1. S U M M I T
Pragmatic Container
Security
Paul Hidalgo
Solutions Architect
Trend Micro
2. S U M M I T
It worked on my machine
…every developer ever
3. S U M M I T
The problem
It’s hard to deploy an application with all of its dependencies
4. S U M M I T
The problem
It’s hard to deploy an application with all of its dependencies
The solution
Containers package the app and its dependencies in a portable format
6. S U M M I T
Containers accelerate the
developer experience
7. S U M M I T
Containers provide the ability to package and run an application in a loosely isolated environment
Docker Inc. on the goal of containers
8. S U M M I T
…loosely isolated…
Docker Inc. on the goal of containers
17. S U M M I T
ATTACKS ARE POCs
The following feature stunts were performed by professionals or under the supervision of professionals
DO NOT TRY THIS AT HOME
19. S U M M I T
• Check the environment for other assets
  • Look at file and network activity
  • Look at credentials
  • Did the user have any other credentials to the database?
• Plant a callback to control the container
  • To learn application activity, e.g. whether files are being downloaded
• Use as a launching pad to exploit other vulnerable applications
  • Knowing the applications, servers and credentials, it would be easier to jump and look for data
• Exfiltration point
  • Connect to a data dump server
The bad guy has root access to the container. What can he do?
The bad guy was able to go in. Now what?
25. S U M M I T
EC2
• Patch regularly
  • Software updates often contain critical security patches and should be applied as quickly as possible
• Restrict the IAM role
  • Apply the principle of least privilege
• Add critical security controls like application control, integrity monitoring and anti-malware
  • Using an “allow list” for the applications that can be run on the host is highly effective given their specific workloads. Similar integrity monitoring and anti-malware controls make sure any changes to the host are expected and not malicious
Specific areas of focus
26. S U M M I T
ECS
• Same as EC2 for any AMI that meets the Amazon ECS AMI specification
  • Use one of the AWS-provided AMIs as a starting point
Specific areas of focus
27. S U M M I T
Fargate
• IAM policies and roles
• Runs on AWS-managed infrastructure, so there are no Amazon EC2 instances to manage
Specific areas of focus
33. S U M M I T
Code
• IAM roles and permissions
  • Make sure to restrict access appropriately. No “Full Access” policies!
• Add scanning and sanity checks at appropriate stages
  • Automating security steps like static code analysis, vulnerability scanning, malware scanning and secrets management is key
• Add security tests alongside integration and unit tests
  • Never assume, always verify. Adding security tests makes it simple to validate your security assumptions each time a build is deployed
• If you are running your own pipeline, apply the same principles as in the EC2 section to those systems
Specific areas of focus
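One way to turn the “no Full Access policies” rule into a security test that runs next to the unit tests, as an added example that is not part of the deck: a small Python check that parses an IAM policy document (for example an ECS task role) and fails the build on wildcard actions or resources. The two policy documents and the bucket name are constructed placeholders.

```python
import json

# Constructed sample: an over-broad task-role policy (the "Full Access" style grant
# the slide warns against) and a scoped-down alternative for comparison.
FULL_ACCESS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-app-config/*",  # placeholder bucket name
    }],
})


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy_json):
    """Return human-readable findings for Allow statements that grant too much."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow permissions, never widen them
        if "NotAction" in stmt or "NotResource" in stmt:
            # "Everything except X" is almost always broader than intended
            findings.append(f"statement {i}: uses NotAction/NotResource")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource '*'")
    return findings


def test_task_role_is_least_privilege():
    """Pipeline security test: a Full Access role fails the build, a scoped one passes."""
    assert policy_findings(SCOPED_POLICY) == []
    assert policy_findings(FULL_ACCESS_POLICY) != []
```

In a real pipeline the policy JSON would be read from the task definition or Terraform/CloudFormation output rather than embedded as a constant.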
34. S U M M I T
• Deploy strong endpoint controls to developers’ workstations
  • Phishing accounts for 92% of all malware infections, and attackers are shifting focus to attacking developers in order to compromise the systems they build
• Educate developers on secure coding practices and help break down the barriers between teams
  • Security traditionally struggles with getting controls built in and settles for “bolt on” controls, which are more expensive and less effective. Anything you can do to reduce the divide between teams will benefit everyone involved
Specific areas of focus
Builders
35. S U M M I T
Containers accelerate the developer experience
Security makes sure they stay on track
36. S U M M I T
Container Security
6 areas to focus on…
37. S U M M I T
Container-aware protection for your EC2 instances and ECS container hosts
Deep Security
Smart Check
Automated container image scanning to detect vulnerabilities, malware, and exposed secrets
Available on AWS Marketplace