►
From YouTube: A Security State of Mind: Compliance and Vulnerability Audits for Containers by Chris Van Tuin
Description
A Security State of Mind: Compliance and Vulnerability Audits for Containers - Chris Van Tuin, Red Hat
"A Security State of Mind: Compliance and Vulnerability Audits for Containers
Data breaches are on the rise and placing increased pressure on Enterprise IT to protect the business. With the rise of DevOps and as hackers takes advantage of known vulnerabilities on unpatched or misconfigured systems, Enterprise IT increasingly needs to automate vulnerability management, security management, and compliance checking. OpenSCAP is an opensource tool for automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.
In this presentation, you'll learn about:
* How Containers enable DevOps, Container Technology, and the security risks with deploying containers in the enterprise
* Security vulnerability (CVEs) and Configuration issues (CCEs) notifications and checks
* Automating vulnerability management, security management, and compliance checking with OpenSCAP
* Scanning online and offline Containers and Virtual Machines with OpenSCAP
* Generating and understanding OpenSCAP audit reports
* Customizing OpenSCAP profiles
Join Chris Van Tuin, Chief Technologist, West at Red Hat, as he walks through the inherent security risks of deploying containers in the enterprise and how OpenSCAP can help protect and secure the business."
About Chris Van Tuin
Chris Van Tuin, Chief Technologist for the West Region NA at Red Hat, has over 20 years of experience in IT and Software. Since joining Red Hat in 2005, Chris has been architecting solutions for strategic customers and partners with a focus on emerging technologies including IaaS, PaaS, and DevOps. He started his career at Intel in IT and Managed Hosting followed by leadership roles in services and sales engineering at Loudcloud and Linux startups. Chris holds a Bachelors of Electrical Engineering from Georgia Institute of Technology.
Join us for KubeCon + CloudNativeCon in Barcelona May 20 - 23, Shanghai June 24 - 26, and San Diego November 18 - 21! Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy and all of the other CNCF-hosted projects.
A
And,
ultimately,
the
discussion
typically
leads
to
how
we
can
move
applications
quicker
from
dev
tests
in
the
production
with
adopting
DevOps
and
adopting
containers
and
leveraging
Kuber
Nettie's
to
enable
that
transformation,
and
one
of
the
key
topics
also
is
around
security
in
that
type
of
environment.
So
today
we're
going
to
drill
down
into
some
of
the
security
aspects,
in
particular
around
container
images
and
how
you
can
scan
them
for
vulnerabilities
and
compliance
to
your
security
policy,
as
well
as
some
best
practices
in
from
a
security
context.
A
But
first
from
an
industry
perspective,
you
know
about
20
years
ago,
Andy
Grove
talked
about
how
only
the
paranoid
survive
and
that's
not
just
about
security.
His
context
of
that
was
really
about
strategic
inflection
points
and
how
there
are
moments
of
massive
change
and
companies
have
a
decision.
They
can
either
adapt
and
thrive
or
fall
by
the
wayside,
and
certainly,
as
you
look
across
many
different
interest
industries
across
the
globe,
you
see
a
transformation
happening.
Here's
an
example
of
one:
does
anybody
recognize
what
this
is
a
photo
of
right?
A
This
is
the
Tesla
automobile
factory
and
the
reason
I
show
this
is
software
is
having
a
transformational
effect,
not
just
on
the
production
of
these
vehicles
in
the
factory.
But
long
after
you
leave
the
dealer
lot.
The
car
actually
gets
better
over
time,
because
three,
six
nine
months
down
the
road
they
can
send
software
updates
over
the
wire,
improving
zero
to
sixty
time
battery
efficiency
or
the
applications
in
the
actual
automobile
and
who
has
not
read
about
a
vehicle
recall
lately.
A
When
it
comes
up
to
that
in
some
cases,
they
can
actually
deliver
an
update
to
rectify
that
issue
as
well
saving
a
millions
of
dollars
over
the
competition.
So
a
lot
of
pressure
on
IT
to
keep
up
and
not
become
the
bottleneck
right.
