SlideShare a Scribd company logo

Devopsdays london: Let’s talk about security

J
Justin Cormack

How to approach security in a devops environment. By Justin Cormack, Docker Inc.

Software
1 of 28
Download to read offline
DevOpsDays London: Let’s talk about Security Justin Cormack
Justin Cormack Cambridge based developer at Docker @justincormack   2
Co-author of Docker in the Trenches: Successful Production Deployment 3
Let’s talk about Security
Security“NO!”
A Conversation
Ops“please,developers,can you write secure code?” Devs“please,ops,can you secure the environment for our code?” 7
DevOps“This service needs to do these things and access these other services” DevOps“Ok,I will restrict its access in test and production to those actions” 8
To get to this we need a domain specific manifest of types of actions a program can do,and a way to restrict it to just these. We want defence in depth –a single way of imposing restrictions only needs a single circumvention. 9
Examples
11
Android permissions and intents were a good early model •  Certainly conversational... •  Good apart from the bit where the user clicks “Allow” 12
13
pledge(2) •  System call to reduce ability to do things, grouped into different classes •  stdio rpath wpath cpath dpath tmppath fattr flock inet dns unix sendfd recvfd proc getpw tty ioctl prot_exec exec settime ps vminfo id pf audio 14
if (pledge("stdio rpath wpath cpath", NULL) == -1) { perror("pledge"); exit(2); } 01. 02. 03. 04. 15
Usability •  Within 6 months it had been introduced to over 400 programs •  Not a typical coding community, true •  Not the sole means of defence, adds defence in depth. •  There are only 8000 SELinux profiles on github after 18 years, and most are the same ones. 16
Doesn’t Apply to Me
•  Probably you are not writing Unix commands for OpenBSD •  Very domain specific rules eg exactly which files can be read •  Some of the specifics are less of a concern •  However, microservices are modelled on the Unix process model 18
Content Security Policy for Web Applications •  Content headers for browsers limiting actions, defines none, urls or local only, or similar •  default-src script-src object-src style-src img-src media-src frame-src font-src connect-src form-action sandbox script-nonce plugin-types reflected-xss report-uri •  http://w3c.github.io/webappsec-csp/ •  Creating a CSP Policy from Scratch 19
Content-Security-Policy "default-src 'none'; script-src 'self' https://www.google-analytics.com/; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; frame-src 'self' https://www.slideshare.net; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action 'none'; base-uri diogomonica.com www.diogomonica.com; report-uri https://report-uri.io/report/59e303e8e117668e8e166508913a6d1d;" 01. 02. 03. 04. 05. 06. 07. 08. 09. 10. 11. 20
Containers
Docker supports lots of security mechanisms •  Namespaces, capabilities, SELinux, Apparmor, seccomp, iptables, networks (Linux likes different security subsystems) •  The defaults are really good, and work for almost everyone •  Containers are a very secure environment to run code. 22
Not so friendly {"name": "accept4", "action": "SCMP_ACT_ALLOW", "args": []}, deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, docker run --cap-drop=sys_admin 01. 02. 03. 23
Next steps •  Make the customisation easier for your use cases •  Increase uniformity •  Correlate the different types of option, so set different options in lockstep 24
Types of role for microservices •  Client, server, or both •  Connects to specified hosts outside local network •  May not connect to certain types of host (finance, production) •  Must use encrypted connections to these hosts •  Document clear contracts about what is allowed 25
Summary •  First talk about what your application needs to do •  Human readable and understandable •  Machine readable, testable and debuggable. •  Declarative •  Domain specific 26
Talk!
Questions? •  @justincormack •  justin.cormack@docker.com •   docker pull justincormack/devopsdays2016   28

Recommended

Docker container security
Docker container securityDocker container security
Docker container securityThoughtworks
 
Ieee S&P 2020 - Software Security: from Research to Industry.
Ieee S&P 2020 - Software Security: from Research to Industry.Ieee S&P 2020 - Software Security: from Research to Industry.
Ieee S&P 2020 - Software Security: from Research to Industry.Minded Security
 
Build your first DApp using Substrate Framework - Part I
Build your first DApp using Substrate Framework - Part IBuild your first DApp using Substrate Framework - Part I
Build your first DApp using Substrate Framework - Part IKnoldus Inc.
 
