Wolfi: A Secure-by-Default Distro for Curing Container CVE Chaos (asg2023)

Chaos Computer Club - archive feed · James Strong, Carlos Tadeu Panato Junior

September 14, 2023 · 38m 16s


Show Notes

Are you using container images with hundreds of known vulnerabilities? The majority of us are using images based on the Docker official images available on Docker Hub. This includes base images, such as Debian and Ubuntu, as well as application images such as nginx and redis. Unfortunately these images often have hundreds of known vulnerabilities due to excessively large dependency trees with out-of-date packages. This security debt can lead to unnecessary security risks and slower development cycles.

Wolfi (https://github.com/wolfi-dev/) is a new Linux distribution optimized for building minimal, secure container images. Wolfi maintainers prioritize a rolling release model built on a rapid package update cycle, which ensures that new vulnerabilities are remediated quickly. This talk not only describes the problems that motivate Wolfi but also provides hands-on knowledge to help developers take advantage of Wolfi. By the end of the talk, developers will learn about packaging techniques with apko and melange, tools specifically designed to build Wolfi packages and turn them into minimal, low- or no-vulnerability containers.

Key Takeaways and Highlights

- Popular, off-the-shelf base images and containers often have hundreds of known vulnerabilities ("CVEs"), which can, at worst, be a security risk and, at best, be a giant time suck.
- Wolfi is a new secure-by-default Linux distribution that prioritizes rapid package updates and, by extension, fast mean time-to-remediation for known vulnerabilities.
- Packages in Wolfi can form the foundation of secure, minimal base images and containers, freeing developers of tedious vulnerability management tasks and increasing security for cloud-native applications.
Talk Outline

- The Cloud-Native Application Status Quo: Bloated, Outdated, Vulnerability-Laden Images
  - Containers 101
  - Show the results of running security scanners against popular Docker Hub official images
    - Use grype (an open source scanner) to scan golang:latest and nginx:latest. Show via command line.
  - Show data and analysis on package counts, package staleness, and vulnerability counts of official Docker Hub images
    - Draw on six months of daily scanning results collected by the presentation team
- Overview of Wolfi
  - Fast package update times
  - Fast vulnerability mean time-to-remediation
  - Granular packages: Wolfi packages are often packaged at a more granular level than their counterparts in other distributions, which allows developers to pick and choose only the components that are essential for an image, without dragging in unnecessary functionality and attack surface.
  - Rolling release
- Why not alternative approaches, either other minimal images or using other distros?
  - Google distroless: Debian-based, so there can be slow update times for packages
  - Debian: slow package updates
- How to build images with Wolfi packages
  - Explain melange and building packages
  - Example of building a package with melange
  - Explain apko and building images
  - Demo of building an image with apko

About this event: https://cfp.all-systems-go.io/all-systems-go-2023/talk/V9EZSS/
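The outline's scanner step (running grype against golang:latest and nginx:latest) produces a report that is only useful once it is summarised by severity and by whether a fix exists, which is exactly the "mean time-to-remediation" view the talk argues for. The following is an added example, not code from the talk or from the Wolfi, grype, apko or melange projects: it reads a grype JSON report (`grype <image> -o json`), counts findings per severity, lists the findings a package update would already fix, and applies a build gate. The field names it relies on (`matches[].vulnerability.{id,severity,fix.state,fix.versions}` and `matches[].artifact.{name,version}`) are the subset of grype's JSON output the author of this example is relying on from memory, and the embedded report is constructed, not a real scan result.

```python
"""Summarise a grype JSON report by severity and fixability, then gate on it.

Added example; the report below is constructed and the grype field names used
are an assumption about the scanner's JSON schema, not taken from the talk.
"""
import json
from collections import Counter

# Constructed sample in the shape of `grype <image> -o json`. Only the fields
# read below are present; real reports carry many more.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["1.2.3"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.2", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": ["2.0.1"], "state": "fixed"}},
         "artifact": {"name": "libother", "version": "2.0.0", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libother", "version": "2.0.0", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Medium",
                           "fix": {"versions": ["0.9.9"], "state": "fixed"}},
         "artifact": {"name": "libthird", "version": "0.9.8", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0005", "severity": "Low",
                           "fix": {"versions": [], "state": "wont-fix"}},
         "artifact": {"name": "libthird", "version": "0.9.8", "type": "deb"}},
    ]
})

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]


def summarize(report_json: str) -> tuple[Counter, Counter]:
    """Return (findings per severity, fixable findings per severity)."""
    report = json.loads(report_json)
    by_severity: Counter = Counter()
    fixable: Counter = Counter()
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        severity = vuln.get("severity") or "Unknown"
        by_severity[severity] += 1
        # "fixed" means upstream already ships a patched version: this is the
        # remediation backlog that a fast-updating distro is meant to shrink.
        if vuln.get("fix", {}).get("state") == "fixed":
            fixable[severity] += 1
    return by_severity, fixable


def fixable_packages(report_json: str) -> list[tuple[str, str, str, str]]:
    """List (package, installed version, fix version, CVE id) for fixable findings."""
    report = json.loads(report_json)
    rows = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        fix = vuln.get("fix", {})
        if fix.get("state") == "fixed" and fix.get("versions"):
            art = match["artifact"]
            rows.append((art["name"], art["version"], fix["versions"][0], vuln["id"]))
    return sorted(rows)


def gate(report_json: str, max_critical: int = 0, max_high: int = 0) -> bool:
    """Build gate: True if the image is within the allowed Critical/High budget."""
    by_severity, _ = summarize(report_json)
    return (by_severity["Critical"] <= max_critical
            and by_severity["High"] <= max_high)


def format_summary(report_json: str) -> str:
    by_severity, fixable = summarize(report_json)
    lines = [f"{sev:<10} total={by_severity[sev]:<3} fixable={fixable[sev]}"
             for sev in SEVERITY_ORDER if by_severity[sev]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(SAMPLE_REPORT))
    for name, installed, fixed_in, cve in fixable_packages(SAMPLE_REPORT):
        print(f"{name} {installed} -> {fixed_in} ({cve})")
    print("gate passed" if gate(SAMPLE_REPORT) else "gate FAILED")
```

To run it against a real image, replace SAMPLE_REPORT with the contents of `grype nginx:latest -o json`; the gate with a zero Critical/High budget is the threshold a CI pipeline would typically enforce, and the fixable-package list is the portion of the backlog that disappears simply by rebuilding on fresher packages.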
