The document provides an overview of security considerations related to serverless architectures, microservices, and containers, emphasizing the importance of vulnerability management and penetration testing. It discusses the isolation benefits of containerization and the challenges posed by potential vulnerabilities and exploitation methods. The presentation outlines key security features necessary for container deployments and suggests steps for improving security practices in cloud environments.

1. t
Sydney Head Office – Level 8, 59 Goulburn Street, Sydney NSW 2000
Melbourne Office – Level 15, 401 Docklands Drive, Docklands VIC 3008
ABN 14 098 237 908
1300 922 923 NATIONAL
+61 (2) 9290 4444 SYDNEY
+61 (3) 8376 9410 MELBOURNE
info@senseofsecurity.com.au
Presented by
Microservices, Containers
& CaaS –
How Safe Are You?
Murray Goldschmidt, Chief Operating Officer
12 June 2019

2. t
Agenda
16/6/19© Sense of Security Pty Ltd 2019 2
1. Serverless, Microservices and Container Security
2. Key Implications for Penetration Testing Programs
3. Key Security features for Container Deployments
4. CI/CD Integration for Automated Security & Vuln Mgt
Agenda

3. t
Are Containers As Good as it Gets?
The key thing to recognize with cloud containers is that they are designed to virtualize a single application
3
*** Modified *** https://searchcloudsecurity.techtarget.com/feature/Cloud-containers-what-they-are-and-how-
they-work
© Sense of Security Pty Ltd 2019 16/6/19

4. t
As Good as it Gets?
e.g., you have a MySQL container and that's all it does, provide a virtual instance of that application.
4
*** Modified *** https://searchcloudsecurity.techtarget.com/feature/Cloud-containers-what-they-are-and-how-
they-work
© Sense of Security Pty Ltd 2019 16/6/19

5. t
As Good as it Gets?
Containers ***SHOULD*** create an isolation boundary at the application level rather than at the server level.
5
*** Modified *** https://searchcloudsecurity.techtarget.com/feature/Cloud-containers-what-they-are-and-how-
they-work
© Sense of Security Pty Ltd 2019 16/6/19

6. t
As Good as it Gets?
This isolation ***SHOULD*** mean that if anything goes wrong in that single container (e.g., excessive
consumption of resources by a process) it only affects that individual container and not the whole VM or whole
server.
6
*** Modified *** https://searchcloudsecurity.techtarget.com/feature/Cloud-containers-what-they-are-and-how-
they-work
© Sense of Security Pty Ltd 2019 16/6/19

7. t
7© Sense of Security Pty Ltd 2019 16/6/19

8. t
8
Container Security – Tech Neutral
© Sense of Security Pty Ltd 2019 16/6/19

9. t
Monolithic vs Microservices Architecture
© Sense of Security Pty Ltd 2019 16/6/19 9

10. t
Monolithic vs Microservices Architecture
© Sense of Security Pty Ltd 2019 16/6/19 10

11. t
Monolithic vs Microservices Architecture
© Sense of Security Pty Ltd 2019 16/6/19 11

12. t
Monolithic vs Micro Services (API Centric)
https://developer.ibm.com/courses/monolithic-architecture-versus-microservices-architecture-dwc024/
© Sense of Security Pty Ltd 2019 16/6/19 12

13. t
Monolithic vs Micro Services (API Centric)
https://developer.ibm.com/courses/monolithic-architecture-versus-microservices-architecture-dwc024/
© Sense of Security Pty Ltd 2019 16/6/19 13

14. t
Monolithic vs Micro Services (API Centric)
https://developer.ibm.com/courses/monolithic-architecture-versus-microservices-architecture-dwc024/
© Sense of Security Pty Ltd 2019 16/6/19 14

15. t
Example: Microsoft eShop Reference
Architecture
© Sense of Security Pty Ltd 2019 16/6/19 15

16. t
Example: Microsoft eShop Reference
Architecture
© Sense of Security Pty Ltd 2019
16/6/19 16

17. t
VM vs. Containers (where the abstraction occurs)
VM
c
o
n
t
.
C
o
n
t
.
C
o
n
t
.
C
o
n
t
.
C
o
n
t
N
c
o
n
t
.
C
o
n
t
.
C
o
n
t
.
C
o
n
t
.
C
o
n
t
N
Hardware
Hypervisor 1
V
M
V
M
V
M
V
M
V
M
Hardware
Host OS
V
M
V
M
V
M
V
M
V
M
Hypervisor 2
Hardware
Host OS
c
o
n
t
1
C
o
n
t
2
C
o
n
t
3
C
o
n
t
4
C
o
n
t
N
Container Engine
Dep 1 Dep 2
Guest OS
Dependencies
Application
Container
App. Deps.
Application ABC
Virtualisation Containerisation
Type1 – Bare Metal Type 2
© Sense of Security Pty Ltd 2019 16/6/19 17

