
If it's in a Container it's Secure Right? Scott Coulton, AutoPilot HQ



Audience: Beginner

Topic: Cloud Security

Abstract: In this talk we will look at the different layers of security that can be applied to a container ecosystem and each team's responsibility in that ecosystem for delivering security.

From the sysadmin's point of view: how do I make sure the container daemon is secured, and what official hardening guides are out there to follow? From an application developer's point of view: how do seccomp and AppArmor work to make sure that only the application's processes have access to the host machine? Now that we have the local container secured, how do we make sure our deployments follow the same structure and security profiles? Can we add security checks to our container CD pipeline like we would quality gates? Lastly, we will look at it from the point of view of the security team: how can they have input into all the steps we have taken from the beginning of the process and not the end, allowing all the teams to work together and break down silos to deliver a solution?

Speaker Bio: Scott Coulton, AutoPilot HQ

Scott Coulton is a solutions architect with 10 years of experience in the managed services and hosting space. He has extensive experience in architecture, and rolling out systems and network solutions for national and multinational companies with a wide variety of technologies, including AWS, Puppet, Docker, Cisco, VMware, Microsoft and Linux. His design strengths are in cloud computing, automation and the security space.

OpenStack Australia Day Government - Canberra 2016

Published in: Technology

  1. If it’s in a container it’s secure, right? A guide to container security by @scottcoulton
  2. About me. Platform engineering lead @
  3. Does the traditional infosec toolchain work efficiently in a world where a container’s average lifespan is 2 days?
  4. 1. Intro. What we will cover:
     • How is container security different? Does traditional security fit?
     • How to protect our container: protecting from the inside out
     • Security and CD: can the 2 worlds live together?
     • Live demo
  5. The way that traditional infosec works is reactive. Containers allow you to be proactive in your approach to infosec.
  6. 2. Examples. Here are a few comparable examples:
     • Traditional: Nessus, AV, HIDS
     • New school: AppArmor, Clair, Notary
  7. The risks.
     • DoS the host (CPU, memory or disk)
     • Fork bomb
     • Kernel modification
     • Privilege escalation
  8. Let’s look @ protecting the engine. Docker 1.12 Benchmark
  9. Some sane defaults.
     • Don’t run --pid host or --net host (without knowing the risks)
     • Don’t bind your daemon to tcp://
     • Don’t use aufs as your storage driver
     • Use TLS for all daemon traffic
  10. Just one! That’s all you need. (I am talking about processes inside your container!)
  11. If you know the process then apply AppArmor.
  12. AppArmor example.
  13. Infosec and continuous delivery. The myth ...
  14. Add security to the pipeline Enter
  15. Sign our images with Notary.
  16. The full continuous delivery pipeline.
  17. 3. Live Demo. We are going to test what we have learnt today and run a standard Nginx image. We will then use the Dirtyc0w vulnerability to write to a file owned by root, then privilege escalate to root for a standard user:
     • Without AppArmor: all exploits will work
     • With AppArmor: our container will be safe
  18. The code from the live demo is available @ /scotty-c
  19. Any questions?
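
The "sane defaults" from slide 9 can be checked automatically, for instance as a gate in the CD pipeline. The following is an added example, not code from the talk or the speaker's demo repository; the function names and the sample inputs are constructed for illustration, while the `daemon.json` keys (`hosts`, `tlsverify`, `storage-driver`) and the `docker run` flags are Docker's own.

```python
import json
import shlex

# Constructed sample inputs (not from the talk).
WEAK_DAEMON_JSON = ('{"hosts": ["unix:///var/run/docker.sock", '
                    '"tcp://0.0.0.0:2375"], "storage-driver": "aufs"}')
HARDENED_DAEMON_JSON = ('{"hosts": ["unix:///var/run/docker.sock"], '
                        '"storage-driver": "overlay2"}')
RISKY_RUN = "docker run -d --pid=host --net host nginx"
SAFE_RUN = "docker run -d --name web nginx"

# --net is the older alias of --network; both can share the host namespace.
HOST_NAMESPACE_FLAGS = ("--pid", "--net", "--network")


def audit_daemon(config_text):
    """Return findings for a daemon.json document, checked against slide 9."""
    cfg = json.loads(config_text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    for host in tcp_hosts:
        findings.append("daemon bound to " + host)
    # TLS only matters once a network socket is exposed.
    if tcp_hosts and not cfg.get("tlsverify", False):
        findings.append("tcp socket without tlsverify")
    if cfg.get("storage-driver") == "aufs":
        findings.append("storage driver is aufs")
    return findings


def audit_run(command):
    """Return findings for a docker run command that shares host namespaces."""
    args = shlex.split(command)
    findings = []
    for i, arg in enumerate(args):
        flag, sep, value = arg.partition("=")
        if flag not in HOST_NAMESPACE_FLAGS:
            continue
        if not sep:  # "--pid host" form: the value is the next argument
            value = args[i + 1] if i + 1 < len(args) else ""
        if value == "host":
            findings.append(flag + " host")
    return findings


if __name__ == "__main__":
    for text in (WEAK_DAEMON_JSON, HARDENED_DAEMON_JSON):
        print(audit_daemon(text))
    for cmd in (RISKY_RUN, SAFE_RUN):
        print(audit_run(cmd))
```

An empty list means the input passes all four checks; a non-empty list can fail the pipeline stage the same way a quality gate would.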