Docker, Inc., profile picture
Uploaded byDocker, Inc.
PDF, PPTX763 views

Building a Secure App with Docker - Ying Li and David Lawrence, Docker

The document outlines best practices for building secure Docker applications, emphasizing the importance of user authentication, dependency management, and image signing through Docker Content Trust (DCT). It advocates for proactive security measures, such as vulnerability scanning and the use of least privilege configurations to enhance security in production environments. Key recommendations include validating upstream sources, signing artifacts, and deploying immutably to safeguard sensitive workloads.

Embed presentation

Download as PDF, PPTX
David Lawrence Sr. Security Engineer Docker Ying Li Security Engineer Docker Building a Secure Docker App
The Pipeline
Docker Content Trust Service
Development
“... tech giant Juniper Networks revealed in a startling announcement that it had found “unauthorized” code embedded in an operating system running on some of its firewalls.” - wired.com
Where did it come from?
User Authentication • Multi-Factor Authentication • Key Based Authentication Sign your commits • Use hardware like Yubikeys Secure your source
Pin your dependencies • Include the list with the source • (golang) vendor.conf, Godeps.json • (python) requirements.txt • (ruby) Gemfile • (node) package.json Validate your upstreams
Pin your dependencies • Include the list with the source • Use checksums Validate your upstreams requires == 2.13 --hash=sha256:2cf24dba5fb0a30e26e83… golang.org/x/crypto 5bcd134fee4dd1475da17714aac19c0a…
Pin your dependencies • Include the list with the source • Use checksums • Use publisher keys when available Validate your upstreams
Test & Build
Verify everything on ingress • commit signatures • dependency checksums • dependency signatures • Docker Content Trust (DCT) signatures of base images CI is an island
Be minimal, be disciplined • do build minimal images • do not embed secret/ sensitive data in images • do sign built images with Docker Content Trust (DCT) CI is ascetic
Registry Services
Find Common Vulnerabilities and Exposures (CVEs) • stop being reactive, get proactive • make compliance easier Get notified about new CVEs • automate the auditing of existing applications Docker Security Scanning (DSS)
Docker Trusted Registry (DTR) and Docker Hub/Cloud come with DCT metadata hosting • you can start signing now • provides trust from publisher to consumer • no need to trust the middleman Docker Content Trust (DCT)
Going to Production
• use Docker Content Trust to only deploy signed artifacts • use Docker EE Signing Policies to guarantee applications meet your acceptance criteria What are you deploying?
Use the absolute minimum privilege set necessary! Don’t: docker run --privileged ... Do: docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN ... Least Privileged Microservices
Zero Trust Networks
Defense in Depth • isolate sensitive workloads to their own nodes • use docker secrets Least Privileged Nodes
Mitigate entire classes of compromise • run read-only containers • use Docker Editions for <your platform here> Immutable Infrastructure
1. Secure & sign your source 2. Pin & verify your dependencies 3. Sign your artifacts with Docker Content Trust 4. Leverage Docker Security Scanning 5. Deploy onto immutable infrastructure … 6. … with Least Privilege configurations In Summary
Thank You! Questions? @docker #dockercon

More Related Content

PDF
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
byDocker, Inc.
 
PDF
Global Operations with Docker for the Enterprise - Nico Kabar, Docker
byDocker, Inc.
 
PDF
Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...
byDocker, Inc.
 
PDF
What’s New in Docker - Victor Vieux, Docker
byDocker, Inc.
 
PDF
Troubleshooting Tips from a Docker Support Engineer
byJeff Anderson
 
PDF
What Have Namespaces Done for you Lately? Liz Rice, Aqua Security
byDocker, Inc.
 
PDF
Escape From Your VMs with Image2Docker Jeff Nickoloff, All in Geek Consulting...
byDocker, Inc.
 
PDF
Back to the Future: Containerize Legacy Applications - Rob Tanner, Northern T...
byDocker, Inc.
 
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
byDocker, Inc.
 
