AWS Summit Singapore 2019 | Pragmatic Container Security
•
1 like•342 views
Speaker: Paul Hidalgo, Solution Architect, Trend Micro (Singapore)
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to AWS Summit Singapore 2019 | Pragmatic Container Security
Similar to AWS Summit Singapore 2019 | Pragmatic Container Security (20)
More from AWS Summits
More from AWS Summits (20)
AWS Summit Singapore 2019 | Pragmatic Container Security
- 1. S U M M I T Pragmatic Container Security Paul Hidalgo Solutions Architect Trend Micro
- 2. S U M M I T It worked on my machine …every developer ever
- 3. S U M M I T The problem It’s hard to deploy an application with all of it’s dependencies
- 4. S U M M I T The problem It’s hard to deploy an application with all of it’s dependencies The solution Containers package the app and it’s dependencies in a portable format
- 5. S U M M I T Local On-premises Cloud
- 6. S U M M I T Containers accelerate the developer experience
- 7. S U M M I T Containers provide the ability to package and run an application in a loosely isolated environment Docker Inc. on the goal of containers
- 8. S U M M I T …loosely isolated… Docker Inc. on the goal of containers
- 9. S U M M I T
- 10. S U M M I T CVE-2019-5736runC container to host exploit
- 11. S U M M I T only as intended…and only as intended Make sure that systems work as intended The goal of cybersecurity
- 12. S U M M I T Container Environment Tactics • Securing the Host • Securing the Container • Securing the Pipeline Specific areas Agenda
- 13. S U M M I T The Environment
- 14. S U M M I T Our Applications
- 15. S U M M I T Development Environment
- 16. S U M M I T How Containers Can be Exploited
- 17. S U M M I T ATTACKS ARE POCs The following features stunts performed by either professionals or under the supervision of professionals DO NOT TRY THIS AT HOME
- 18. S U M M I T
- 19. S U M M I T • Check the environment for other assets • Look at file and network activity, • Look at Credentials • Did the user have any other credentials to database • Plant a Callback to control the container • To learn application activity if files are being downloaded • Use as a launching pad to exploit other vulnerable applications • Knowing applications, servers and credentials, it would be easier to jump and look for data • Exfiltration Point • Connect to a Data Dump Server The guy has root access to the container, what can he do The bad guy was able to go in, Now what?
- 20. S U M M I T
- 21. S U M M I T Investigation
- 22. S U M M I T Secure the Host
- 23. S U M M I T
- 24. S U M M I T Securing Production
- 25. S U M M I T EC2 • Patch regularly • Software updates often contain critical security patches and should be applied as quickly as possible • Restrict the IAM role • Apply the principle of least privilege • Add critical security controls like application control, integrity monitoring, anti-malware • Using an “allow list” for applications that can be run on the host is highly effective given their specific workloads. Similar integrity monitoring and anti-malware controls make sure any changes to the host are expected and not malicious Specific areas of focus
- 26. S U M M I T ECS • Same as EC2 for any AMI that meets the Amazon ECS AMI specification • Use one of the AWS provided AMIs as a starting point Specific areas of focus
- 27. S U M M I T Fargate • IAM policies and roles • Runs on AWS-managed infrastructure, no Amazon EC2 instances to manage Specific areas of focus
- 28. S U M M I T Secure the Pipeline
- 29. S U M M I T Automation is the key being able to deliver quickly & consistently
- 30. S U M M I T Containers can be…
- 31. S U M M I T
- 32. S U M M I T Securing Pipeline
- 33. S U M M I T Code • IAM roles and permissions • Make sure to restrict access appropriately. No “Full Access” policies! • Add scanning and sanity checks at appropriate stages • Automating security steps like static code analysis, vulnerability scanning, malware scanning and secrets management is key • Add security tests alongside integration and unit tests • Never assume, always verify. Adding security tests makes it simple to validate your security assumptions each time a build is deployed • If you are running your own pipeline, apply the same principles as the EC2 section to those systems Specific areas of focus
- 34. S U M M I T • Deploy strong endpoint controls to developers workstations • Phishing accounts for 92% of all malware infections and attackers are shifting focus to attack developers in order to compromise the systems they build • Educate developers on strong security coding practices and help breakdown the barriers between teams • Security traditionally struggles with getting controls built in and settles for “bolt on” controls which are more expensive and less effective. Anything you can do to reduce the divide between teams will benefit everyone involved Specific areas of focus Builders
- 35. S U M M I T Containers accelerate the developer experience Security makes sure they stay on track
- 36. S U M M I T Container Security 6 areas to focus on…
- 37. S U M M I T Container-aware protection for your EC2 instances and ECS container hosts Deep Security Deep Security Smart Check Automated container image scanning to detect vulnerabilities, malware, and exposed secrets Available on AWS Marketplace
- 38. Thank you! S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Paul Hidalgo paul_hidalgo@trendmicro.com