How
does
I.t
become
a
strategic
differentiator,
rather
than
viewed
as
a
cost
center
right,
enabling
the
business
to
deliver
applications
and
new
capabilities
and
innovation
when
they
need?
A
It
is
certainly
one
way
and
IT
must
adjust,
must
transform
to
stay
ahead
and
there's
a
shift
in
how
applications
are
being
developed,
the
application
architecture
and
in
the
underlying
infrastructure
on
which
these
applications
run
in
terms
of
application
development
process,
a
movement
away
from
the
waterfall
method
that
takes
months
or
years
to
release
new
applications
to
one
around
DevOps
breaking
the
walls.
It
typically
lie
between
the
developers
in
the
operations
right,
enabling
you
to
deliver
applications
quickly
in
a
matter
of
minutes
or
hours
into
production
from
development.
A
Also
microservices,
you
know
the
architecture
of
the
application
needs
to
be
redesigned,
so
that's
small
components
of
services
that
are
decoupled
that
can
evolve
independently,
can
rapidly
be
started
up
and
down
and
can
reduce
the
amount
of
risks
you're
taking.
As
you
enter,
a
new
change
into
production
right,
don't
bet
the
whole
business
on
that
monolithic,
app
update,
I
decompose
it
into
a
micro
service,
reduce
that
risk.
Also,
you
know:
how
do
you
deliver
those
applications?
A
A
lot
of
folks
talk
about
how
easy
it
is
to
install
an
application
on
your
mobile
phone
or
to
update
it.
Why
is
it
so
difficult
to
roll
out
applications
in
the
enterprise
right
and
that's?
The
promise
of
containers
is
to
simplify
and
to
be
able
to
package
your
application
once
in
the
software
factory
and
then
deploy
anywhere,
whether
its
private
public
cloud,
physical
virtual
in
I
ernment
in
a
matter
of
minutes,
and
so
DevOps
is
certainly
a
big
part
of
this.
But
what
about
security?
It's
often
forgotten
right.
A
First
also
adjusting
your
processes,
your
continuous
integration,
your
continuous
deployment
methodology
to
incorporate
security
right
and
also
from
a
technical
perspective,
choosing
those
platforms
that
can
enable
you
to
simply
define
policy
and
enforce
that
policy,
whether
it's
dev
tests,
production,
public
or
private
cloud,
and
so,
as
you
see
this
transition
into
a
CI
CD
container
world
around
DevOps,
you
know
there.
Many
security
concerns,
there's
new
processes,
etc
and
in
regards
to
container
images.
There's
new
security
implications
there
as
well,
and
so
in
this
talk
will
talk
about
those
moving
forward.
A
But
typically
you
know,
a
container
image
starts
out
with
a
docker
file,
maybe
in
source
code
repository
and
then
you
go
ahead
and
build
that
container
image,
and
then
you
put
that
Emmett,
maybe
with
a
build
image
who
will
leverage
a
base,
r,
l,
7
image
and
your
base
middleware
and
then
output
that
artifact
and
store
that
so
that
you
package
it
once
and
then
deploy
into
all
of
your
environments.
Right,
you
don't
rebuild
or
reconfigure
as
you
move
into
a
different
environment,
so
whether
it's
Deb
you
80
or
production.
A
You
always
go
back
to
your
repository
and
fetch
that
image
that
was
built
and
tested,
and
so
let's
talk
a
little
bit
more
about
container
images.
You
know
when
it
comes
to
containers,
there's
a
lot
of
different
security
concerns
and
areas
to
focus
on
here's,
just
a
list
of
maybe
some
of
the
highlights
of
the
tenant
in
a
kubri,
Nettie's
type
of
environment.
In
this
talk,
we're
going
to
focus
on
the
top
half
those
around
securing
container
images,
the
ones
that
are
most
relevant
around
you
know
what.
A
How
do
you
ensure
that
your
content
is
secure
from
a
container
image
perspective?
How
do
you
ensure
that
you're
providing
secure
images
across
your
environment
from
your
registry?
Also?