Global Operations with Docker for the Enterprise - Nico Kabar, Docker
byDocker, Inc.
 
Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...
byDocker, Inc.
 
What’s New in Docker - Victor Vieux, Docker
byDocker, Inc.
 
Troubleshooting Tips from a Docker Support Engineer
byJeff Anderson
 
What Have Namespaces Done for you Lately? Liz Rice, Aqua Security
byDocker, Inc.
 
Escape From Your VMs with Image2Docker Jeff Nickoloff, All in Geek Consulting...
byDocker, Inc.
 
Back to the Future: Containerize Legacy Applications - Rob Tanner, Northern T...
byDocker, Inc.
 

What's hot

PDF
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
byDocker, Inc.
 
PDF
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
PDF
DockerCon 2017 - General Session Day 1 - Solomon Hykes
byDocker, Inc.
 
PDF
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
byDocker, Inc.
 
PPTX
How to be successful running Docker in Production
byDocker, Inc.
 
PDF
DockerCon SF 2015: Docker Security
byDocker, Inc.
 
PPTX
DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...
byDocker, Inc.
 
PDF
Browser Testing with Docker - Craig Huber
byDocker, Inc.
 
PDF
Networking Overview for Docker Platform
byAditya Patawari
 
PDF
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
byDocker, Inc.
 
PDF
DCSF19 CMD and Conquer: Containerizing the Monolith
byDocker, Inc.
 
PPTX
A Survey of Container Security in 2016: A Security Update on Container Platforms
bySalman Baset
 
PDF
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
byDocker, Inc.
 
PDF
It takes a Village to do the Impossible - Jeff Lindsay
byDocker, Inc.
 
PDF
Securing your Containers
byRiyaz Faizullabhoy
 
PDF
Secure Substrate: Least Privilege Container Deployment
byDocker, Inc.
 
PDF
DockerCon EU 2015: The Latest in Docker Engine
byDocker, Inc.
 
PDF
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
byDocker, Inc.
 
PPTX
Docker Bday #5, SF Edition: Introduction to Docker
byDocker, Inc.
 
PDF
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
byDocker, Inc.
 
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
byDocker, Inc.
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
DockerCon 2017 - General Session Day 1 - Solomon Hykes
byDocker, Inc.
 
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
byDocker, Inc.
 
How to be successful running Docker in Production
byDocker, Inc.
 
DockerCon SF 2015: Docker Security
byDocker, Inc.
 
DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...
byDocker, Inc.
 
Browser Testing with Docker - Craig Huber
byDocker, Inc.
 
Networking Overview for Docker Platform
byAditya Patawari
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
byDocker, Inc.
 
DCSF19 CMD and Conquer: Containerizing the Monolith
byDocker, Inc.
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
bySalman Baset
 
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
byDocker, Inc.
 
It takes a Village to do the Impossible - Jeff Lindsay
byDocker, Inc.
 
Securing your Containers
byRiyaz Faizullabhoy
 
Secure Substrate: Least Privilege Container Deployment
byDocker, Inc.
 
DockerCon EU 2015: The Latest in Docker Engine
byDocker, Inc.
 
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
byDocker, Inc.
 
Docker Bday #5, SF Edition: Introduction to Docker
byDocker, Inc.
 
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
byDocker, Inc.
 

Similar to Building a Secure App with Docker - Ying Li and David Lawrence, Docker

PDF
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
byJérôme Petazzoni
 
PPTX
Docker Security workshop slides
byDocker, Inc.
 
PPTX
Docker Roadshow 2016
byDocker, Inc.
 
PDF
Docker Security and Content Trust
byehazlett
 
PPTX
Docker Security Overview
bySreenivas Makam
 
PDF
Securing the Container Pipeline at Salesforce by Cem Gurkok
byDocker, Inc.
 
PDF
Docker EE Deep Dive
byDocker, Inc.
 
PDF
Docker Enterprise Edition: Building a Secure Supply Chain for the Enterprise ...
byDocker, Inc.
 
PDF
Docker Security Deep Dive by Ying Li and David Lawrence
byDocker, Inc.
 