JS digest. November 2017
JS digest. November 2017JS digest. November 2017
JS digest. November 2017ElifTech
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Stephen de Vries
 
EVE Microservices Platform
EVE Microservices PlatformEVE Microservices Platform
EVE Microservices PlatformAlaa Qutaish
 
Neues aus dem Docker-Universum
Neues aus dem Docker-UniversumNeues aus dem Docker-Universum
Neues aus dem Docker-UniversumNicholas Dille
 

Recommended

Docker container security
Docker container securityDocker container security
Docker container securityThoughtworks
 
Ieee S&P 2020 - Software Security: from Research to Industry.
Ieee S&P 2020 - Software Security: from Research to Industry.Ieee S&P 2020 - Software Security: from Research to Industry.
Ieee S&P 2020 - Software Security: from Research to Industry.Minded Security
 
Build your first DApp using Substrate Framework - Part I
Build your first DApp using Substrate Framework - Part IBuild your first DApp using Substrate Framework - Part I
Build your first DApp using Substrate Framework - Part IKnoldus Inc.
 
JS digest. November 2017
JS digest. November 2017JS digest. November 2017
JS digest. November 2017ElifTech
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Stephen de Vries
 
EVE Microservices Platform
EVE Microservices PlatformEVE Microservices Platform
EVE Microservices PlatformAlaa Qutaish
 
Neues aus dem Docker-Universum
Neues aus dem Docker-UniversumNeues aus dem Docker-Universum
Neues aus dem Docker-UniversumNicholas Dille
 
Microservices: why you're doing them wrong_Dmytro Lahoza
Microservices: why you're doing them wrong_Dmytro LahozaMicroservices: why you're doing them wrong_Dmytro Lahoza
Microservices: why you're doing them wrong_Dmytro LahozaKatherine Golovinova
 
DevSecOps overview and what one engineer can do_Dmytro Batiievskyi
DevSecOps overview and what one engineer can do_Dmytro BatiievskyiDevSecOps overview and what one engineer can do_Dmytro Batiievskyi
DevSecOps overview and what one engineer can do_Dmytro BatiievskyiKatherine Golovinova
 
Jenkins in the real world - DevOpsCon 2017
Jenkins in the real world - DevOpsCon 2017Jenkins in the real world - DevOpsCon 2017
Jenkins in the real world - DevOpsCon 2017Gianluca Arbezzano
 
WebAssembly with Rust
WebAssembly with RustWebAssembly with Rust
WebAssembly with RustKnoldus Inc.
 
Ecossistema Python Para Web
Ecossistema Python Para WebEcossistema Python Para Web
Ecossistema Python Para WebAllisson Azevedo
 
Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...Katherine Golovinova
 
GROOVY ON GRAILS
GROOVY ON GRAILSGROOVY ON GRAILS
GROOVY ON GRAILSziyaaskerov
 
pwnd.sh
pwnd.shpwnd.sh
pwnd.shChandrapal Badshah
 
Evaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkEvaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkSandeep Jayashankar
 
Nodejs
NodejsNodejs
NodejsBhushan Patil
 
DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon
 
Nodejs
NodejsNodejs
NodejsAkhil Gopan
 
Node.JS security
Node.JS securityNode.JS security
Node.JS securityDeepu S Nath
 
Quarkus tips, tricks, and techniques
Quarkus tips, tricks, and techniquesQuarkus tips, tricks, and techniques
Quarkus tips, tricks, and techniquesRed Hat Developers
 
Play 2 Java Framework with TDD
Play 2 Java Framework with TDDPlay 2 Java Framework with TDD
Play 2 Java Framework with TDDBasav Nagur
 
Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Alexey Dremin
 
Securing Application Deployments in CI/CD Environments (Updated slides: http:...
Securing Application Deployments in CI/CD Environments (Updated slides: http:...Securing Application Deployments in CI/CD Environments (Updated slides: http:...
Securing Application Deployments in CI/CD Environments (Updated slides: http:...Binu Ramakrishnan
 
Open Source and Secure Coding Practices
Open Source and Secure Coding PracticesOpen Source and Secure Coding Practices
Open Source and Secure Coding PracticesAll Things Open
 
Hijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughNico Meisenzahl
 
Node.js Basics
Node.js Basics Node.js Basics
Node.js Basics TheCreativedev Blog
 
RHSA BES Show 01
RHSA BES Show 01RHSA BES Show 01
RHSA BES Show 01Robert Strickland
 
Introduccion a la seguridad ocupacional
Introduccion a la seguridad ocupacionalIntroduccion a la seguridad ocupacional
Introduccion a la seguridad ocupacionaljupamova235
 

More Related Content

What's hot

Microservices: why you're doing them wrong_Dmytro Lahoza
Microservices: why you're doing them wrong_Dmytro LahozaMicroservices: why you're doing them wrong_Dmytro Lahoza
Microservices: why you're doing them wrong_Dmytro LahozaKatherine Golovinova
 
