Title: Why should developers care about container security?
Abstract: Container scanning tools, industry publications, and application security experts are constantly telling us about best practices for how to build our images and run our containers. Often these non-functional requirements seem abstract and are not described well enough for those of us who don’t have an appsec background to fully understand why they are important. In this session, we will go over several of the most common practices, show examples of how your workloads can be exploited if they are not followed and, most importantly, how to easily find and fix your Dockerfiles and deployment manifests (i.e. Kubernetes configs) before you commit your code.
Speaker: Eric is a 30+ year enterprise software developer, architect, and consultant with a focus on CI/CD, DevOps, and container-based solutions over the last decade. He is a Docker Captain, is certified in Kubernetes (CKA, CKAD, CKS), and has been a Docker user since 2013. As a Senior Developer Advocate at Snyk, Eric helps developers implement proactive and scalable security practices with a focus on container and cloud-native technologies.
Catch the video: https://youtu.be/lBNcUBdY-VM
5. SDLC Pipeline (diagram; stages: Coding, Branch Repo, CI/CD, Registry, Production; annotated with Test & Fix, Test, Fix, Monitor, Build, Deploy, Get artifacts, Get public & private artifacts)
7. Container Challenges
Increased Scope of Responsibility
Historically, developers have owned the security posture of their own code and the libraries used. Containers add security concerns at the operating-system level such as base-image selection, package installation, user and file permissions, and more.
Lack of Expertise
These additional technologies used to be owned by other teams such as system engineers or middleware teams. Many developers have never had to deal with securing these layers of the stack.
Maintaining Velocity
While shifting security left adds responsibilities to developer teams, the business owners have expectations that pipeline velocity will not be negatively impacted.
8. Ownership of developers
What does my service contain?
● Source code of my app
● 3rd party dependencies
● Dockerfile
● IaC files (eg. Terraform)
● K8s files
16. Defence in Depth: Images
Further practices and tech to consider.
Minimize Footprint
Don’t give hackers more tools to expand their exploits
Layer Housekeeping
Understand how layers work at build and run-time
Build strategies
Multi-stage, repeatable builds, standardized labeling, alternative tools
Secure Supply Chain
Know where images come from.
Only CI should push to registries.
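An added example, not from the talk: a small pre-commit style check in Python for the image practices listed on this slide (pinned base images, a slim footprint, a non-root final stage), run over two constructed Dockerfiles for the same hypothetical app. The image names, the heuristics and the "weak" and "fixed" Dockerfiles are all assumptions made for this example.

```python
import re

def check_dockerfile(text: str) -> list[str]:
    """Return findings for a Dockerfile's text; an empty list means the checks passed."""
    findings = []
    aliases = set()    # stage names introduced with 'FROM ... AS name'
    last_user = None   # USER in effect at the end of the final stage
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", line, re.IGNORECASE)
        if m:
            image, alias = m.groups()
            last_user = None   # each stage starts over with its base image's default user
            if alias:
                aliases.add(alias)
            tag = image.rsplit("/", 1)[-1].partition(":")[2]   # '' if untagged; 'host:5000/img' is a port
            if image != "scratch" and image not in aliases and tag in ("", "latest"):
                findings.append(f"unpinned base image '{image}': pin a tag or digest for repeatable builds")
            continue
        m = re.match(r"USER\s+(\S+)", line, re.IGNORECASE)
        if m:
            last_user = m.group(1)
        if "apt-get install" in line and "--no-install-recommends" not in line:
            findings.append("apt-get install without --no-install-recommends adds packages you don't need")
    if last_user in (None, "root", "0"):
        findings.append("final stage sets no non-root USER (most base images default to root)")
    return findings

# Constructed samples: a typical 'it works' Dockerfile and the same app with the slide's practices.
WEAK_DOCKERFILE = """\
FROM node
COPY . /app
RUN apt-get update && apt-get install -y curl
CMD ["node", "/app/server.js"]
"""
FIXED_DOCKERFILE = """\
FROM node:20-bookworm-slim AS build
COPY . /app
RUN cd /app && npm ci --omit=dev
FROM gcr.io/distroless/nodejs20-debian12:nonroot
COPY --from=build /app /app
USER nonroot
CMD ["/app/server.js"]
"""

if __name__ == "__main__":
    for label, df in (("weak", WEAK_DOCKERFILE), ("fixed", FIXED_DOCKERFILE)):
        print(label, check_dockerfile(df) or ["ok"])
```

The base-image check treats a digest reference (`@sha256:`) as pinned, and the USER check only looks at instructions in the Dockerfile, so a base image that already switches to a non-root user needs an explicit USER line to satisfy it.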
17. Defence in Depth: Runtime
Further practices and tech to consider.
Don’t run as root
You probably don’t need it.
Privileged Containers
You almost definitely don’t need it.
Drop capabilities
Most apps don’t need any Linux capabilities; drop them all and add back only what’s needed.
Read Only Root Filesystem
Immutability makes exploiting your container harder.
Deploy from known sources
Pull from known registries only.
18. Defence in Depth: Kubernetes
Further practices and tech to consider.
Secrets
Use them but make sure they’re encrypted and have RBAC applied
RBAC
Hopefully everybody is using this.
SecurityContext
Many of the runtime practices mentioned can be enforced via the SecurityContext
Network Policy
Start with zero-trust and add allow rules only as necessary.
Enforcement
Use OPA (Gatekeeper), Kyverno, etc.
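An added example, not from the talk, covering the runtime practices on the previous slide and the SecurityContext note on this one: a Python check over a Pod spec that flags privileged containers, a possible root user, undropped capabilities, a writable root filesystem and images from outside an assumed registry allowlist, run against a constructed default spec and the same spec with the SecurityContext settings applied. The registry names, container and image names and the check itself are assumptions for this example.

```python
# Assumed allowlist of registries the team deploys from (constructed for this example).
ALLOWED_REGISTRIES = ("registry.example.internal", "ghcr.io/example-org")

def check_pod_spec(pod_spec: dict) -> list[str]:
    """Return findings for a Pod spec dict (or a Deployment's template.spec); empty means clean."""
    findings = []
    pod_sc = pod_spec.get("securityContext") or {}
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))  # container overrides pod
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if non_root is not True and uid in (None, 0):
            findings.append(f"{name}: may run as root (set runAsNonRoot: true)")
        drop = [d.upper() for d in (sc.get("capabilities") or {}).get("drop", [])]
        if "ALL" not in drop:
            findings.append(f"{name}: capabilities not dropped (drop: [ALL], then add back only what is needed)")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        image = c.get("image", "")
        if not any(image.startswith(r + "/") for r in ALLOWED_REGISTRIES):
            findings.append(f"{name}: image '{image}' is not from an allowed registry")
    return findings

# Constructed sample specs: a typical default pod and the same pod with the slides' practices applied.
WEAK_POD_SPEC = {"containers": [{"name": "web", "image": "nginx:latest",
                                 "securityContext": {"privileged": True}}]}
HARDENED_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{
        "name": "web",
        "image": "registry.example.internal/team/web:1.4.2",
        "securityContext": {
            "privileged": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
        },
        # a read-only root filesystem still needs somewhere writable for scratch files
        "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
    }],
    "volumes": [{"name": "tmp", "emptyDir": {}}],
}

if __name__ == "__main__":
    print("weak:", check_pod_spec(WEAK_POD_SPEC))
    print("hardened:", check_pod_spec(HARDENED_POD_SPEC) or "ok")
```

The dict is the shape `yaml.safe_load` produces for the manifest's `spec`, so the same function can sit in a pre-commit hook over real files; the same findings are what an admission policy in Gatekeeper or Kyverno would enforce cluster-side.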
19. Key Takeaways
Feedback Loop
Just like unit tests, fast, actionable security feedback is critical. Working security into a developer’s workflow without slowing them down drives adoption.
Empower developers to be proactive
Giving developers tools that provide actionable information can allow them to deal with security issues as they are introduced.
Defence in depth
Implementing known secure practices for building and running your container images and IaC configurations can mitigate vulnerabilities that slip into deployments as well as zero-day vulnerabilities that may exist.
20. References:
● Kubernetes SecurityContext Cheatsheet: https://snyk.co/udW5K
● Dockerfile Best Practices: https://docs.docker.com/develop/develop-images/dockerfile_best-practices
● Using multi-stage builds: https://docs.docker.com/develop/develop-images/multistage-build
● OPA Gatekeeper: https://open-policy-agent.github.io/gatekeeper/website/docs
● Kyverno: https://kyverno.io
● PodSecurityPolicy Deprecation: Past, Present, and Future: https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future
● CNCF Certification Curriculum: https://github.com/cncf/curriculum
● Snyk Kubernetes “Quick hit” videos: https://youtube.com/playlist?list=PLQ6IC7glz4-UA4uKQOhmAxh6Mhvr3m4g-
Thank you!
about.me/ericsmalling
Special thanks for cloud resources provided by
21. Additional References (added after the call):
● Books
○ Production Kubernetes (free e-book), Josh Rosso, Rick Lander, Alexander Brand, John Harris
○ Acing the Certified Kubernetes Administrator Exam, Chad Crowell
■ K8s book club currently going through this book
○ Container Security, Liz Rice
○ Securing the Software Supply Chain (pre-release), Michael Lieberman, Brandon Lum
● YouTube channels:
○ https://www.youtube.com/@_JohnHammond
○ https://www.youtube.com/snyksec