
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13


Data and policy driven approach for container security and compliance using open-source Anchore. Presented at Docker Meetup LA 2/13/2017 including demos


  1. Open-Source Tools for Security and Compliance with Docker. Zach Hill, Principal Engineer, Anchore Inc. 2/13/2016
  2. Containers require an updated approach
  3. Lots of external inputs. October 2016: 6 billion pulls from Docker Hub; over 375,000 public images and growing ...
  4. Image Scanning. source:
  5. Image Scanning Space: several vendors offer image scanning as part of their solution (registry providers, SDLC infrastructure, security solutions, etc.). Typically a secondary feature that focuses on CVE scanning.
  6. Image scanning: What's in that container?
     ● Application container? Are you sure?
     ● Simplest: packages and CVEs
     ● ADD? COPY?
     ● Dockerfile?
     ● Gems, NPMs, jars
     ● id_rsa? .aws/credentials?
  7. What to check:
     - Analysis and reporting on operating system packages: required packages, blacklisted packages, non-official packages, required package versions, available updates that address non-security bugs
     - Artifacts that should not be present in your image, such as source code and secrets (API keys, passwords, etc.)
     - Images may contain many 3rd-party components not provided by the operating system vendor, such as Node.js NPM, Ruby GEMs, Python PIP, Perl CPAN and Java archives
     - Configuration files for the operating system, middleware and application components
     - Image configuration such as the Dockerfile should be validated to ensure that it complies with best practices and your corporate standards
     - Any element in the image can be checked, including file permissions and the presence of unpackaged files that are not part of standard packages or libraries
  8. Image Signing? necessary < signing < sufficient
  9. "Compliance"?
     Traditional definition:
     • Externally defined, externally audited
     • PCI, HIPAA, etc.
     General compliance: your org's requirements
     • Driven by your ops and environment requirements
     • Best-practices audits and enforcement
     Define your criteria and enforce/monitor them
     • How the image is constructed & the final output image
     • Block usage or just notify? Your choice
     • Integrate where it makes sense for your workflow
     • No registry or platform requirements
  10. Anchore Overview: open-source analysis and policy for container images
     • Policy-driven
     • Deep inspection of the container image
     • General framework, not just security
     • Only depends on Docker
     • Open-source and extensible
     • Easily add your own scripts to any stage
     • Similar to SystemV init scripts: drop code in the right place and it just works
     Ecosystem monitoring and alerting
     • Navigate and keep track of the image ecosystem: online Navigator for UI and notification of public images
  11. Anchore Overview (architecture diagram)
     Anchore Navigator: image discovery, notifications, monitor dependent images, public registries
     Anchore CLI tools (● pip install anchore, ● docker run anchore/cli): local analysis, policy and gates; build local db; local policy enforcement and definition
     Jenkins Plugin
  12. Why does open source matter for security? Trust, but verify.
  13. Anchore Engine Flow
     Analysis: extract image metadata and data
     • Examine the image itself and extract data like files, pkgs, etc.
     • Includes Dockerfile analysis
     • No actions
     Gates: analysis + policy
     • Use analysis output and gate modules to define and detect trigger conditions
     • Evaluate trigger conditions against user policy to emit actions (GO|WARN|STOP)
     Queries: examine analysis data directly at any time
     • Query modules run against the analysis db only
     • Diffs, multi-image queries, statistics, etc.
  14. Navigator:
  15. CLI:
  17. CI/CD: Jenkins Plugin
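The Analysis, then Gates, then Policy flow from slide 13, as an added illustrative example (not Anchore's own code or its policy syntax): a small gate evaluator over constructed analysis output, with blacklisted-package, secret-file and Dockerfile ADD checks drawn from slides 6 and 7. The gate and trigger names, the dict layouts and the sample image contents are assumptions made for the example.

```python
import re

# Added example, not Anchore code: a minimal model of analysis -> gates -> policy.
# Severity order used to pick the final action when several triggers fire.
ACTION_RANK = {"GO": 0, "WARN": 1, "STOP": 2}

# Constructed analysis output for one image: what the analysis stage would extract.
SAMPLE_ANALYSIS = {
    "packages": {"openssl": "1.0.1e", "telnet": "0.17", "curl": "7.52.1"},
    "files": ["/app/server.py", "/root/.ssh/id_rsa", "/etc/passwd"],
    "dockerfile": ["FROM ubuntu:16.04", "ADD . /app", "RUN apt-get install -y telnet"],
}

# Gate modules: detect trigger conditions from analysis data and return
# (trigger_name, detail) pairs. Actions are decided later, by the user policy.
def pkg_blacklist_gate(analysis, params):
    return [("PKGBLACKLIST", name) for name in params.get("blacklist", [])
            if name in analysis["packages"]]

def secret_scan_gate(analysis, params):
    # Flag file paths matching secret-like patterns (slide 6: id_rsa, .aws/credentials).
    return [("SECRETFILE", path) for path in analysis["files"]
            if any(re.search(p, path) for p in params.get("patterns", []))]

def dockerfile_gate(analysis, params):
    # Flag ADD instructions when the policy forbids them (slide 6: ADD? COPY?).
    return [("NOADD", line) for line in analysis["dockerfile"]
            if params.get("forbid_add") and line.split(" ", 1)[0] == "ADD"]

GATES = {"PKGCHECK": pkg_blacklist_gate, "SECRETCHECK": secret_scan_gate,
         "DOCKERFILECHECK": dockerfile_gate}

# Constructed user policy: per gate, its parameters and an action per trigger.
SAMPLE_POLICY = {
    "PKGCHECK": {"params": {"blacklist": ["telnet", "rsh"]},
                 "actions": {"PKGBLACKLIST": "STOP"}},
    "SECRETCHECK": {"params": {"patterns": [r"/id_rsa$", r"/\.aws/credentials$"]},
                    "actions": {"SECRETFILE": "STOP"}},
    "DOCKERFILECHECK": {"params": {"forbid_add": True}, "actions": {"NOADD": "WARN"}},
}

def evaluate(analysis, policy):
    """Run each gate named in the policy, map its triggers to actions, and return
    (final_action, findings); the final action is the most severe one triggered."""
    findings = []
    for gate_name, cfg in policy.items():
        for trigger, detail in GATES[gate_name](analysis, cfg["params"]):
            findings.append((gate_name, trigger, detail, cfg["actions"].get(trigger, "GO")))
    final = max((f[3] for f in findings), key=ACTION_RANK.get, default="GO")
    return final, findings
```

Calling `evaluate(SAMPLE_ANALYSIS, SAMPLE_POLICY)` yields STOP for the sample image because of the blacklisted telnet package and the id_rsa file, with the ADD instruction recorded as a WARN; a CI step would block or merely notify on that result, as slide 9 describes.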