
[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh, Security Engineer at mgm technology partners Vietnam

Docker containers are a fast-growing technology that has become hugely popular in the software industry. They offer amazing benefits but also present the developer with lots of security challenges. This talk will give you an introduction to Docker as well as basic security best practices. But don't worry, we will also do some live hacking :).

  1. Do you dockerize? Are your containers safe? Docker Security. Phạm Hồng Khánh (mgm technology partners: München, Aachen, Bamberg, Berlin, Boswil, Đà Nẵng, Dresden, Grenoble, Hamburg, Köln, Leipzig, Nürnberg, Prag, Stuttgart, Washington, Zug)
  2. whoami (08.04.2019): Phạm Hồng Khánh, khanh.hong.pham@mgm-sp.com. Graduated from DUT; Web Application Security Engineer at mgm security partners; 5 years IP networking; 3 years infrastructure operations.
  3. Dark Ages - One Application - One Server: slow deployment times, huge costs, wasted resources, difficult to scale, difficult to migrate.
  4. Hypervisor-based Virtualization. Benefits: one physical machine divided into multiple virtual machines. Limitations: resources, an entire guest OS per VM.
  5. Docker Overview. Containers vs. Virtualization: lightweight & flexible. A docker container is minimal, task specific, isolated, reproducible.
  6. Docker
  7. Docker
  8. Let's try something! Build, Ship, Run
  9. Host, Resources, Containers, Images, Registry
  10. Dockerfile
  11. "It doesn't matter how many locks are on your door if your window is open"
  12. Know your threat model and your attack surface!
  13. Docker Attack Surfaces: Host, Resources, Containers, Images, Registry
  14. Docker Image Security (IMAGES): Images are the basis of a docker container, so we just use them all, don't we?
  15. Let's try something! Crypto Mining Container
  16. Docker Image Security: 17 cryptomining containers on Docker Hub; active for almost a year; made around $90,000 = 2 Billion VND in Bitcoins.
  17. What can we do to have a safe image? Use official repositories as parent images; scan images (MicroBadger); sign images / verify signatures; do not put secrets in images!
  18. A secure Docker Registry (REGISTRY). Private: cheap, under your control, but you have to think about everything yourself! Hosted (AWS, Google or Docker Hub): more features, but privacy and costs!
  19. Docker Container Security (CONTAINERS): secure defaults, can be more robust.
  20. Let's try something! Privileged Container
  21. What can we do to have a safe container? Best practices: Least privilege! Do not use --privileged. Docker runs as root by default: docker run --user 1001 <img>. Use security policies: Seccomp (default profile), AppArmor, SELinux. Limit resources: docker run -it --memory=2G --memory-swap=1G ubuntu bash
  22. Docker Host Security (HOST): Docker is only as secure as the underlying host! Best practices: make sure your system is patched and monitored; use minimal systems designed for this purpose as base system; Docker itself should be configured securely.
  23. Docker Bench Security: https://github.com/docker/docker-bench-security
  24. Tips: "How to be safe!" (Host, Containers, Registry, Images): Know your attack surface! Docker: okay by default. Solution: harden your containers! Test and audit regularly. Keep everything up to date.
  25. Interested in Security?
  26. Thank you! Questions?
  27. Innovation Implemented. mgm technology partners Vietnam, 07 Phan Chau Trinh, Đà Nẵng. Tel.: +49 (89) 35 86 80-0, Fax: +49 (89) 35 86 80-288, www.mgm-tp.com
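As an added example (not from the talk or from mgm), here is a small Python audit that applies the advice of slides 17 and 21 to `docker inspect` output: it flags --privileged, a root user, a missing memory limit, a disabled seccomp/AppArmor profile and secret-looking environment variables. The inspect samples are constructed inline; the key names are the real `docker inspect` fields, while the secret-name pattern is a heuristic of this example.

```python
import json
import re

# Constructed sample (not a real container): the shape of `docker inspect`
# output for a container started with --privileged, as root, without limits.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/demo",
    "Config": {"User": "", "Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2"]},
    "HostConfig": {"Privileged": True, "Memory": 0, "MemorySwap": 0,
                   "SecurityOpt": ["seccomp=unconfined"]},
}])

# Constructed sample of the same container after applying the slide's advice.
SAMPLE_HARDENED = json.dumps([{
    "Name": "/demo-hardened",
    "Config": {"User": "1001", "Env": ["PATH=/usr/bin"]},
    "HostConfig": {"Privileged": False, "Memory": 2 * 1024 ** 3,
                   "MemorySwap": 2 * 1024 ** 3, "SecurityOpt": None},
}])

# Heuristic (an assumption of this example): env names that usually hold secrets.
SECRET_NAME = re.compile(r"PASS|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.I)

def audit(inspect_json: str) -> list:
    """Return one finding per violated best practice, for each container."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        cfg, host = c.get("Config") or {}, c.get("HostConfig") or {}
        if host.get("Privileged"):
            findings.append(f"{name}: --privileged; drop it and --cap-add only what is needed")
        uid = (cfg.get("User") or "").split(":")[0]   # "" or "0"/"root" means root
        if uid in ("", "0", "root"):
            findings.append(f"{name}: runs as root; use --user <uid> or USER in the Dockerfile")
        if not host.get("Memory"):
            findings.append(f"{name}: no memory limit; set --memory (and --memory-swap >= memory)")
        for opt in host.get("SecurityOpt") or []:   # None when no --security-opt was given
            if opt in ("seccomp=unconfined", "apparmor=unconfined"):
                findings.append(f"{name}: {opt} turns off a default security profile")
        for env in cfg.get("Env") or []:
            key = env.split("=", 1)[0]
            if SECRET_NAME.search(key):
                findings.append(f"{name}: env var {key} looks like a baked-in secret")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_INSPECT):   # pipe `docker inspect <name>` into audit() for a real one
        print(line)
```

Note that Docker rejects a --memory-swap value smaller than --memory, so the limit on slide 21 only takes effect with --memory-swap set to at least 2G.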

Editor's Notes

  • The more VMs you run, the more resources you need
    Guest OS means wasted resources
    Application portability not guaranteed
  • Explain again

    Containers virtualize at the operating system level; hypervisors virtualize at the hardware level.
    Hypervisors abstract the operating system from the hardware; containers abstract the application from the operating system.
    Hypervisors consume storage space for each instance. Containers share a single storage space plus smaller deltas for each layer and are thus much more efficient.
    Containers can boot and be application-ready in less than 500 ms, which creates new design opportunities for rapid scaling. Hypervisors boot according to the OS, typically in 20 seconds, depending on storage speed.
  • Interact with audience: questions? Do you dockerize? How many of you know Docker?
  • Image
    The basis of a Docker container. The content at rest.
    Container
    The image when it is ‘running.’ The standard unit for app service
    Engine
    The software that executes commands for containers. Networking and volumes are part of Engine. Can be clustered together.
    Registry
    Stores, distributes and manages Docker images
  • Shorten image
  • Base image security
    What to use!
    How to protect
  • https://microbadger.com/images/dalareo/wordpress-ldap

    https://hub.docker.com/explore/ -> security scans

    export DOCKER_CONTENT_TRUST=0
    docker pull smakam/mybusybox
  • SSL
    Authentication (Basic Auth -> without permission or Token -> more complex)
    Google and Docker Hub EE even have security scans

  • kubectl exec -it shell-demo -- /bin/bash

    curl -sk https://10.1.0.1:10250/runningpods/

    Install kubectl
    kubectl get pods --all-namespaces -o wide

    curl -sk https://$KUBERNETES_PORT_443_TCP_ADDR:443
    kubectl get secrets --all-namespaces | grep default
    kubectl get secret -n kube-system default-token-mstnh -o yaml
    Or
    cat /var/run/secrets/kubernetes.io/serviceaccount/token

  • Host configuration
    Docker daemon configuration
    Docker daemon configuration files
    Container images and build files
    Container runtime
    Docker security operations
  • Cluster
    Containers
    Software
    Cluster
    Containers
    Applications