DevSecOps overview and what one engineer can do_Dmytro Batiievskyi
DevSecOps overview and what one engineer can do_Dmytro BatiievskyiDevSecOps overview and what one engineer can do_Dmytro Batiievskyi
DevSecOps overview and what one engineer can do_Dmytro BatiievskyiKatherine Golovinova
 
Jenkins in the real world - DevOpsCon 2017
Jenkins in the real world - DevOpsCon 2017Jenkins in the real world - DevOpsCon 2017
Jenkins in the real world - DevOpsCon 2017Gianluca Arbezzano
 
WebAssembly with Rust
WebAssembly with RustWebAssembly with Rust
WebAssembly with RustKnoldus Inc.
 
Ecossistema Python Para Web
Ecossistema Python Para WebEcossistema Python Para Web
Ecossistema Python Para WebAllisson Azevedo
 
Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...Katherine Golovinova
 
GROOVY ON GRAILS
GROOVY ON GRAILSGROOVY ON GRAILS
GROOVY ON GRAILSziyaaskerov
 
Evaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkEvaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkSandeep Jayashankar
 
DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon
 
Quarkus tips, tricks, and techniques
Quarkus tips, tricks, and techniquesQuarkus tips, tricks, and techniques
Quarkus tips, tricks, and techniquesRed Hat Developers
 
Play 2 Java Framework with TDD
Play 2 Java Framework with TDDPlay 2 Java Framework with TDD
Play 2 Java Framework with TDDBasav Nagur
 
Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Alexey Dremin
 
Securing Application Deployments in CI/CD Environments (Updated slides: http:...
Securing Application Deployments in CI/CD Environments (Updated slides: http:...Securing Application Deployments in CI/CD Environments (Updated slides: http:...
Securing Application Deployments in CI/CD Environments (Updated slides: http:...Binu Ramakrishnan
 
Open Source and Secure Coding Practices
Open Source and Secure Coding PracticesOpen Source and Secure Coding Practices
Open Source and Secure Coding PracticesAll Things Open
 
Hijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughNico Meisenzahl
 

What's hot (20)

Microservices: why you're doing them wrong_Dmytro Lahoza
Microservices: why you're doing them wrong_Dmytro LahozaMicroservices: why you're doing them wrong_Dmytro Lahoza
Microservices: why you're doing them wrong_Dmytro Lahoza
 
DevSecOps overview and what one engineer can do_Dmytro Batiievskyi
DevSecOps overview and what one engineer can do_Dmytro BatiievskyiDevSecOps overview and what one engineer can do_Dmytro Batiievskyi
DevSecOps overview and what one engineer can do_Dmytro Batiievskyi
 
Jenkins in the real world - DevOpsCon 2017
Jenkins in the real world - DevOpsCon 2017Jenkins in the real world - DevOpsCon 2017
Jenkins in the real world - DevOpsCon 2017
 
WebAssembly with Rust
WebAssembly with RustWebAssembly with Rust
WebAssembly with Rust
 
Ecossistema Python Para Web
Ecossistema Python Para WebEcossistema Python Para Web
Ecossistema Python Para Web
 
Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...
 
GROOVY ON GRAILS
GROOVY ON GRAILSGROOVY ON GRAILS
GROOVY ON GRAILS
 
pwnd.sh
pwnd.shpwnd.sh
pwnd.sh
 
Evaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkEvaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK Framework
 
Nodejs
NodejsNodejs
Nodejs
 
DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...
 
Nodejs
NodejsNodejs
Nodejs
 
Node.JS security
Node.JS securityNode.JS security
Node.JS security
 
Quarkus tips, tricks, and techniques
Quarkus tips, tricks, and techniquesQuarkus tips, tricks, and techniques
Quarkus tips, tricks, and techniques
 
Play 2 Java Framework with TDD
Play 2 Java Framework with TDDPlay 2 Java Framework with TDD
Play 2 Java Framework with TDD
 
Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9
 
Securing Application Deployments in CI/CD Environments (Updated slides: http:...
Securing Application Deployments in CI/CD Environments (Updated slides: http:...Securing Application Deployments in CI/CD Environments (Updated slides: http:...
Securing Application Deployments in CI/CD Environments (Updated slides: http:...
 