How
are
you
incorporating
security
into
the
build
process
of
your
CI
and
how
about
the
CD?
How
are
you
ensuring
that
you're
deploying
secure
images
out
there
in
your
environment
and
then
the
host
that
you're
running
on
ultimately
as
well,
and
the
basic
premise
of
a
life
cycle
of
a
container
based
environment,
is
that
you
build
ship
and
run
right?
You
build
from
the
docker
file.
A
You
then
share
it
via
a
public
or
private
registry,
and
then
you
run
it
on
physical,
virtual,
private
or
public
cloud,
and
so
one
of
the
first
things
to
note
about
containers
is
really
to
treat
them
as
immutable
right.
This
is
a
best
practice
and
to
make
your
life
a
lot
easier
to
separate
the
code
from
the
configuration
and
the
data.
A
So
as
you
view
for
applications
that
you
want
to
container
eyes,
it's
great
to
architect
your
image
to
have
the
code
in
the
base
image
and
then
separate
your
configuration,
you
know,
store
it
in
a
data,
store,
use,
environment,
variables,
etc,
pass
it
outside
of
the
the
image
and
stored
outside
and
then,
of
course,
leverage
external
volumes
for
your
data
or
external
data
sources
and
inside
the
image
you
know
what
goes
inside
is
the
application,
as
well
as
your
immediate
dependency.
So
when
you
build
a
image,
it
will
pull
in.
A
For
instance,
AC
application
will
pull
in
bash
and
G
Lib
C
or
your
Java
app
will
pull
in
the
JRE
as
well,
and
the
nice
thing
about
docker
image
is,
it
can
be
for
any
language
right,
similar
to
analogy
would
be
in
the
Java
world.
You
have
your
war
ear
file,
and
then
you
have
the
JVM
as
your
runtime.
Likewise,
in
a
container
world,
you
have
your
container
image
and
then
you
have
your
container
runtime
environment.
A
Now
from
a
security
perspective,
as
you
build
these
images,
you
need
to
be
aware
of.
What's
going
inside
the
image
right,
there,
security
concerns
about
these
dependencies
that
are
being
pulled
in
and
here's
a
an
example
showing
you
of
those
components
that
were
pulled
in
right.
The
developer
didn't
develop
these,
and
so
the
JRE,
for
instance,
and
the
second
one
got
pulled
in
for
that
java
application
and
what
you
may
not
be
able
to
see
in
that
triangle
is
the
number
66
right.
This
represents
66
security
notification.
A
Since
r
l
7
was
released
for
the
JRE.
What
does
that
mean?
That
means,
while
I
need
to
be
paying
attention
to
what's
going
inside
to
the
container,
I
need
to
understand
how
am
I
to
get
security
notifications
for
these
components
right,
who's
to
be
tracking,
that
and
just
because
I
pull
it
down
and
it
doesn't
have
a
security
issue
at
that
time
doesn't
mean
over
the
life
cycle
of
that
application.
A
Now
also
in
terms
of
sharing
right
registry
security,
one
of
the
things
you
may
not
know
took
a
scan
around
docker
hub,
but
there's
a
lot
of
security
issues
in
public,
provided
images
and
developers
continually
download
these
images
into
the
enterprise.
Well,
you
need
to
be
aware
of
what
you're
pulling
in
right,
and
so
there
were
sixty
four
percent
had
medium
or
high
security,
gnome
security
vulnerabilities
at
the
time
of
this
research,
and
so
what
do
you
do
as
an
enterprise
right?
So
one
choice
is,
rather
than
just
rely
strictly
on
public
open
repositories.
A
Bring
in
a
private
registry
build
that
out,
whether
you
host
it
externally
or
internally
really,
but
set
that
up.
So
your
developers
can
push
their
code
with
they
have
the
access
to,
as
well
as
the
operations
teams
and
the
middleware
team,
etc,
can
push
standard
images,
and
you
can
form
a
security
process
around
that,
as
well
as
access
and
authorization
control.
A
How
about
the
container
build
process
right
so
in
the
existing
world?
