The goal of this talk is to walk through how vulnerability scanners operate in general and specifically focusing on container vulnerability scanning, so people can better understand how they work and how the information they provide can be interpreted. I think this is an interesting area to explore as these scanners can be seen as a bit of a black box and it leads to people perhaps placing too much reliance on their output
We’ll be looking at a couple of areas :-
- CVSS scoring. How are scores arrived at and some examples of where the CVSS score may not actually indicate real-world issue severity.
- Scanning trade-offs. There are trade-offs in how vulnerability scanners work, some may optimize for fewer false positives, others for fewer false negatives and this may be configurable, depending on the scanner.
- Data sources. Where do scanners actually get the information about what constitutes a vulnerability.
This talk was delivered at Container Days 2021. There’s a link to the recording from that conference here