Open Source and Secure Coding Practices
Open Source and Secure Coding PracticesOpen Source and Secure Coding Practices
Open Source and Secure Coding Practices
 
Hijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a Walkthrough
 
Node.js Basics
Node.js Basics Node.js Basics
Node.js Basics
 

Viewers also liked

Introduccion a la seguridad ocupacional
Introduccion a la seguridad ocupacionalIntroduccion a la seguridad ocupacional
Introduccion a la seguridad ocupacionaljupamova235
 
Presentación en power point de Montserrat Moreno Flores
Presentación en power point de Montserrat Moreno FloresPresentación en power point de Montserrat Moreno Flores
Presentación en power point de Montserrat Moreno FloresMontserrat Moreno Flores
 
Renaissance Dallas
Renaissance DallasRenaissance Dallas
Renaissance DallasJosh Johnson
 

Viewers also liked (6)

RHSA BES Show 01
RHSA BES Show 01RHSA BES Show 01
RHSA BES Show 01
 
Introduccion a la seguridad ocupacional
Introduccion a la seguridad ocupacionalIntroduccion a la seguridad ocupacional
Introduccion a la seguridad ocupacional
 
Reflexion modulo 1
Reflexion modulo 1 Reflexion modulo 1
Reflexion modulo 1
 
educacion
educacion educacion
educacion
 
Presentación en power point de Montserrat Moreno Flores
Presentación en power point de Montserrat Moreno FloresPresentación en power point de Montserrat Moreno Flores
Presentación en power point de Montserrat Moreno Flores
 
Renaissance Dallas
Renaissance DallasRenaissance Dallas
Renaissance Dallas
 

Similar to Devopsdays london: Let’s talk about security

Groovy In the Cloud
Groovy In the CloudGroovy In the Cloud
Groovy In the CloudJim Driscoll
 
Custom Runtimes for the Cloud
Custom Runtimes for the CloudCustom Runtimes for the Cloud
Custom Runtimes for the CloudCloudBees
 
Web security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersWeb security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersPhú Phùng
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrewLibbySchulze
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham
 
Web security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersWeb security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersPhú Phùng
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
Running Java Applications on Cloud Foundry
Running Java Applications on Cloud FoundryRunning Java Applications on Cloud Foundry
Running Java Applications on Cloud FoundryVMware Tanzu
 
Dev Ops Geek Fest: Automating the ForgeRock Platform
Dev Ops Geek Fest: Automating the ForgeRock PlatformDev Ops Geek Fest: Automating the ForgeRock Platform
Dev Ops Geek Fest: Automating the ForgeRock PlatformForgeRock
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendEric Smalling
 
Docker & aPaaS: Enterprise Innovation and Trends for 2015
Docker & aPaaS: Enterprise Innovation and Trends for 2015Docker & aPaaS: Enterprise Innovation and Trends for 2015
Docker & aPaaS: Enterprise Innovation and Trends for 2015WaveMaker, Inc.
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryPriyanka Aash
 
J2EE Performance And Scalability Bp
J2EE Performance And Scalability BpJ2EE Performance And Scalability Bp
J2EE Performance And Scalability BpChris Adkin
 
The DevOps paradigm - the evolution of IT professionals and opensource toolkit
The DevOps paradigm - the evolution of IT professionals and opensource toolkitThe DevOps paradigm - the evolution of IT professionals and opensource toolkit
The DevOps paradigm - the evolution of IT professionals and opensource toolkitMarco Ferrigno
 
The DevOps Paradigm
The DevOps ParadigmThe DevOps Paradigm
The DevOps ParadigmNaLUG
 

Similar to Devopsdays london: Let’s talk about security (20)

Webinar–Reviewing Modern JavaScript Applications
Webinar–Reviewing Modern JavaScript ApplicationsWebinar–Reviewing Modern JavaScript Applications
Webinar–Reviewing Modern JavaScript Applications
 
Groovy In the Cloud
Groovy In the CloudGroovy In the Cloud
Groovy In the Cloud
 
Custom Runtimes for the Cloud
Custom Runtimes for the CloudCustom Runtimes for the Cloud
Custom Runtimes for the Cloud
 
Web security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersWeb security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in Browsers
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Power of Azure Devops
Power of Azure DevopsPower of Azure Devops
Power of Azure Devops
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrew
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
 
Web security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersWeb security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsers
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
 
Running Java Applications on Cloud Foundry
Running Java Applications on Cloud FoundryRunning Java Applications on Cloud Foundry
Running Java Applications on Cloud Foundry
 
Dev Ops Geek Fest: Automating the ForgeRock Platform
Dev Ops Geek Fest: Automating the ForgeRock PlatformDev Ops Geek Fest: Automating the ForgeRock Platform
Dev Ops Geek Fest: Automating the ForgeRock Platform
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friend
 