You
know
you
have
these
individual
roles
that
typically
you
have
a
core
build,
or
the
operations
folk
building
out
that
base
image,
and
then
you
have
the
middleware
team
layering
on
navy,
Tomcat
or
jboss,
and
then
you
have
the
developer,
adding
on
their
code
right
three
distinct
areas.
How
does
that
carry
over
into
the
container
world
right?
Well,
the
dockerfile
normalizes
the
language
everyone's
speaking
right
no
longer
is
it
kick-start
files,
tar
balls
and
war
files.
A
Rather,
it's
a
docker
file
for
the
base
build
for
the
middleware
layer
as
well
as
the
application
developer,
so
that
makes
it
a
lot
easier
to
collaborate
and
work
together,
which
is
a
key
principle
around
DevOps,
but
also
you
know
in
terms
of
security
responsibilities.
You
know
just
because
a
developer
is
now
building
it
with
a
docker
file
doesn't
mean
they're
responsible
for
the
whole
stack
in
tracking
all
these
security
issues
all
right.
A
Nor
would
you
want
to
do
that
because
the
time
is
best
spent
developing
on
a
business
logic,
and
so
as
a
developer
builds
an
application.
It
depends
on
that
tomcat
image.
That
in
turn
depends
on
a
rel
7
image
right.
You
can
layer
that
in
docker
and
then,
if
one
of
those
layers
gets
updated,
you
could
have
a
process
that
triggers
an
automated
rebuild
right,
and
why
would
that
image
be
updated?
Well,
a
security
issue
right.
A
The
operations
team
is
tracking
those
issues.
They
subscribe
to
a
security
notification
and
they
may
rebuild
the
base
image
over
time
when
there
are
issues
or
bug,
fixes
or
enhancements
that
need
to
be
go
out
going
out
there
and
then
update
the
registry
with
that
image
and
then,
therefore,
because
of
the
dependency
chain,
they
can
automatically
trigger
a
rebuild
of
any
application
that
was
depending
on
that
particular
image,
and
so
that's
the
best
practice
there.
Also
in
terms
of
security
scanning,
you
know
waiting
to
scan
and
production.
It's
too
late.
All
right!
A
A
As
you
wait
further
down
the
road
to
address
these
security
issues,
it
gets
more
expensive
to
address
and
resolve
and
so
take
a
security
first
approached
by
incorporating
in
your
continuous
integration.
Now
in
terms
of
post
security,
you
want
to
be
sure
that
these
images
are
running
on
a
secure
and
hardened
host.
A
There's,
certainly
a
lot
of
technologies
within
your
container
hosts
that
provides
security,
cgroups,
providing
quality
of
service
namespace,
providing
that
nice
isolation
and
selinux
enforcing
mandatory
access
control,
so
that
processes
only
can
access
what
explicitly
stated
and
inset
com
providing
a
filtered
set
of
colonel
capabilities
to
the
process.
So
you
reduce
that
footprint
of
attack,
also
in
terms
of
best
practices,
you
know,
don't
run
your
container
processes
as
root.
A
Therefore,
you
know
having
all
sorts
of
issues
in
terms
of
if
a
security
vulnerability
is
their
limit
sssh
access,
I
use
the
exec
command
from
cube
control.
If
you
need
to
get
in,
there
also
make
sure
you're
using
namespaces
so
that
you
have
the
proper
isolation
when
it
matters
between
different
applications
or
environments
and
make
sure
you're
using
resource
quotas
for
these
images,
in
terms
of
when
they're
instantiated
as
an
instance
in
terms
of
disk
and
memory,
CPU,
etc,
and
then
also
enable
logging
and
have
a
best
practice
around.
A
A
Prod
mist,
as
I
mentioned,
provides
a
set
of
standards
and
content
and
data.
They
have
a
database
that
provides
vulnerability
lists,
as
well
as
a
compliance
checklist
for
the
various
operating
systems
and
providing
best
practices
in
terms
of
security,
configure
station
and
setting
a
typical
common
vulnerability
and
exposure
notification
for
a
vulnerability
is
released
when
it's
known
it
talks
about
what
the
flaw
is.