18. t
© Sense of Security Pty Ltd 2019 16/6/19 18

19. t
© Sense of Security Pty Ltd 2019 16/6/19 19

20. t
© Sense of Security Pty Ltd 2019 16/6/19 20

21. t
© Sense of Security Pty Ltd 2019
16/6/19
21

22. t
© Sense of Security Pty Ltd 2019
16/6/19
22

23. t
Developers
© Sense of Security Pty Ltd 2019 16/6/19 23

24. t
Hackers
© Sense of Security Pty Ltd 2019 16/6/19 24

25. t
HookingLowestWins
© Sense of Security Pty Ltd 2019 16/6/19 25

26. t
North-South&East-WestAttacks
andPivots
https://neuvector.com/network-security/securing-east-west-traffic-in-container-based-data-center/
16/6/19© Sense of Security Pty Ltd 2019 26

27. t
Break-In
© Sense of Security Pty Ltd 2019 16/6/19 27

28. t
Entry Point is usually a “Pin Hole” issue
Break-In
For example a known application issue
© Sense of Security Pty Ltd 2019 16/6/19 28

29. t
14-Sep-18of Security Pty Ltd 2019 16/6/19 29

30. t
Containers – The “Contained” Challenge
IFyou can Break-
In
You then Need to
Break-Outhttp://www.marvinfrancismaninacage.com/
© Sense of Security Pty Ltd 2019 16/6/19 30

31. t
Break-Out
<goWest goEast>
© Sense of Security Pty Ltd 2019 16/6/19 31

32. t
Either Find a Container Vuln & Exploit
© Sense of Security Pty Ltd 2019
16/6/19
32

33. t
• https://brauner.github.io/2019/02/12/privileged-containers.html
Recent Container Vulnerabilities
© Sense of Security Pty Ltd 2019 16/6/19 33

34. t
• https://brauner.github.io/2019/02/12/privileged-containers.html
Recent Container Vulnerabilities
© Sense of Security Pty Ltd 2019 16/6/19 34

35. t
Recent Container Vulnerabilities
© Sense of Security Pty Ltd 2019 16/6/19 35

36. t
Or - Living off the Land
Attacker now has to “live off the land”
Relying on misconfiguration, ability to use native tools, or download new and execute
© Sense of Security Pty Ltd 2019 16/6/19 36

37. t
14-Sep-18Sense of Security Page 31

38. t
14-Sep-18Sense of Security Page 32

39. t
e of Security Pty Ltd 2019 16/6/19 39

40. t
© Sense of Security Pty Ltd 2019 16/6/19 40

41. t
Content Slide Layout
16/6/19Sense of Security Page 41

42. t
Content Slide Layout
16/6/19Sense of Security Page 42

43. t
How to Upgrade your Vuln Mgt Program
What to expect
from a Pen Test
Implications for
CaaS
Supply Chain
Risk
DevSecOps
© Sense of Security Pty Ltd 2019 16/6/19 43

44. t
14-Sep-18 Page 42
Pen Test – Spray & Hope vs Knowledge &
Finesse
© Sense of Security Pty Ltd 2019

45. t
Monolithic vs Microservices Architecture
© Sense of Security Pty Ltd 2019 16/6/19 45

46. t
© Sense of Security Pty Ltd 2019 16/6/19 46

47. t
© Sense of Security Pty Ltd 2019 16/6/19 47

48. t
© Sense of Security Pty Ltd 2019 4816/6/19

49. t
16/6/19 49
https://neuvector.com/run-time-
container-security/
© Sense of Security Pty Ltd 2019

50. t
© Sense of Security Pty Ltd 2019 16/6/19 50

51. t
© Sense of Security Pty Ltd 2019 16/6/19 51

52. t
© Sense of Security Pty Ltd 2019 16/6/19 52

53. t
Load Balancing
Perimeter Public
Functions
© Sense of Security Pty Ltd 2019
16/6/19
53

54. t
16/6/19 54© Sense of Security Pty Ltd 2019

55. t
16/6/19 55
Hack Transformation
© Sense of Security Pty Ltd 2019

56. t
https://neuvector.com/networ
k-security/next-generation-
firewall-vs-container-firewall/
© Sense of Security Pty Ltd 2019 16/6/19 56

57. t
Security Testing Needs to Go Down The Stack
Process UI (Container, presentation layer)
AppServer (IIS, Apache, Nginx)
Language (Java, PHP, .NET)
Framework (Struts, Spring, .NET)
Networking (SDN, SecGroups)
Clustering/Orchestration (CaaS, Swarm, Kubernetes)
Operating System (Linux, Windows)
Process BackEnd (Container, database)
Process App (Container, application processing)
Core Infrastructure
Cloud Platform
User Interface (WebApps, forms, logons, API’s)
© Sense of Security Pty Ltd 2019