Docker & aPaaS: Enterprise Innovation and Trends for 2015
Docker & aPaaS: Enterprise Innovation and Trends for 2015Docker & aPaaS: Enterprise Innovation and Trends for 2015
Docker & aPaaS: Enterprise Innovation and Trends for 2015
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec glory
 
J2EE Performance And Scalability Bp
J2EE Performance And Scalability BpJ2EE Performance And Scalability Bp
J2EE Performance And Scalability Bp
 
The DevOps paradigm - the evolution of IT professionals and opensource toolkit
The DevOps paradigm - the evolution of IT professionals and opensource toolkitThe DevOps paradigm - the evolution of IT professionals and opensource toolkit
The DevOps paradigm - the evolution of IT professionals and opensource toolkit
 
The DevOps Paradigm
The DevOps ParadigmThe DevOps Paradigm
The DevOps Paradigm
 

Recently uploaded

Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 

Recently uploaded (20)

Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 

Devopsdays london: Let’s talk about security

  • 1. DevOpsDays London: Let’s talk about Security Justin Cormack
  • 2. Justin Cormack Cambridge based developer at Docker @justincormack   2
  • 3. Co-author of Docker in the Trenches: Successful Production Deployment 3
  • 7. Ops“please,developers,can you write secure code?” Devs“please,ops,can you secure the environment for our code?” 7
  • 8. DevOps“This service needs to do these things and access these other services” DevOps“Ok,I will restrict its access in test and production to those actions” 8
  • 9. To get to this we need a domain specific manifest of types of actions a program can do,and a way to restrict it to just these. We want defence in depth –a single way of imposing restrictions only needs a single circumvention. 9
  • 11. 11
  • 12. Android permissions and intents were a good early model •  Certainly conversational... •  Good apart from the bit where the user clicks “Allow” 12
  • 13. 13
  • 14. pledge(2) •  System call to reduce ability to do things, grouped into different classes •  stdio rpath wpath cpath dpath tmppath fattr flock inet dns unix sendfd recvfd proc getpw tty ioctl prot_exec exec settime ps vminfo id pf audio 14
  • 15. if (pledge("stdio rpath wpath cpath", NULL) == -1) { perror("pledge"); exit(2); } 01. 02. 03. 04. 15
  • 16. Usability •  Within 6 months it had been introduced to over 400 programs •  Not a typical coding community, true •  Not the sole means of defence, adds defence in depth. •  There are only 8000 SELinux profiles on github after 18 years, and most are the same ones. 16
  • 18. •  Probably you are not writing Unix commands for OpenBSD •  Very domain specific rules eg exactly which files can be read •  Some of the specifics are less of a concern •  However, microservices are modelled on the Unix process model 18
  • 19. Content Security Policy for Web Applications •  Content headers for browsers limiting actions, defines none, urls or local only, or similar •  default-src script-src object-src style-src img-src media-src frame-src font-src connect-src form-action sandbox script-nonce plugin-types reflected-xss report-uri •  http://w3c.github.io/webappsec-csp/ •  Creating a CSP Policy from Scratch 19
  • 20. Content-Security-Policy "default-src 'none'; script-src 'self' https://www.google-analytics.com/; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; frame-src 'self' https://www.slideshare.net; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action 'none'; base-uri diogomonica.com www.diogomonica.com; report-uri https://report-uri.io/report/59e303e8e117668e8e166508913a6d1d;" 01. 02. 03. 04. 05. 06. 07. 08. 09. 10. 11. 20
  • 22. Docker supports lots of security mechanisms •  Namespaces, capabilities, SELinux, Apparmor, seccomp, iptables, networks (Linux likes different security subsystems) •  The defaults are really good, and work for almost everyone •  Containers are a very secure environment to run code. 22
  • 23. Not so friendly {"name": "accept4", "action": "SCMP_ACT_ALLOW", "args": []}, deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, docker run --cap-drop=sys_admin 01. 02. 03. 23
  • 24. Next steps •  Make the customisation easier for your use cases •  Increase uniformity •  Correlate the different types of option, so set different options in lockstep 24
  • 25. Types of role for microservices •  Client, server, or both •  Connects to specified hosts outside local network •  May not connect to certain types of host (finance, production) •  Must use encrypted connections to these hosts •  Document clear contracts about what is allowed 25
  • 26. Summary •  First talk about what your application needs to do •  Human readable and understandable •  Machine readable, testable and debuggable. •  Declarative •  Domain specific 26
  • 27. Talk!