Presented at BSidesSF 2019, March 4, 2019, 3:30 p.m. (30 minutes).
In this talk, Maya and Dan will cover what changes in your patch management story if you use containers instead of virtual machines in production. Containers are meant to be immutable and short-lived, so they are frequently redeployed. Rather than pushing individual code changes to a running system, you rebuild and redeploy the whole container image. Work that would otherwise happen passively, like patching, can instead run continuously, with the latest patched images kept in your image registry. As a result, each new container image is fully patched and can be rolled out or rolled back as one unit, so the patch rollout process becomes the same as your (obviously very frequent) code rollout process, with monitoring, canarying, testing, and lots of SREs in tight black ripped jeans. No more Sunday 2am patching windows!
You’ll learn what containers are, why patching is different for containers, best practices for maintaining your container images and patches as part of an image registry, how Google has used a containerized infrastructure to its advantage to patch critical vulnerabilities like Spectre with no downtime, and that despite trying we can’t make jean jackets cool again.
Presenters:
- Maya Kaczorowski, Tailscale
Maya is a Product Manager at Tailscale, providing secure networking for the long tail. She was most recently at GitHub in software supply chain security, and previously at Google working on container security, encryption at rest and encryption key management. Prior to Google, she was an Engagement Manager at McKinsey & Company, working in IT security for large enterprises.
Maya completed her Master's in mathematics focusing on cryptography and game theory. She is bilingual in English and French.
Outside of work, Maya is passionate about ice cream, puzzling, running, and reading nonfiction.
- Dan Lorenc, Chainguard
Dan has been working on and worrying about containers since 2015 as an engineer and manager.
He started projects like [Minikube](https://github.com/kubernetes/minikube), [Skaffold](https://skaffold.dev/), and [Kaniko](https://github.com/GoogleContainerTools/kaniko) to make containers easy and fun, then got so worried about the state of OSS supply chains that he partnered with Kim and others to found the [Tekton](https://tekton.dev/) and [Sigstore](https://sigstore.dev/) projects to make it easier to build and use containers securely, as well as [SLSA](https://slsa.dev/) to create a common language for software security and supply chain integrity. He has been involved with the [Cloud Native Computing Foundation](https://cncf.io/), chaired the [Continuous Delivery Foundation](https://cd.foundation/) technical oversight committee, and sits on the governing board and technical advisory committee for the [Open Source Security Foundation](https://openssf.org/).