58. t
Finesse
© Sense of Security Pty Ltd 2019 16/6/19 58

59. t

60. t
There are Pen Tests & There are Pen Tests!
© Sense of Security Pty Ltd 2019 16/6/19 60

61. t
Blue Team: Key Steps to App Container
Security
1 End-to-End Vulnerability
Management
2 Container Attack Surface Reduction
3 User Access Control
4 Hardening the Host OS & the
Container
5 SDLC Automation (DevOps)
© Sense of Security Pty Ltd 2019 16/6/19 61

62. t
Solutioning
1 End-to-End Vulnerability
Management
62© Sense of Security Pty Ltd 2019 16/6/19

63. t
Automated Vuln Mgt
Build
• API’s & Plug-ins
• Third Party
Components
• Vuln Mgt
Automation
Registry
• Automated
Scan of
Pub/Priv
Registry
Host
• Compliance
Scanning
• OS
• CaaS
Runtime
• Audit logging
• Event logging
SHIFT LEFT
Image adapted from Qualys materials
© Sense of Security Pty Ltd 2019 16/6/19 63

64. t Container Security Lifecycle Management &
Compliance Summary
Develop / Build Test / Modify Release /
Production
Use Trusted Images
Sign & Verify Images
Reduce Attack Surface
Privileged Access & Auth Mgt
Ongoing SecOps
Advanced Security Controls
Vulnerability Management
Third Party Components Mgt (SCA)
Network Segmentation
User Authentication
Vulnerability Scanning
Harden the OS
Adapted from: Ten Basic Steps To Secure Software Containers, Instructions For Safely Developing And Deploying Software In Containers,
by Amy DeMartine and Dave Bartoletti April 14, 2017
© Sense of Security Pty Ltd 2019 16/6/19 64

65. t
65© Sense of Security Pty Ltd 2019 16/6/19

66. t
Solutioning
2 Container Attack Surface
Reduction
66© Sense of Security Pty Ltd 2019 16/6/19

67. t
Solutioning
3 User Access Control
67© Sense of Security Pty Ltd 2019 16/6/19

68. t
Solutioning
4 Hardening the Host OS & the
Container
See NIST SP 800-190 and various others incl https://www.cisecurity.org/benchmark/docker/
68© Sense of Security Pty Ltd 2019 16/6/19

69. t
Solutioning
5 SDLC Automation (DevOps)
69© Sense of Security Pty Ltd 2019 16/6/19

70. t
Agenda
16/6/19© Sense of Security Pty Ltd 2019 70
1. Serverless, Microservices and Container Security
2. Key Implications for Penetration Testing Programs
3. Key Security features for Container Deployments
4. CI/CD Integration for Automated Security & Vuln Mgt
Agenda Recap

71. t
Apply What You Have Learned Today –
Exec/Procurement
• Next week you should:
- Reset your review criteria for Penetration Testing
- Explicitly incorporate testing of Cloud Technologies into your Vuln Mgt Program
• In the first three months following this presentation you should:
- Review suppliers’ capability to test Cloud Technologies
- Develop the Blue Team side of the equation
- Have A functional Shift Left feature in your Vuln Mgt Program for Cloud
• Within six months you should
- Have performed an effective Penetration Test on your Cloud investment
- Fine tune your blue team response to cloud technology attacks
71© Sense of Security Pty Ltd 2019 16/6/19

72. t
Apply What You Have Learned Today – Pen
Testers
• Next week you should:
- Shortlist all the relevant cloud technologies in use by your clients
- Re-calibrate your approach to test PaaS and Container
• In the first three months following this presentation you should:
- Demonstrate the ability to breakout of containers
- Demonstrate the ability to live off the land
• Within six months you should
- Perfect methods for persistence in highly dynamic environments
- Determine how to integrate Pen Test with client Blue Team (Purple Team)
72© Sense of Security Pty Ltd 2019 16/6/19

73. t
Do you have
any questions?
16/6/19 73© Sense of Security Pty Ltd 2019
Murray Goldschmidt
COO
murrayg@senseofsecurity.com.au

74. t
Sydney Head Office – Level 8, 59 Goulburn Street, Sydney NSW 2000
Melbourne Office – Level 15, 401 Docklands Drive, Docklands VIC 3008
ABN 14 098 237 908
Contact us to discuss how our
security solutions can help protect
your most vital assets.
1300 922 923 NATIONAL
+61 (2) 9290 4444 SYDNEY
+61 (3) 8376 9410 MELBOURNE
info@senseofsecurity.com.au
senseofsecurity.com.au