Open Source Summit North America 2023

The Department of Defense’s security group, Platform One, maintains a centralized hardened container registry called Iron Bank. This DevSecOps initiative ensures containers meet strict safety and security requirements for use across DoD infrastructure. DoD engineers have been building automated container hardening pipelines. Container vulnerability counts have reduced as much as 95%, averaging 70% across the board. Despite the significant reduction in container footprint and software packages, they are fully-functional and exceed Iron Bank security specs. In this talk, cybersecurity engineer David Dooley will walk through the methodologies being used to instrument, harden, test, and optimize these containers. Learn how the DoD employs container vulnerability scanning, testing, reduction, automation, and other open source technologies. For example, Iron Bank NGINX pre- and post-hardening: Size: 261.18MB => 24.74MB (91%) Vulnerabilities: 102 => 25 (75%) Packages: 225 => 73 (68%) Iron Bank Redis pre- and post-hardening: Size: 287.32MB => 39.3MB (86%) Vulnerabilities: 98 => 5 (95%) Packages: 220 => 5 (98%)