PDF
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
byJérôme Petazzoni
 
PDF
Docker security
byJanos Suto
 
PDF
Testing Docker Images Security -All day dev ops 2017
byJose Manuel Ortega Candel
 
PDF
Testing Docker Images Security
byJose Manuel Ortega Candel
 
PDF
Security Patterns for Microservice Architectures - London Java Community 2020
byMatt Raible
 
PDF
CI / CD / CS - Continuous Security in Kubernetes
bySysdig
 
PDF
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
byNETWAYS
 
PDF
Docker security: Rolling out Trust in your container
byRonak Kogta
 
PPTX
DockerCon EU 2015 Barcelona
byRoman Dembitsky
 
PDF
Security Patterns for Microservice Architectures - SpringOne 2020
byMatt Raible
 
PDF
Security Patterns for Microservice Architectures
byVMware Tanzu
 
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
byJérôme Petazzoni
 
Docker Security workshop slides
byDocker, Inc.
 
Docker Roadshow 2016
byDocker, Inc.
 
Docker Security and Content Trust
byehazlett
 
Docker Security Overview
bySreenivas Makam
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
byDocker, Inc.
 
Docker EE Deep Dive
byDocker, Inc.
 
Docker Enterprise Edition: Building a Secure Supply Chain for the Enterprise ...
byDocker, Inc.
 
Docker Security Deep Dive by Ying Li and David Lawrence
byDocker, Inc.
 
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
byJérôme Petazzoni
 
Docker security
byJanos Suto
 
Testing Docker Images Security -All day dev ops 2017
byJose Manuel Ortega Candel
 
Testing Docker Images Security
byJose Manuel Ortega Candel
 
Security Patterns for Microservice Architectures - London Java Community 2020
byMatt Raible
 
CI / CD / CS - Continuous Security in Kubernetes
bySysdig
 
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
byNETWAYS
 
Docker security: Rolling out Trust in your container
byRonak Kogta
 
DockerCon EU 2015 Barcelona
byRoman Dembitsky
 
Security Patterns for Microservice Architectures - SpringOne 2020
byMatt Raible
 
Security Patterns for Microservice Architectures
byVMware Tanzu
 

More from Docker, Inc.

PDF
Containerize Your Game Server for the Best Multiplayer Experience
byDocker, Inc.
 
PDF
How to Improve Your Image Builds Using Advance Docker Build
byDocker, Inc.
 
PDF
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
PDF
Securing Your Containerized Applications with NGINX
byDocker, Inc.
 
PDF
How To Build and Run Node Apps with Docker and Compose
byDocker, Inc.
 
PDF
Hands-on Helm
byDocker, Inc.
 
PDF
Distributed Deep Learning with Docker at Salesforce
byDocker, Inc.
 
PDF
The First 10M Pulls: Building The Official Curl Image for Docker Hub
byDocker, Inc.
 
PDF
Monitoring in a Microservices World
byDocker, Inc.
 
PDF
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
byDocker, Inc.
 
PDF
Predicting Space Weather with Docker
byDocker, Inc.
 
PDF
Become a Docker Power User With Microsoft Visual Studio Code
byDocker, Inc.
 
PDF
How to Use Mirroring and Caching to Optimize your Container Registry
byDocker, Inc.
 
PDF
Monolithic to Microservices + Docker = SDLC on Steroids!
byDocker, Inc.
 
PDF
Kubernetes at Datadog Scale
byDocker, Inc.
 
PDF
Labels, Labels, Labels
byDocker, Inc.
 
PDF
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
byDocker, Inc.
 
PDF
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
PDF
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
byDocker, Inc.
 
PDF
Developing with Docker for the Arm Architecture
byDocker, Inc.
 
Containerize Your Game Server for the Best Multiplayer Experience
byDocker, Inc.
 
How to Improve Your Image Builds Using Advance Docker Build
byDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
Securing Your Containerized Applications with NGINX
byDocker, Inc.
 
