4. Container Challenges
Historically, developers have owned
the security posture of their own
code and the libraries used.
Containers add security concerns
at the operating-system level such
as base-image selection, package
installation, user and file
permissions, and more.
Increased Scope of
Responsibility
These additional technologies used
to be owned by other teams such
as system engineers or middleware
teams. Many developers have
never had to deal with securing
these layers of the stack.
Lack of Expertise
While shifting security left adds
responsibilities to developer teams,
the business owners have
expectations that pipeline velocity
will not be negatively impacted.
Maintaining Velocity
5. Get to the demo already!
https://tenor.com/view/hurry-hurry-up-go-go-on-gif-10089177
7. Defence
in Depth
Further practices
and tech to
consider.
Images
Runtime
Kubernetes
Minimize Footprint
Don’t give hackers more tools to expand their exploits
Layer Housekeeping
Understand how layers work at build and run-time
Build strategies
Multi-Stage, repeatable builds, standardized labeling,
alternative tools
Secure Supply Chain
Know where images come from.
Only CI should push to registries.
8. Defence
in Depth
Further practices
and tech to
consider.
Images
Runtime
Kubernetes
Don’t run as root
You probably don’t need it.
Privileged Containers
You almost definitely don’t need it.
Drop capabilities
Most apps don’t need even Linux capabilities;
dropping all and allow only what’s needed.
Read Only Root Filesystem
Immutability makes exploiting your container harder.
Deploy from known sources
Pull from known registries only.
9. Defence
in Depth
Further practices
and tech to
consider.
Images
Runtime
Kubernetes
Secrets
Use them but make sure they’re encrypted and have
RBAC applied
RBAC
Hopefully everybody is using this.
SecurityContext (https://snyk.co/udUTc)
Much of the Runtime practices mentioned can be
enforced via SC
Network Policy
Start with zero-trust and add allow rules only as
necessary.
Enforcement
Use OPA (Gatekeeper), Kyverno, etc