A
So
as
a
system
administrator
or
a
developer,
I
can
understand,
you
know
why
it's
important,
why
it
may
impact
my
systems
and
whether
I
should
actually
update
my
systems
as
well
based
on
the
criticality
and
then
this
common
configuration
enumeration
is
one
of
these
checklist
items.
From
a
security
perspective
around
policy
enforcement
and
an
example
is
they
have
a
best
standard?
A
So
the
open
SCAP
is
much
more
than
just
a
a
single
scanning
tool.
There's
also
a
library
and
a
CLI.
You
can
leverage
an
open
SCAP
base,
there's
also
the
open,
SCAP
damon,
a
service
that
runs
in
the
background,
evaluates
machines
and
containers
according
to
a
scheduled
period,
and
then
also
you
can
use
the
open,
scat
workbench
to
use
a
graphical
tool
to
divine
your
own
policies.
A
If
you
want
a
secure
environment
from
day
day
one
there
and
then
let's
go
through
some
of
the
use
cases
of
how
you
may
use
the
open
SCAP
tool.
First
off
is
you
might
watch
for
compliance.
Our
password
quality
requirements
set
are
obsolete
services
and
abled
such
as
you
know,
telnet.
You
don't
want
that
and
is
openssh
properly
configured
it
/
temp
on
a
separate
partition.
A
So
these
might
be
some
typical
compliance
policies
that
you
want
to
enforce
and
what
you
can
do
is
you
can
run
the
Oh
SCAP
a
tool
and
specify
your
policy
and
run
it
against
your
particular
in
this
case
a
host
and
it
will
generate
a
list
of
results,
pass
or
fail
for
every
individual
rule
within
your
checklist.
So
it'll
go
down
there,
such
as,
in
this
case,
ssh
root.
Login
was
not
disabled
on
this
particular
host.
A
All
right,
so
there's
a
complete
laundry
list
of
different
rules
in
the
standard
checklist
and
you
can
add
or
subtract
from
that
depending
on
your
particular
environment.
But
once
the
scan
is
done,
you
also
get
a
report
for
that
particular
target
and
you
can
see
at
a
high
level
the
results
in
terms
of
compliance,
so
34
of
the
checks,
past
and
33
failed,
and
you
can
see
the
severity
level
as
well.
A
So
this
one
has
quite
a
few
issues
and
then
I
could
actually
drill
down
and
see
a
complete
list
of
the
failures
and
passes
alright,
so
I
can
see
the
password
minimum
length
a
lot
of
issues
around
that
on
this
particular
system.
But
even
nicer
is
that
I
can
then
remediate
the
issue
right,
so
it
provides
the
logic
and
a
script.
A
You
can
see
that
script
I
can
cut
and
paste
it
and
run
it
on
the
particular
host
or
I
could
actually
just
press
a
button
and
it
would
run
it
against
it
as
well,
and
so
this
is
a
nice
way
to
remediate
the
particular
security
issues.
It's
identified
on
the
host,
the
virtual
machine
or
in
the
container
alright.
So
another
use
case
is
to
scan
for
known
vulnerabilities
right.
You
know
what
RPM
needs
updating.
What
is
the
criticality
of
the
vulnerability?
A
If
you
need
to
keep
track
of
that
in
your
particular
environment
and
I,
can
drill
down
and
see
a
line
by
line
of
every
failed,
known
vulnerability.
That's
on
this
system
and
I
can
see
in
the
red
there.
There's
a
few
issues
on
this
particular
target
and
I
could
actually
drill
down
and
I
can
apply
a
particular
update
for
my
operating
system
to
rectify
that
particular
issue.
A
So
there's
a
couple
use
cases
if
you
know
is
the
docker
image
compliant
is
the
docker
image,
patch,
etc,
and
so
I
can
actually
run
this
tool
using
the
docker
add-on
and
it'll
go
ahead
and
run
the
scan
against
the
target
and
I
can
run
the
scan
against
the
image
at
rest
or
a
live
running
container
instance
in
my
environment,
so
I
have
that
option
of
either
or
another
use
case
I
may
want
to
use
is
integrating
it
into
my
CI
CD
pipeline
right.
