Docker container security
Jul. 2, 2020•0 likes•874 views
Download to read offline
Report
Software
The continued adoption of containers for deployments has introduced a new path for security issues. In this talk, we will cover the most common areas of vulnerabilities, the challenges in securing your containers, some good practices to help overcome these issues and how to run container security scanning as part of your deployment pipeline.
ThoughtworksFollow
More Related Content
What's hot
Azure dev opsVishwas N
From Zero to Hero: Continuous Container Security in 4 Simple StepsDevOps.com
Hacking into your containers, and how to stop it!Eric Smalling
DCSF19 Containerized Databases for Enterprise ApplicationsDocker, Inc.
Csa container-security-in-aws-dwCloud Security Alliance, UK chapter
Kubernetes securityThomas Fricke
Similar to Docker container security
Testing Docker Images SecurityJose Manuel Ortega Candel
Docker Containers SecurityStephane Woillez
Testing Docker Images Security -All day dev ops 2017Jose Manuel Ortega Candel
Docker Security and Content Trustehazlett
"Docker best practice", Станислав Коленкин (senior devops, DataArt)DataArt
Docker best Practicesjeetendra mandal
More from Thoughtworks
Design System as a ProductThoughtworks
Designers, Developers & DogsThoughtworks
Cloud-first for fast innovationThoughtworks
More impact with flexible teamsThoughtworks
Culture of InnovationThoughtworks
Dual-Track AgileThoughtworks
Recently uploaded
Salesforce @AXA.pdfPatrickYANG48
Citi Tech Talk Disaster Recovery Solutions Deep Diveconfluent
Kubernetes with Cilium in AWS - Experience Report!QAware GmbH
The Next Era of CRM.pdfPatrickYANG48
Database Storage Engine InternalsAdewumiSunkanmi
ROAD TO NODES - Intro to Neo4j + NeoDash.pdfNeo4j
Docker container security
- 1. © 2020 ThoughtWorks Exploring Docker container security: Risks and good practices Marina Kjaer & Mónica Calderaro
- 2. Mónica Calderaro © 2020 ThoughtWorks Software Developer Marina Kjaer Software Developer @MonicaCRey
- 3. Security is a HUGE topic © 2020 ThoughtWorks
- 4. © 2020 ThoughtWorks The main challenges are that Containers are complex, the lack of isolation and the complexity of the ecosystem.
- 5. Build Ship Run Container lifecycle ● Code Analysis ● Image Hardening ● Image Scanning ● Image signing ● Resources Control ● User Access Control ● Host and Kernel security ● Access Controls ● Other Resources
- 6. Image Development Safety Use a Dockerfile linter Add a linter into your workflow to catch common security mistakes early Build Ship Run
- 7. Image Development Safety Identify and find any known vulnerabilities that may be present in an image. Docker image security scanning Build Ship Run
- 8. Image Development Safety Multistage builds Keep your image in production a small as possible by creating 2 or more containers. The first one uses all tools and libraries to build the application, the second just runs the output from the first. Build Ship Run
- 9. Image Development Safety Use a trusted image Use a minimal base image With the bare minimum that's needed for your app, for example Distroless. Build Ship Run
- 10. Image Development Safety Choose more specific tags as opposed to latest. Use fixed tags for immutability Build Ship Run
- 11. Image Development Safety Signatures allow client-side or runtime verification of the integrity and publisher of specific image tags. Verify Images to be signed Build Ship Run
- 12. Build Ship Run Container lifecycle ● Code Analysis ● Image Hardening ● Image Scanning ● Image signing ● Resources Control ● User Access Control ● Host and Kernel security ● Access Controls ● Other Resources
- 13. Image reliability Signing Images Trusted sources could include Official Docker Images, or User trusted sources signed with Docker Content Trust. Build Ship Run
- 14. Restrict Resources Build Ship Run Set resource quotas Resource quotas allow you to limit the amount of memory and CPU resources that a container can consume.
- 15. Restrict access Role Based Access Control Based on teams function, assigns no access, view only, restricted control, or full control permissions. Build Ship Run
- 16. Build Ship Run Container lifecycle ● Code Analysis ● Image Hardening ● Image Scanning ● Image signing ● Resources Control ● User Access Control ● Host and Kernel security ● Access Controls ● Other Resources
- 17. Limit Privileges Isolate containers with a user namespace Namespaces provide isolation for running processes, limiting their access to system resources without the running process being aware of the limitations. Build Ship Run
- 18. Limit Privileges Control groups They provide many useful metrics, but they also help ensure that each container gets its fair share of resources. Build Ship Run
- 19. Limit Privileges Rootless mode Run the Docker daemon as a non-root user. Build Ship Run
- 20. Protect resources API and network security Docker containers typically rely heavily on APIs and networks to communicate with each other. Build Ship Run
- 21. © 2020 ThoughtWorks Demo time © 2020 ThoughtWorks
- 22. Build Ship Run Let’s recap With the bare minimum and from trusted sources With controlled resources With the right permissions
- 23. Resources ● https://docs.docker.com/ ● https://resources.whitesourcesoftware.com/blog-w hitesource/docker-container-security-challenges-an d-best-practices ● https://www.trendmicro.com/ ● https://snyk.io/ ● https://neuvector.com/ ● https://containerjournal.com/ ● https://www.redhat.com/en/topics/security/contain er-security © 2020 ThoughtWorks ● https://docs.mirantis.com/docker-enterprise/v3.0/d ockeree-products/ucp.html ● https://sysdig.com/blog/7-docker-security-vulnerabil itie ● https://washraf.gitbooks.io/the-docker-ecosystem/c ontent/Chapter%201/Section%203/Control%20Grou ps.html
- 24. Continue the conversation on Slack © 2020 ThoughtWorks XConfEurope2020 xconfeurope2020.slack.com #talk2-docker-container-security #XConfOnline