Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
The How and Why of
Container Vulnerability
Management
OpenShift Commons
#whoami – Tim Mackey
Current roles: Senior Technical Evangelist; Occasional coder
• Former XenServer Community Manager in ...
Understanding the
Attacker Model
Vulnerability Management Implies Data Breach Management
 89% of data breaches had a
financial or espionage motive
 Legal...
Attackers Decide What’s Valuable …
But security investment is often not aligned with actual risks
Anatomy of a New Attack
Potential Attack
Iterate
Test against platforms
Document
Don’t forget PR department!
Deploy
Control
Domain
NetworkingCompute Storage
Hypervisor
Container
VM
Minimal OS
Understanding Scope of Compromise – Protect Fr...
Exploiting a
Vulnerability
CLOSED SOURCE COMMERCIAL CODE
• DEDICATED SECURITY RESEARCHERS
• ALERTING AND NOTIFICATION INFRASTRUCTURE
• REGULAR PATCH ...
Knowledge is Key. Can You Keep Up?
glibc
Bug
Reported
July 2015
Vuln: CVE-2015-7547: glibc getaddrinfo stack-based
buffer ...
Knowledge is Key. Can You Keep Up?
glibc
Vuln
Introduced
May 2008
glibc
Bug
Reported
July 2015
CVE-2015-
7547
CVE
Assigned...
Knowledge is Key. Can You Keep Up?
glibc
Vuln
Introduced
May 2008
CVE-2015-
7547
CVE
Assigned
Feb 16-2016
glibc
Bug
Report...
Knowledge is Key. Can You Keep Up?
glibc
Vuln
Introduced
National
Vulnerability
Database
Vuln
Published
You
Find It
May 20...
Understanding Vulnerability Impact
0
500
1000
1500
2000
2500
3000
3500
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
O...
Container Production Growth Continues
Securing the
Container
Contents and
Environment
Baseline to Limit the Scope of Compromise
• Enable Linux Security Modules
• SELinux
• --selinux-enabled on Docker engine, ...
Red Hat Enterprise Linux Atomic Host 7
• What is Atomic Host?
• Optimized RHEL7 variation designed for use with Docker
• U...
Container Source Trust
Red Hat Atomic Host
AtomicApp
AtomicApp
AtomicApp
Red Hat Registry
MySQL
Redis
Jenkins
Docker Hub
D...
OpenSCAP vs. Black Duck Hub
OpenSCAP
• Profile driven compliance policy engine
• Vendor vulnerability data is but one comp...
A DONATION HAPPILY GIVEN
TO THE DEMO GODS
Risk Mitigation Shrinks Scope of Compromise
Open source license compliance
• Ensure project dependencies are understood
Us...
7 of the top 10
Software Companies
(44 of the top 100)
6 of the top 8
Mobile Handset Vendors
6 of the top 10
Investment Ba...
8,500
WEBSITES
350
BILLION LINES OF CODE
2,400
LICENSE TYPES
1.5
MILLION PROJECTS
76,000
VULNERABILITIES
• Largest databas...
Black Duck Hub Security Architecture
Hub Scan1 File and Directory Signatures2 Open Source
Component Identified
3
Hub Web A...
We Need Your Help
Knowledge is power
• Know what’s running and why
• Define proactive vulnerability response process
• Don...
Free Black Duck Container Tools
Free Docker Container Security Scanner
• https://info.blackducksoftware.com/Security-Scan....
Know Your Code®
Upcoming SlideShare
Loading in …5
×

The How and Why of Container Vulnerability Management

706 views

Published on

As presented at OpenShift Commons Sept 8, 2016.

Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to application issues attackers choose to exploit, it’s critical to have visibility into both what is in your container library, but also what the current state of vulnerability activity might be. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform.

In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.


