,
your
contains
were
not
running
there
in
the
resulting
visibility.
A
What
happens
to
them?
If
someone
manages
to
execute
some
remote
code
execution,
they
are
downloading
a
tool
to
install
Cleiton
Mayer.
It
is
not
that
what
happens
most
in
these
environments
is
the
installation
of
Bitcoin
cryptocurrencies,
and
you
managed
to
detect
this
then
in
the
tool,
as
a
Falcão
da
vida
would
help
there,
right,
in
detecting
these
problems
of
advantage,,
okay,
shampoo,
post
here,
a
General
post,
the
link
to
this
smith.io
survey.
Ok.
A
Let
me
see
if
there's
more
here,
ask
backstage
if
I
have
plaster
in
my
inner
childhood
issues,
insecurity
I
find
a
purpose
for
the
service,
like
English
What's.
The
best
way
to
report
Well
the
best
way
to
report.
Nowadays,
one
of
the
things
I
think
I
didn't
say
directly
in
the
lecture
is
the
following.
Despite
the
fact
that
CNC
FL
Tools
programs
don't
have
a
good
debate
program,
most
of
them
have
a
form
of
communication.
A
There
is
a
file
inside
the
bbb'
repository
called
the
et.net
site,,
which
is
what
the
contact
is
for
security
to
get
in
touch
with
the
maintainers,
right.
They
will
tell
you
Look
if
you
found
a
security,
vinegar
right,
If,
it's
critical
You're,
not
going
to
create
a
switch
you're
going
to
make
it
public
right,
because
I
have
attackers
who
monitor
these
videos
Branches.
Also
take
this
concept
of
vulnerability
can
start
attacking
like
what
happened
with
the
logo
and
forge
it.
So
the
idea
is
to
get
in
touch
directly
with
the
maintainers
of
the
project,.
A
Each
Ruby
kit
of
them
should
have
a
contact,,
especially
if
they
are
from
CRF.
If
you
think
it
will
regain
credibility,
soon,
I
cut
it.
There
is
another
alternative.
That's
it
I
think
this.
Is
it
a
discussion
there
a
little
bit
outside
the
lecture,
but
I
don't
know
if
it
will
come
back
yet
I
think
it's
an
important
library
for
the
Java
environment,.
A
A
Let
me
see
there
are
many
more
questions
here
and
how
do
you
do
it
when
the
tools
that
make
the
head
of
nulls
differ,
for
example,
red
red?
We
use
it
for
screen
image
and
note
fax
web
use
another,
and
there
will
always
be
a
difference
in
the
result
in
tool.
There
will
always
be
the
tools,
no
are
the
same,.
They
use
not
only
different
techniques
to
analyze
the
vulnerability,,
but
sometimes
databases
based
on
their
vulnerabilities
are
different.
For
example,.
A
A
Security
anywhere
Power
is
a
shitty
recipe
for
checking
vulnerabilities.
As
far
as
I
know,
Paulo
is
more
focused
on
WS
for
the
cloud
right,
I,
don't
know
if
it
has
rules
or
some
checks
there
for
the
varnish
right,
I
didn't
use
it
for
talk
to
Alysson
Oliveira.
You
are
a
monster
Magno
thanks
thanks
there
Davi
discovered
on
the
better
trail,
Claire
I
never
got
to
compare
the
two
right
when
I
started
testing.
We
use
Claire
just
the
last
question
here
to
finish
there
guys
let
the
next
one
pass
to
reduce
the
risk.
A
It's
best
to
create
a
minimum
of
layers
possible
and
make
use
of
Monte
3D
bilge,
bola,
João
Neto.
That's
it
not
only
the
minimum
of
layers
but
use
a
minimum
image
possible,
not
the
Small
image
of
he
calls
there.
You
can
create
a
distro
lesson
from
Scratch
right,
so
there
are
some
techniques
to
create
a
very
small
container
right
to
reduce
the
attack
surface
right.
The
less
packages
installed
in
your
container,
the
less
chances
of
having
a
vulnerability.
It
will
be
exploited
and
also
love.
Good
morning
de
there
you
said
it's
also
important,.
A
You
use
a
process
of
creating
from
the
same
image.
You
create
your
image
for
the
approval
and
production
environment.
This
is
sensational,
Alright,
I.
Think
I'm
done
with
the
questions
and
I'm
also
running
out
of
time,
and
thank
you
everyone's
participation
there
and
the
opportunity
to
be
here
for
the
Brazilian
community,
despite
being
out
of
Brazil
for
a
few
years,
and
that's
it
Thanks
guys
and
see
you
later.