Practical Steps For Securing Containers - Liz Rice


Security is a key concern for application developers and operations teams, as well as security professionals. What do I need to do in the face of new threats like Meltdown and Spectre? What happens when the next big issue comes along? What should my priorities be? How do containers help? In this talk we’ll demonstrate some common attacks live, and show how you can effectively defend your container deployment against them, using a combination of best practices, configuration, and tools.


  1. Practical steps for securing containers. Liz Rice (with credits to Justin Cormack at Docker). @lizrice | @aquasecteam. Copyright 2018 Aqua Security Software Ltd. All Rights Reserved.
  2. Bad headlines
  3. (image only)
  4. (image only)
  5. Pipeline: Code, Test, Build, Hosts, Run, Observe
  6. Principles, one per pipeline stage: Code quality; Security testing; Security policies; Minimal attack surface; Least privilege; Defence in depth
  7. Code: Code quality. Security starts in development.
  8. (image only)
  9. Code quality: Static analysis; Code review
  10. Test: Security testing. Catch problems early.
  11. GDPR compliance. "(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage." Regulation (EU) 2016/679 of the European Parliament, recital 83.
  12. (image only)
  13. Security testing: Automated testing is not just for functions.
  14. Build: Security policies. Always be in compliance.
  15. PCI compliance. "6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Deploy critical patches within a month of release. 6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities. Risk rankings should be based on industry best practices and guidelines. Ranking vulnerabilities is a best practice that will become a requirement on July 1, 2012." Payment Card Industry Data Security Standard version 2.0.
  16. MicroScanner. Dockerfile.wp, which runs the scanner against the filesystem of the image being built:

      # Dockerfile.wp
      FROM wordpress:demo
      # Copy the scanner binary into the image so it can inspect the installed packages
      COPY microscanner /microscanner
      RUN chmod +x /microscanner
      # The MicroScanner token is supplied at build time rather than baked into the base image
      ARG token
      # Scan, writing an HTML report into the image layer
      RUN /microscanner --html ${token} > /ms-out.html

      Build command, passing the token as a build argument:

      docker build -f Dockerfile.wp --build-arg=token=$TOKEN .

      Note that build arguments are recorded in the image history, so an image built this way is a scan artifact, not something to ship.
  17. MicroScanner: report output (image only)
  18. Security policies: Scanning tools; Image admission controls
  19. Hosts: Host configuration. Don't make it easy for attackers.
  20. Host vulnerabilities: Files directly on host machine(s); Files in container images
  21. Host vulnerabilities (image only)
  22. Host configuration: CIS Docker Benchmark; CIS Kubernetes Benchmark
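Slide 22 points at the CIS Docker and Kubernetes Benchmarks, and the closing links point at kube-bench, which automates the Kubernetes one. As an added example for this page (not kube-bench, not docker-bench-security, and not code from the talk), here is a small POSIX shell check of a Docker daemon.json against a handful of daemon settings in the spirit of the CIS Docker Benchmark. The keys are real daemon.json options; the one-line rationales are paraphrased rather than quoted from the benchmark, and the check is a text match on the config file rather than an inspection of the running daemon, which is what the real benchmarks do.

```shell
# Added example (not kube-bench or docker-bench-security): CIS-style checks of
# a Docker daemon.json. Keys are real daemon.json options; rationales are
# paraphrased. Usage: check_daemon_json /etc/docker/daemon.json
# Prints one PASS:/FAIL: line per check and returns the number of failures.

# Succeeds when FILE contains "KEY": VALUE, ignoring whitespace around the colon.
# VALUE is an extended regex (e.g. true, false, or "[^"]+" for any string).
has_setting() {
    file=$1; key=$2; value=$3
    grep -Eq "\"$key\"[[:space:]]*:[[:space:]]*$value" "$file"
}

check_daemon_json() {
    file=$1
    fails=0
    [ -r "$file" ] || { echo "FAIL: $file not readable (daemon runs with all defaults)"; return 1; }

    # key|required value (regex)|why it matters
    while IFS='|' read -r key value why; do
        if has_setting "$file" "$key" "$value"; then
            echo "PASS: $key ($why)"
        else
            echo "FAIL: $key should be $value ($why)"
            fails=$((fails + 1))
        fi
    done <<EOF
icc|false|containers cannot reach each other unless explicitly networked together
userns-remap|"[^"]+"|user namespace remapping, so root in a container is not root on the host
no-new-privileges|true|setuid binaries cannot escalate inside containers by default
live-restore|true|containers survive daemon restarts, which makes patching the daemon cheaper
userland-proxy|false|published ports use iptables rules instead of a root-owned proxy process
EOF

    # A TCP listener without TLS client verification is root on the host for
    # anyone who can reach the port.
    if grep -Eq '"hosts"[[:space:]]*:.*tcp://' "$file" && ! has_setting "$file" tlsverify true; then
        echo "FAIL: daemon listens on tcp:// without tlsverify"
        fails=$((fails + 1))
    fi
    return "$fails"
}
```

The return code is the failure count, so the function drops straight into a CI job or a configuration-management test; a missing or unreadable file is itself a failure, because a daemon with no daemon.json is running with every default.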
  23. (image only)
  24. Run: Least privilege. Only give what you need.
  25. (image only)
  26. Least privilege: Minimize bind mounts; Set USER in Dockerfile; Avoid --privileged
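Slide 26's three items, together with the "read-only, limit privileges" action in the closing summary, are the things most often undone by a convenient flag on a docker run line. As an added example for this page (not a tool from the talk or from Aqua), here is a POSIX shell pre-flight check over a `docker run` command line that reports the flags which violate those items. The options it matches are real docker run options; which host paths it treats as sensitive and which capabilities it flags are this example's own judgement calls, and the image names in the comments are made up.

```shell
# Added example (not from the talk or from Aqua): audit a `docker run` command
# line against the least-privilege items on the slide.
# Usage:  audit_docker_run docker run [OPTIONS] IMAGE [COMMAND...]
# Prints one "FINDING:" line per problem (and a NOTE where it cannot decide),
# returns 0 when there are no findings and 1 otherwise.
#
# A run line that passes (flags are real; image name is made up):
#   docker run --rm --read-only --cap-drop=ALL --security-opt=no-new-privileges \
#       --user 1000:1000 --tmpfs /tmp -v appdata:/data myorg/app:1.2.3

# Bind-mount sources that effectively hand the container the host (this
# example's own list).
is_sensitive_host_path() {
    case "$1" in
        /|/etc|/etc/*|/proc|/proc/*|/sys|/sys/*|/dev|/dev/*|/root|/root/*|/var/run/docker.sock|/run/docker.sock) return 0 ;;
        *) return 1 ;;
    esac
}

# Inspect one -v/--volume/--mount argument. Named volumes are not bind mounts
# and pass; any host-path mount is reported, sensitive ones more loudly.
check_mount_spec() {
    spec=$1 src=""
    case "$spec" in
        type=bind,*|*,type=bind,*|*,type=bind)
            # --mount syntax: type=bind,source=/host/path,target=/container/path
            src=$(printf '%s\n' "$spec" | tr ',' '\n' | sed -n -e 's/^source=//p' -e 's/^src=//p') ;;
        /*) src=${spec%%:*} ;;     # -v /host/path:/container/path[:options]
        *)  return 0 ;;            # named or anonymous volume
    esac
    [ -n "$src" ] || return 0
    if is_sensitive_host_path "$src"; then
        echo "FINDING: bind mount of sensitive host path $src"
    else
        echo "FINDING: bind mount of host path $src (minimize bind mounts)"
    fi
    return 1
}

audit_docker_run() {
    findings=0 user_set=0
    [ "$1" = "docker" ] && shift
    [ "$1" = "run" ] && shift
    while [ $# -gt 0 ]; do
        case "$1" in
            --privileged)
                echo "FINDING: --privileged grants all capabilities and every host device"
                findings=$((findings + 1)) ;;
            -v|--volume|--mount)
                shift; check_mount_spec "$1" || findings=$((findings + 1)) ;;
            -v=*|--volume=*|--mount=*)
                check_mount_spec "${1#*=}" || findings=$((findings + 1)) ;;
            -u|--user)     shift; user_set=1 ;;
            -u=*|--user=*) user_set=1 ;;
            --pid=host|--net=host|--network=host|--ipc=host|--userns=host)
                echo "FINDING: $1 shares a host namespace with the container"
                findings=$((findings + 1)) ;;
            --pid|--net|--network|--ipc|--userns)
                flag=$1; shift
                if [ "$1" = "host" ]; then
                    echo "FINDING: $flag host shares a host namespace with the container"
                    findings=$((findings + 1))
                fi ;;
            --cap-add|--cap-add=*)
                [ "$1" = "--cap-add" ] && shift
                cap=${1#--cap-add=}; cap=${cap#CAP_}
                case "$cap" in
                    ALL|SYS_ADMIN|SYS_MODULE|SYS_PTRACE|DAC_READ_SEARCH)
                        echo "FINDING: --cap-add $cap grants a high-impact capability"
                        findings=$((findings + 1)) ;;
                esac ;;
            --security-opt|--security-opt=*)
                [ "$1" = "--security-opt" ] && shift
                case "${1#--security-opt=}" in
                    seccomp=unconfined|apparmor=unconfined)
                        echo "FINDING: ${1#--security-opt=} turns off a default runtime profile"
                        findings=$((findings + 1)) ;;
                esac ;;
            # Other options that take a separate value: skip the value as well.
            -p|--publish|-e|--env|--env-file|--name|-w|--workdir|--entrypoint|-l|--label|-m|--memory|--cpus|--restart|-h|--hostname|--add-host|--dns|--tmpfs|--device|--cap-drop|--log-driver)
                shift ;;
            -*) ;;        # valueless flags, or --flag=value forms not audited here
            *) break ;;   # first positional argument is the image: stop here
        esac
        [ $# -gt 0 ] && shift
    done
    if [ "$user_set" -eq 0 ]; then
        echo "NOTE: no --user; the container runs as the image default (root unless the Dockerfile sets USER)"
    fi
    [ "$findings" -eq 0 ]
}
```

The missing `--user` case is only a NOTE, because the check cannot see whether the image's Dockerfile already sets USER, which is the slide's preferred fix; everything else on the slide can be decided from the command line alone.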
  27. Observe: Runtime protection. Spot unexpected behaviour.
  28. (image only)
  29. Runtime protection: Seccomp / AppArmor; Commercial tools; New runtimes
  30. Actions: Static analysis; Automated scanning; TLS checks; Minimal container OS; Read-only, limit privileges; Runtime protection
  31. Principles and actions side by side. Principles: Code quality; Security testing; Security policies; Minimal attack surface; Least privilege; Defence in depth. Actions: Static analysis; TLS checks; Automated scanning; Minimal container OS; Read-only, limit privileges; Runtime protection
  32. (image only)
  33. Links: github.com/aquasecurity/microscanner, github.com/aquasecurity/kube-bench, github.com/lizrice/no-meltdown