How
do
I
rapidly
deploy
security
fixes
at
scale?
A
I
have
a
thousand
host
environment
with
ten
thousand
containers
and
there's
a
security
issue
right
in
a
CI
CD
world,
I'm
adding
to
go
out
and
patch
all
10,000
of
those
containers
that
has
never
been
tested
right.
I
want
to
go
back
to
the
factory.
Have
my
developers
run
a
CI
test
with
that
updated
version
that
addresses
the
security
issue
and
then
leverage
my
continuous
deployment
pipeline
to
rapidly
deploy
and
roll
that
out
whether
I
use
a
rolling
update?
A
You
know,
Bluegreen
deployment
and
I
might
want
to
do
some
a/b
testing
to
see
what
the
impact
of
that
is
to
some
live
traffic
before
I
go
all
in
in
deploying
that,
and
so
those
are
some
of
the
capabilities
and
advantages.
I
could
leverage
with
in
Coober
Nettie's
to
leverage
my
continuous
deployment
capabilities,
and
so
here
you
have
an
example
of
the
cic
d
pipeline
so
again
I'm
not
to
go
and
patch
my
production
hosts
or
my
product
I'm.
A
But
I
also
want
to
be
concerned
about
the
host
said
it's
running
on
two
in
production
right,
so
I'm
not
just
running
the
scan
when
I
build
my
images,
but
also
out
in
production
under
run
the
scan
on
host
as
well
to
see
if
the
any
known
issues
as
well
so
having
a
policy
around
production
environment
running
as
well
as
a
part
of
my
build
factory.
So
you
want
to
address
both
in
the
tool
can
can
handle
both
types
of
environments
and
here's
just
an
example
of
my
CI
pipeline.
A
Oh
I
may
want
to
enhance
it.
So
my
current
pipeline
is
build.
Deploy
but
I
want
to
add
a
step
around
security,
scans,
right
and
so
I
can
modify
my
Jenkins
pipeline
to
integrate
the
security
scan
and
that
could
call
out
a
open
SCAP
instance
and
run
a
scan
as
a
part
of
my
Jenkins
job.
And
if
it
doesn't
pass,
then
that
would
flag
as
a
failure
and
not
continue
on
to
the
deployment
phase.
A
A
It
didn't
pass
a
third
of
my
security
checks,
where's
the
pass
with
a
it
passed,
almost
one
hundred
percent
there,
and
if
you
want
to
manage
open
scape
at
scale,
there's
a
lot
of
management
solutions
now
that
integrate
open
scape
as
their
scanner
to
run
across
your
environment.
Foreman
is
one
upstream
project
to
manage
host
systems
at
scale.
It
integrates
open.
Scap,
you
know
manage
IQ
is
another
project
as
well.
That's
integrating
open
SCAP
in
leveraging
that
now
we
have
a
little
bit
of
time.
B
B
A
So
I
just
ran
the
OC
cluster
up
on
my
system.
That
brings
up
an
open
shift
cluster
that
I'm
using
and
so
open
shift
is
our
communities,
distribution
from
Red
Hat,
and
what
that
does
is
it
sets
up
a
registry?
It
sets
up
an
API
server,
as
well
as
a
small
cluster
on
my
laptop
that
I'm
running
here
locally
and
I
can
go
ahead
and
log
into
my
cluster
portal,
so
I
want
to
go
ahead
and.
A
Alright,
well,
unfortunately,
the
the
Wi-Fi
is
down.
So,
let's,
let's
go
back
here.
What
I
was
going
to
show
you
is
when
I
login
I
could
actually
import
custom
pipelines
that
my
developers
would
build
and
define,
and
then
I
could
actually
incorporate
that
security.
Skin
I
would
actually
as
an
operations.
Folks
I
would
build
out
a
open
SCAP
instance
load
that
and
incorporate
that
with
my
Jenkins
server,
the
Jenkins
server
would
actually
run
with
in
Coober
Nettie's,
so
that
could
scale
out
nicely
as
well
as
additional
load
is
hit
on
it.
