Using Static Analysis to Catch Configuration Vulnerabilities (DockerCon 2023)
Containers and Infrastructure as Code (IaC) have changed the way organizations build and deploy their applications. Gone are the days when hardware had to be manually provisioned and managed in person. However, this doesn’t mean that these technologies can’t present security risks to your organization. If you’re not careful, misconfigurations can lead to exposed secrets, data leaks, unauthorized access, or DDoS attacks. It is important to get your configurations right the first time to minimize the risk of these issues. In this talk, we cover the importance of shifting left and trying to find vulnerabilities early in the SDLC. We look at Dockerfiles and how you can accidentally introduce poor practices and security vulnerabilities to your configurations. We explain what Static Analysis and Software Composition Analysis are and how they help you secure your code and dependencies. And we show how to set up Static Analysis in your IDE to scan your Dockerfiles for issues, get suggested fixes for resolving them, and block critical issues using gating mechanisms.
Presentation: Securing the Software Supply Chain: Using Static Analysis to Catch Configuration Vulnerabilities
Speaker: Borja Burgos, Director of Product Management, Datadog
ABOUT DOCKER: Docker provides a suite of development tools, services, trusted content, and automations, used individually or together, to accelerate the delivery of secure applications.
#docker #devops #softwaresupplychain