How To Build and Run Node Apps with Docker and Compose
byDocker, Inc.
 
Hands-on Helm
byDocker, Inc.
 
Distributed Deep Learning with Docker at Salesforce
byDocker, Inc.
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
byDocker, Inc.
 
Monitoring in a Microservices World
byDocker, Inc.
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
byDocker, Inc.
 
Predicting Space Weather with Docker
byDocker, Inc.
 
Become a Docker Power User With Microsoft Visual Studio Code
byDocker, Inc.
 
How to Use Mirroring and Caching to Optimize your Container Registry
byDocker, Inc.
 
Monolithic to Microservices + Docker = SDLC on Steroids!
byDocker, Inc.
 
Kubernetes at Datadog Scale
byDocker, Inc.
 
Labels, Labels, Labels
byDocker, Inc.
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
byDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
byDocker, Inc.
 
Developing with Docker for the Arm Architecture
byDocker, Inc.
 

Recently uploaded

PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
final.pdf
byomarbishtawi04
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
PDF
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
final.pdf
byomarbishtawi04
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Workflow and decision Automation with Flowable
bychakib ch
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 

Building a Secure App with Docker - Ying Li and David Lawrence, Docker

  • 1.
    David Lawrence Sr. SecurityEngineer Docker Ying Li Security Engineer Docker Building a Secure Docker App
  • 2.
  • 3.
  • 4.
  • 5.
    “... tech giantJuniper Networks revealed in a startling announcement that it had found “unauthorized” code embedded in an operating system running on some of its firewalls.” - wired.com
  • 6.
    Where did itcome from?
  • 7.
    User Authentication • Multi-FactorAuthentication • Key Based Authentication Sign your commits • Use hardware like Yubikeys Secure your source
  • 9.
    Pin your dependencies •Include the list with the source • (golang) vendor.conf, Godeps.json • (python) requirements.txt • (ruby) Gemfile • (node) package.json Validate your upstreams
  • 10.
    Pin your dependencies •Include the list with the source • Use checksums Validate your upstreams requires == 2.13 --hash=sha256:2cf24dba5fb0a30e26e83… golang.org/x/crypto 5bcd134fee4dd1475da17714aac19c0a…
  • 11.
    Pin your dependencies •Include the list with the source • Use checksums • Use publisher keys when available Validate your upstreams
  • 12.
  • 13.
    Verify everything oningress • commit signatures • dependency checksums • dependency signatures • Docker Content Trust (DCT) signatures of base images CI is an island
  • 14.
    Be minimal, bedisciplined • do build minimal images • do not embed secret/ sensitive data in images • do sign built images with Docker Content Trust (DCT) CI is ascetic
  • 21.
  • 22.
    Find Common Vulnerabilitiesand Exposures (CVEs) • stop being reactive, get proactive • make compliance easier Get notified about new CVEs • automate the auditing of existing applications Docker Security Scanning (DSS)
  • 25.
    Docker Trusted Registry(DTR) and Docker Hub/Cloud come with DCT metadata hosting • you can start signing now • provides trust from publisher to consumer • no need to trust the middleman Docker Content Trust (DCT)
  • 26.
  • 27.
    • use DockerContent Trust to only deploy signed artifacts • use Docker EE Signing Policies to guarantee applications meet your acceptance criteria What are you deploying?
  • 28.
    Use the absoluteminimum privilege set necessary! Don’t: docker run --privileged ... Do: docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN ... Least Privileged Microservices
  • 29.
  • 30.
    Defense in Depth •isolate sensitive workloads to their own nodes • use docker secrets Least Privileged Nodes
  • 31.
    Mitigate entire classesof compromise • run read-only containers • use Docker Editions for <your platform here> Immutable Infrastructure
  • 37.
    1. Secure &sign your source 2. Pin & verify your dependencies 3. Sign your artifacts with Docker Content Trust 4. Leverage Docker Security Scanning 5. Deploy onto immutable infrastructure … 6. … with Least Privilege configurations In Summary
  • 38.