A
Also
I
could
have
an
individual
Jenkins
instance
to
carry
out
this
security,
scan
/
developer
or
per
project
running
on
Kuber
Nettie's.
So
if
you're
worried
about
all
the
security
scans,
add
extra
length
or
amount
of
time
to
this
process,
I
could
actually
leverage
that
capability
to
be
a
lot
more
efficient
and
in
the
CI
process.
Well,
that's
all
I
had
in
terms
of
the
demonstration
and
the
presentation
today
so
want
to
open
it
up.
A
A
Oh
sure,
so
you
know,
kuber
Nettie's
is
running
container
images,
certainly
that
scale,
and
you
want
to
make
sure
that
those
container
images
are
secure
and
don't
have
any
known.
Security,
vulnerabilities
and
kuber
Nettie's
provides
an
easy
way
to
rapidly
deploy
updates
out
to
your
production
environment,
and
so
you
want
to
leverage
a
scanner
early
on
in
the
process
in
your
CI
process
and
then
be
able
to
leverage
Cooper
Nettie's
to
quickly
deploy
those
scans
out
into
production.
A
You
can
use
things
like
rolling
up
updates
so
that
incrementally
you
roll
out
that
new
security
fix
and
you
make
sure
that
it
doesn't
bring
down
the
site.
You
could
also
leverage
blue
green,
where
you
update
the
green,
the
new
version
and
switch
the
router
over
to
that
new
environment
and
then
also
coober
nannies
can
help
you
test
and
see
if
there's
a
negative
impact
by
this
change
by
doing
a
be
testing.
So
an
a/b
testing,
you
have
a
hundred
percent
of
your
traffic
going
to
version
a
well
that
has
a
security
issue.
A
Let's
package
up
version
b,
roll
that
out
into
the
production
environment,
but
I
don't
want
to
go
all
in
I
want
to
test
it
out.
Maybe
twenty
percent
of
the
traffic
so
I
route,
twenty
percent
of
it
via
kuber,
Nettie's
and
then
I
see
what
the
impact
is
like
did.
My
click
through
rate
go
down.
Did
my
conversion
rate
from
a
sales
perspective
trend
down,
so
maybe
there's
some
functional
impact
or
experience
impact
that
that
security,
fixed
may
may
have
had
a
side
effect
on,
and
so
I
want
to
try
that
out.
A
A
You
know
it's
kind
of
the
whole
analogy:
hey
I
package,
my
container
in
the
warehouse
I,
don't
wait
until
it's
out
on
the
shipyard,
because,
if
there's
an
issue,
I
have
to
go
all
the
way
back
to
the
factory
to
get
a
replacement
and
then
put
it
back
into
the
container.
Likewise,
from
a
security
perspective,
I
don't
want
to
identify
security
issues
once
it's
already
in
production.
I
want
to
identify
that
issue
at
build
time,
and
so
I
think
that's
how
it
integrates
with
a
is
complementary
to
a
coup.
Brunette
ease
deployment.
B
A
A
D
C
A
Sure
yet
so
you
want
to
do
both
right.
You
want
to
be
scanning
as
a
part
of
your
build
process,
but
you
also
want
to
be
monitoring
your
production
environment,
so
they're
tools
like
manage
IQ
there's
also
forthcoming
it
with
in
Coober
Nettie's.
You
know
policy
so
that
when
you
start
an
image
you
can
make
sure
that
it's
signed.
You
can
make
sure
that
it's
scanned
before
it
launches
as
well.
So
you
could
have
just
in
time
checking
as
well.
A
Okay,
great,
thank
you
so
much
for
attending
today's
session.
Again,
my
name
is
chris
van
tine.
My
email
address
is
C
Vann
China
at
redhat.com,
available
on
linkedin
as
well
feel
free
to
reach
out.
If
you
have
any
questions
happy
to
answer
those
and
and
have
any
follow-up
for
you
as
well.
Thank
you
so
much.