Program details

Name: Secure Development with Docker

Date/time: Wednesday, September 27, 2023, 8:00 AM - 12:00 PM Pacific Time

Description:

Developers want to move fast to build new features, fix bugs, and provide better user and customer experiences. However, there is a constant struggle between developers, who want to leverage various open source libraries and frameworks and may not be able to keep up with all their updates, and security teams, who want to ensure they are minimizing risk. While containers help provide consistent environments across the entire software development lifecycle, deliberate thought and process are needed to maximize their benefits.

In this hands-on workshop, attendees will start by diving in and understanding images, setting the stage for creating organizational base images that make it easier for your developers to meet security and organizational policies. From there, we'll talk about understanding what's in your images and fixing issues as they are found, both at initial creation and later when they are running in production. We'll dive into SBOMs, scanning, and remediating issues and how Docker Scout makes this easy for developers. We'll wrap up with methods to ensure non-compliant images are caught in CI/CD build systems and prevented from running in production environments.

Intended audience:

Security Engineers, Product Security, Platform Folks, Developers

  • Modeling your software development life cycle: Learn how to model your entire software development process holistically when improving your security.
  • Balancing Dev and Security: Learn the principles of combining dev speed with robust security measures.
  • Keep up with environment changes: Learn how Docker Scout helps you keep up with both existing and newly discovered vulnerabilities.

Topics to be covered:

  • Elements of a secure supply chain
  • Remediating CVEs in development with Docker Desktop
  • Integrating Docker Scout into CI/CD

Agenda

8:00–8:15 Welcome and setup (latest Docker Desktop, Docker Hub)

8:15–8:30 Talk: CVEs, dependencies, and base images

8:30–9:00 Hands-on: Remediating vulnerabilities

9:00–9:15 Talk: Understanding the software supply chain

9:15–9:30 Break

9:30–10:00 Hands-on: Using Docker Scout to connect your data model

10:00–10:15 Talk: Docker Image Provenance and SBOM

10:15–10:45 Hands-on: Explore and add provenance and SBOMs using Buildkit and Docker Scout

10:45–11:00 Break

11:00–11:15 Talk: Maintaining Security with Policy: First, do no harm

11:15–11:45 Hands-on: Getting back into compliance with Docker Scout

11:45–12:00 Talk: What's next and Q&A

Anticipated resources/takeaways:

  • Understand and verify how your applications are built.
  • Quickly and easily identify problems with your software supply chain and remediate them.
  • Use policies to encourage best practices across your organization without blocking fixes getting to production.
  • Provide visibility into the security stance of your software to others within your organization.