Cloud Security Office Hours Introduction
Quick recap. The team discussed the upcoming Cloud Security Office Hours and welcomed new attendees, with Stryker sharing his personal project of using AI to create song lyrics. Neil Carpenter shared his experiences in the vulnerability management space, discussed the concept of container images and their vulnerability management, and emphasized the importance of meaningful approaches to managing vulnerabilities in container images. The meeting also covered the process of building and hardening container images for vulnerability management, the upcoming drawing for a Mini Cooper, and the company Minimus offering minimal container images to reduce vulnerabilities.
Cloud Security Office Hours Introduction
In the meeting, Shawn and Neil discussed the upcoming Cloud Security Office Hours. They also welcomed new attendees and encouraged them to introduce themselves. Stryker shared a personal project he had been working on, which involved using AI to create song lyrics. The team was amused by this and Stryker was happy to share his creation. The conversation ended with Neil suggesting that the discussion could be recorded and edited for future reference.
Neil's Transition and Vulnerability Management
Neil Carpenter discussed his recent transition from Orca Security to an early-stage startup called Minimus. He also shared his experiences in the vulnerability management space, highlighting the importance of meaningful approaches to managing vulnerabilities in container images. Neil emphasized the significance of relationships in career development and shared his journey from working in the marketing organization to sales and go-to-market roles. He also discussed the challenges and opportunities in the vulnerability management space, particularly in the context of container images.
Container Image Vulnerability Management
Neil Carpenter discussed the concept of container images and their vulnerability management. He explained that container images are built in layers, with each layer adding, removing, or modifying files. He used a Dockerfile to demonstrate how an image is built, starting with a base image and adding a layer for each instruction. Neil also discussed why vulnerability management is different for containers: every running container is an instance of the same gold image, so containers are not patched in place. Instead, developers have to patch, update, and fix the vulnerability in the image, rebuild the container, retest it, and redeploy it everywhere. Neil also stressed the importance of scanning container images for vulnerabilities and the need to triage and manage the findings. He recommended starting with free scanners such as Trivy, but noted that paid tools may be necessary for larger projects.
Vulnerability Exploitation and Reachability Discussion
Neil discussed the importance of understanding how likely a vulnerability is to be exploited, noting that only about 10% of vulnerabilities carry more than a 2% probability of exploitation. He also raised the concept of reachability, where only about 10% of the vulnerable code in a container is actually reachable by the application. Neil suggested focusing on the most critical, exploitable findings first, and minimizing the amount of code shipped in the image so that there are fewer vulnerabilities to address in the first place. He also mentioned that a single rebuild can often fix multiple vulnerabilities at once with minimal impact.
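The triage rules described above, as an added example that is not code from the talk or from Minimus: it reads a scan report in the JSON layout Trivy emits (`Results` → `Vulnerabilities`), joins it with exploit-probability scores assumed to come from a separate lookup (Trivy's report does not carry them), and buckets findings into "fix now", "track", and "no fix available". The CVE identifiers, package names, versions, and probabilities are constructed for illustration; the 2% cut-off mirrors the figure from the talk, and the optional `reachable_pkgs` set stands in for whatever reachability tool a team uses (an assumption, not something the page names).

```python
"""Triage container-scan findings by exploit likelihood, reachability and fix availability.

Added example. Report shape follows Trivy's JSON output; all identifiers,
versions and probabilities below are constructed, not real data.
"""
import json

EPSS_THRESHOLD = 0.02  # the "more than 2% likely to be exploited" cut-off from the talk

# Constructed sample report in Trivy's JSON layout (CVE IDs and versions invented).
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "example.com/app:1.0 (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
             "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
             "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux",
             "InstalledVersion": "4.1", "FixedVersion": "4.2", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0005", "PkgName": "libfoo",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
        ],
    }]
})

# Constructed exploit probabilities keyed by CVE. Assumed to come from a
# separate EPSS-style lookup; Trivy's report does not include them.
SAMPLE_EPSS = {
    "CVE-0000-0001": 0.65,
    "CVE-0000-0002": 0.30,
    "CVE-0000-0003": 0.004,
    "CVE-0000-0004": 0.001,
    "CVE-0000-0005": 0.05,
}


def triage(report_json, epss, reachable_pkgs=None, threshold=EPSS_THRESHOLD):
    """Split findings into (fix_now, track, unfixable).

    fix_now: a fix exists, the package is reachable (or reachability is
             unknown), and the finding is either above the exploit-probability
             threshold or rated CRITICAL.
    track:   a fix exists but the finding is low-likelihood or unreachable.
    unfixable: no fixed version yet; rebuilding cannot remove it, so it needs
             a mitigation or an explicit exception instead.
    """
    fix_now, track, unfixable = [], [], []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            cve = v["VulnerabilityID"]
            finding = {
                "id": cve,
                "pkg": v["PkgName"],
                "severity": v.get("Severity", "UNKNOWN"),
                "fixed": v.get("FixedVersion") or None,
                "epss": epss.get(cve, 0.0),
                # Unknown reachability is treated as reachable (fail safe).
                "reachable": reachable_pkgs is None or v["PkgName"] in reachable_pkgs,
            }
            if finding["fixed"] is None:
                unfixable.append(finding)
            elif finding["reachable"] and (
                finding["epss"] >= threshold or finding["severity"] == "CRITICAL"
            ):
                fix_now.append(finding)
            else:
                track.append(finding)
    # Most likely to be exploited first.
    fix_now.sort(key=lambda f: f["epss"], reverse=True)
    return fix_now, track, unfixable


def rebuild_plan(fix_now):
    """Group 'fix now' findings by package: one package bump per rebuild
    closes every CVE listed under it, which is the 'fix several at once' point."""
    plan = {}
    for f in fix_now:
        entry = plan.setdefault(f["pkg"], {"fixed": f["fixed"], "cves": []})
        entry["cves"].append(f["id"])
    return plan


if __name__ == "__main__":
    now, later, stuck = triage(SAMPLE_REPORT, SAMPLE_EPSS)
    print("fix now:", [f["id"] for f in now])
    print("track:  ", [f["id"] for f in later])
    print("no fix: ", [f["id"] for f in stuck])
    print("rebuild:", rebuild_plan(now))
```

With the constructed data, two of five findings land in the "fix now" bucket and both are in the same package, so one rebuild with `libfoo` bumped to `1.0-2` closes both; the finding with no fixed version is surfaced separately because no amount of rebuilding removes it. Passing a `reachable_pkgs` set that omits `libfoo` moves those findings to "track", which is the reachability argument from the talk in code form.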
Building Resilient Container Images for Vulnerability Management
Neil Carpenter discussed the process of building and hardening container images for vulnerability management. He explained the use of multi-stage Docker builds to produce a leaner, more resilient image. Neil demonstrated building the application in a full development image, then copying only the needed artifacts into a final image with the unnecessary components left behind, which reduced the image size significantly. He emphasized that the primary benefit of this approach is not just fewer vulnerabilities, but less work across the entire life cycle, since there is less to scan, triage, patch, and redeploy. Neil also mentioned the use of Minimistio for testing and registering images.
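The layering and multi-stage pattern from the two sections above, as an added example; this is not the Dockerfile from the talk and not a Minimus image. It assumes a Go application with `go.mod`/`go.sum` in the build context and a `main` package under `./cmd/app` (both assumptions). The first stage pulls in the whole toolchain and adds a layer per instruction; the second stage starts from an empty filesystem, so the only files a scanner can find are the ones explicitly copied across.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build. Each instruction adds a layer to THIS stage only; the
# toolchain, package manager and caches never reach the final image.
FROM golang:1.22 AS build
WORKDIR /src
# Copy module files first so dependency download is cached as its own layer.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static binary: the runtime stage then needs no libc and no OS packages.
# (./cmd/app is an assumed path for this example.)
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# Stage 2: runtime. Starting from scratch means there is no distro, no shell
# and no package database; the scanner sees only the binary and the CA bundle.
FROM scratch
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /out/app /app
# Numeric UID works without /etc/passwd; nothing here runs as root.
USER 65532:65532
ENTRYPOINT ["/app"]
```

Build and scan it with `docker build -t app:1.0 .` followed by `trivy image app:1.0`; compare the package count against a scan of `golang:1.22` itself to see how much the build stage would otherwise have carried into production. The trade-off is that a `scratch` image has no shell for debugging and no package manager for runtime patching, which is exactly the point: every fix goes through a rebuild, as described above.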
Mini Cooper Drawing and Security Updates
The meeting then turned to the upcoming drawing for a Mini Cooper, which Neil explained is actually a skills-based contest in order to comply with California regulations. Neil then gave an overview of Minimus, a company that offers minimal container images to reduce vulnerabilities. He explained that while this approach does not solve every security problem, it significantly reduces the number of unnecessary findings and lets teams focus on the vulnerabilities they actually own. The group also discussed upcoming presentations, including one on AI and law, and mentioned several upcoming security conferences that may be of interest to attendees.