From YouTube: Kubernetes Security - Relevancy
As Leo Di Donato tweeted last year, CVE shock is the state of total helplessness facing the overwhelming list of CVEs returned by the vulnerability scanner, or CVE shock. Well, let's take a deep breath and press on. By the end of this webinar, you will have heard about a possible solution to this problem.

It has to be able to list the software on the container image, which is the extracting of the SBOM. The second step is comparing that SBOM with well-known published databases containing information for each software package. This results in a list of vulnerabilities that were found for that image.

Ultimately, what happens is that teams will tend towards solving this by prioritizing vulnerabilities with the scores that put them in the critical and high brackets, which still leaves us with 1,224 high and critical vulnerabilities in the example we gave, and these still need to be remediated and verified.

So how can we detect if a vulnerability is relevant? If a software package is used, then the files it contains are being used by the container. If a software package is not used, it is not relevant for vulnerabilities and can be removed from the SBOM list to compare, and that's the filtered SBOM that we create.

The risk-based approach better explains why we patch the vulnerabilities in the overlap first: the source of vulnerabilities with the most chance of becoming an attack vector are the software binaries loaded to memory, as well as their accessibility from the outside, and this is where the relevancy feature comes in. In case you were wondering what happens if we apply the concept of the Venn diagram to the example images of our security researchers' testing, we can see a massive reduction of 75 to 98 percent.

After so many slides, you probably want to see this in action. Remember that Venn diagram from before; I will show you how relevancy manifests itself in the ARMO platform in this demo. I will be showing you how the new best practice plays out on the platform. I skipped vulnerabilities already, just to shorten the process and to get to the point quickly, as we can see in the cluster.

In my test cluster I have 11,453 vulnerabilities, and this is the list of the images in my cluster that are the source of my vulnerabilities. In order to understand exactly how the new best practice works, we'll take one image, Postgres, which is something that I believe many of you use, in order to understand how the new best practice, that overlapping of the Venn diagram, actually helps you get the most bang for your engineering work on patching vulnerabilities.

So if we were to go fixable, what we have is we are down to eight, and that is not the end, because the third circle of the Venn diagram describes remote code execution or access from remote, because it can be injection as well as execution, and then we go to yes and we are down to two vulnerabilities. Let me just recap, so you understand what we did here: we went from 401 vulnerabilities to 197 relevant vulnerabilities, to eight fixable vulnerabilities, to two that can be accessed from the outside. Our priorities.

It provides the vulnerability scanner's understanding of which components are installed on the image. When we scan for vulnerabilities, we also provide the engine with a filtered SBOM, including only the packages that relate to the files that were accessed during the learning period. This provides us a filtered list of vulnerabilities that are more likely to be relevant.

In this webinar we discussed the new best practice for prioritizing vulnerability fixes. So, let's put it all together now: one, scan your cluster in order to get CVEs; two, filter according to has a fix, relevant and RCE; three, plan to deal with the vulnerabilities in the overlap of the three circles first.
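The three-step funnel the webinar describes (scan, then filter to relevant, fixable and remotely reachable CVEs) as an added example; this is not code from the webinar or the ARMO platform, and the SBOM, accessed-file list and CVE records below are constructed placeholders, not real package data or CVE ids.

```python
"""Prioritisation funnel: all CVEs -> relevant (package owns a file
accessed during the learning period) -> fixable -> remotely reachable."""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Package:
    name: str
    files: Tuple[str, ...]  # paths the package installs into the image

@dataclass(frozen=True)
class Cve:
    cve_id: str                   # constructed placeholder ids, not real CVEs
    package: str
    fixed_version: Optional[str]  # None means no fix is available yet
    remote: bool                  # reachable from outside (RCE / injection)

# Constructed SBOM for a hypothetical Postgres-like image.
SBOM = (
    Package("postgresql", ("/usr/lib/postgresql/bin/postgres", "/usr/lib/libpq.so.5")),
    Package("openssl", ("/usr/lib/libssl.so.3", "/usr/lib/libcrypto.so.3")),
    Package("perl", ("/usr/bin/perl", "/usr/lib/perl5/Carp.pm")),
    Package("curl", ("/usr/bin/curl", "/usr/lib/libcurl.so.4")),
)

# Constructed: files seen opened or executed during the learning period.
ACCESSED_FILES = {
    "/usr/lib/postgresql/bin/postgres", "/usr/lib/libpq.so.5",
    "/usr/lib/libssl.so.3", "/usr/lib/libcrypto.so.3",
}

# Constructed CVE records; perl and curl are never loaded at runtime.
CVES = (
    Cve("CVE-0000-0001", "postgresql", "15.4", True),
    Cve("CVE-0000-0002", "postgresql", None, True),
    Cve("CVE-0000-0003", "openssl", "3.0.10", False),
    Cve("CVE-0000-0004", "openssl", "3.0.11", True),
    Cve("CVE-0000-0005", "perl", "5.36.1", True),
    Cve("CVE-0000-0006", "curl", None, True),
)

def filtered_sbom(sbom, accessed):
    """Keep only packages that own at least one file accessed at runtime."""
    return {p.name for p in sbom if any(f in accessed for f in p.files)}

def prioritise(cves, sbom, accessed):
    """Return the count at each funnel stage and the final priority list."""
    relevant = [c for c in cves if c.package in filtered_sbom(sbom, accessed)]
    fixable = [c for c in relevant if c.fixed_version is not None]
    reachable = [c for c in fixable if c.remote]
    return {"all": len(cves), "relevant": len(relevant),
            "fixable": len(fixable), "reachable": len(reachable),
            "priority": [c.cve_id for c in reachable]}
```

On this constructed data the funnel goes 6 -> 4 -> 3 -> 2, the same shape as the 401 -> 197 -> 8 -> 2 reduction shown in the demo.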