Published in: Internet
  • Be the first to comment

  • Be the first to like this

The How and Why of Container Vulnerability Management

  1. 1. The How and Why of Container Vulnerability Management OpenShift Commons
  2. 2. #whoami – Tim Mackey Current roles: Senior Technical Evangelist; Occasional coder • Former XenServer Community Manager in Citrix Open Source Business Office Cool things I’ve done • Designed laser communication systems • Early designer of retail self-checkout machines • Embedded special relativity algorithms into industrial control system Find me • Twitter: @TimInTech ( https://twitter.com/TimInTech ) • SlideShare: slideshare.net/TimMackey • LinkedIn: www.linkedin.com/in/mackeytim
  3. 3. Understanding the Attacker Model
  4. 4. Vulnerability Management Implies Data Breach Management  89% of data breaches had a financial or espionage motive  Legal costs and forensics dominate remediation expenses Source: Verizon 2016 Data Breach Report
  5. 5. Attackers Decide What’s Valuable …
  6. 6. But security investment is often not aligned with actual risks
  7. 7. Anatomy of a New Attack Potential Attack Iterate Test against platforms Document Don’t forget PR department! Deploy
  8. 8. Control Domain NetworkingCompute Storage Hypervisor Container VM Minimal OS Understanding Scope of Compromise – Protect From the Inside Container Container Container Container VM Minimal OS Container Container Container SecurityService Container
  9. 9. Exploiting a Vulnerability
  10. 10. CLOSED SOURCE COMMERCIAL CODE • DEDICATED SECURITY RESEARCHERS • ALERTING AND NOTIFICATION INFRASTRUCTURE • REGULAR PATCH UPDATES • DEDICATED SUPPORT TEAM WITH SLA OPEN SOURCE CODE • “COMMUNITY”-BASED CODE ANALYSIS • MONITOR NEWSFEEDS YOURSELF • NO STANDARD PATCHING MECHANISM • ULTIMATELY, YOU ARE RESPONSIBLE Who is Responsible for Code and Security?
  11. 11. Knowledge is Key. Can You Keep Up? glibc Bug Reported July 2015 Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
  12. 12. Knowledge is Key. Can You Keep Up? glibc Vuln Introduced May 2008 glibc Bug Reported July 2015 CVE-2015- 7547 CVE Assigned Feb 16-2016 Low Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
  13. 13. Knowledge is Key. Can You Keep Up? glibc Vuln Introduced May 2008 CVE-2015- 7547 CVE Assigned Feb 16-2016 glibc Bug Reported July 2015 National Vulnerability Database Vuln Published Feb 18-2016 Moderate Security Risk Low Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
  14. 14. Knowledge is Key. Can You Keep Up? glibc Vuln Introduced National Vulnerability Database Vuln Published You Find It May 2008 CVE-2015- 7547 CVE Assigned Feb 16-2016 Feb 18-2016 glibc Bug Reported July 2015 Patches Available You Fix It Highest Security Risk Moderate Security Risk Low Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
  15. 15. Understanding Vulnerability Impact
  16. 16. 0 500 1000 1500 2000 2500 3000 3500 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Open Source Vulnerabilities Reported Per Year BDS-exclusive nvd Reference: Black Duck Software KnowledgeBase, NVD Vulnerability Disclosures Trending Upward
  17. 17. Container Production Growth Continues
  18. 18. Securing the Container Contents and Environment
  19. 19. Baseline to Limit the Scope of Compromise • Enable Linux Security Modules • SELinux • --selinux-enabled on Docker engine, --security-opt=“label:profile” • Apply Linux kernel security profiles • grsecurity, PaX and seccomp protections for ALSR and RBAC • Adjust privileged kernel capabilities • Reduce capabilities with --cap-drop • Beware –cap-add and –privileged=false, and CAP_SYS_ADMIN • Use a minimal Linux host OS • Red Hat Enterprise Linux Atomic Host 7 • Reduce impact of noisy neighbors • Use cgroups to set CPU shares and memory
  20. 20. Red Hat Enterprise Linux Atomic Host 7 • What is Atomic Host? • Optimized RHEL7 variation designed for use with Docker • Uses SELinux for safeguards • Provides atomic upgrade and rollback capabilities via rpm-ostree • Pre-installed with Docker and Kubernetes • Atomic App and Atomic Nulecule • Provides a model for multi-container application definition • Supports Docker, Kubernetes, OpenShift and Mesos • OpenShift artifacts run natively or via atomic provider • Provides security compliance scan capabilities
  21. 21. Container Source Trust Red Hat Atomic Host AtomicApp AtomicApp AtomicApp Red Hat Registry MySQL Redis Jenkins Docker Hub DockerContainer DockerContainer DockerContainer DockerContainer DockerContainer Third Party and Custom Problem: Who to trust, and why? • Trusted source? • Unexpected image contents • Locked application layer versions (e.g. no yum update) • Layer dependencies (monolithic vs micro-services) • Validated when?
  22. 22. OpenSCAP vs. Black Duck Hub OpenSCAP • Profile driven compliance policy engine • Vendor vulnerability data is but one component of policy • Integrated directly with Red Hat Atomic • Usage: atomic scan --scanner openscap {container id} Black Duck Hub integration with Red Hat Atomic • Broad vulnerability data for most open source components • Covers vulnerability, license compliance and operational risk • Integrated with Red Hat Atomic • Rich tooling integration for development teams • Installed via: atomic install blackducksoftware/atomic • Usage: atomic scan --scanner blackduck {container id}
  23. 23. A DONATION HAPPILY GIVEN TO THE DEMO GODS
  24. 24. Risk Mitigation Shrinks Scope of Compromise Open source license compliance • Ensure project dependencies are understood Use of vulnerable open source components • Is component a fork or dependency? • How is component linked? Operational risk • Can you differentiate between “stable” and “dead”? • Is there a significant change set in your future? • API versioning • Security response process for project
  25. 25. 7 of the top 10 Software Companies (44 of the top 100) 6 of the top 8 Mobile Handset Vendors 6 of the top 10 Investment Banks 24 Countries 250+ Employees 1,800Customers Who is Black Duck Software? 27Founded 2002
  26. 26. 8,500 WEBSITES 350 BILLION LINES OF CODE 2,400 LICENSE TYPES 1.5 MILLION PROJECTS 76,000 VULNERABILITIES • Largest database of open source project information in the world. • Vulnerabilities coverage extended through partnership with Risk Based Security. • The KnowledgeBase is essential for identifying and solving open source issues. Comprehensive KnowledgeBase
  27. 27. Black Duck Hub Security Architecture Hub Scan1 File and Directory Signatures2 Open Source Component Identified 3 Hub Web Application Black Duck KnowledgeBase On Premises Black Duck Data Center
  28. 28. We Need Your Help Knowledge is power • Know what’s running and why • Define proactive vulnerability response process • Don’t let technology hype cycle dictate security Invest in defense in depth models • Don’t rely on perimeter security to do heavy lifting • Do look at hypervisor & container trends in security • Make developers and ops teams part of the solution • Focus attention on vulnerability remediation Together we can build a more secure data center
  29. 29. Free Black Duck Container Tools Free Docker Container Security Scanner • https://info.blackducksoftware.com/Security-Scan.html 14 Day Free Trial to Black Duck Hub • https://info.blackducksoftware.com/Demo.html • Red Hat Atomic Host Integration (Requires Black Duck Hub) 1. atomic install blackducksoftware/atomic 2. atomic scan --scanner blackduck [container]
  30. 30. Know Your Code®

×