SlideShare a Scribd company logo

Finding Your Way in Container Security

K
Ksenia Peguero

In the last few years, the popularity of DevSecOps and rich cloud services have been driving the adoption of containers in the software industry. Container architectures become increasingly complex, and organizations cannot escape using them. At the same time, attackers are finding new ways of exploiting containers and container architectures. Are you still new to containerization and infrastructure as code? Do you feel that your knowledge of application security suddenly doesn’t apply to the way applications are built and deployed using containers? Do you get lost in the IaC and container terminology soup? If so, this talk will help clear things up and answer your questions. We start with an introduction into container technologies, briefly go through the key terminology, explain the value that containers bring today, and why they are so popular. Then we will talk about the challenges that DevSecOps engineers have when using contains and the security aspects that they face. This presentation includes descriptions of common container threats and real-world examples of recent attacks. These threats will guide our discussion of the typical vulnerabilities and attack vectors. We will touch on well-known standards and resources for container security, such as OWASP Docker Top 10 project, Container Security Verification Standard, NIST Application Container Security Guide, and CIS Benchmarks. And we conclude with guidelines on how to secure containers and listing best practices that most organizations follow today.

Technology
1 of 28
Download to read offline
Ksenia Peguero October 20, 2022 Finding Your Way in Container Security
© 2022 Synopsys, Inc. 2 Synopsys Confidential Information whoami • Current: Sr. Manager of Research Engineering at Synopsys Software Integrity Group • Prior: Principal Consultant at Cigital/Synopsys • PhD in Computer Science • Mother • Ballroom dancing & diving • @KseniaDmitrieva
© 2022 Synopsys, Inc. 3 Synopsys Confidential Information Agenda • Introduction to container technologies • Challenges for DevSecOps engineers • Common container threats and real-world attacks • How to secure components of container infrastructure • Standards and resources for container security • Best practices to secure containers
© 2022 Synopsys, Inc. 4 Synopsys Confidential Information What is a container? • Containerization is not new. The first ones appeared in 1999 as FreeBSD Jails • Modern containers took off in 2013 (Docker) Containers is an executable unit of software in which application code is packaged, along with its libraries and dependencies, in common ways so that it can be run anywhere, whether it be on desktop, traditional IT, or the cloud. (IBM) • Containers use operating system virtualization – Uses namespaces and cgroups to isolate processes, CPU, memory, disk
© 2022 Synopsys, Inc. 5 Synopsys Confidential Information Containers vs Virtual Machines Hypervisor Hardware • Isolation of machines • Hardware virtualization Host OS Kernel Hardware • Process isolation • Operating system virtualization > Application virtualization C 1 C 2 C 3 C 4 Containers Virtual Machines VM1 OS VM2 OS VM3 OS VM4 OS
© 2022 Synopsys, Inc. 7 Synopsys Confidential Information Components of container infrastructure Container image image creation Image registry image storage and retrieval Orchestrator automating deployment, management, scaling, security management Container runtime >_ loading container images, spinning up containers, managing network, local resources Host OS running the container runtime
© 2022 Synopsys, Inc. 8 © 2022 Synopsys, Inc. 8 Synopsys Confidential Information Main benefits: • Lightweight • Portable and platform independent • Support modern development and architecture • Improve utilization of CPU and memory According to IBM report (2020), “containers are delivering real- world business benefits”: • Improved application quality • Faster time to market • Improved employee productivity • Higher customer satisfaction • Reduced application downtime https://www.ibm.com/downloads/cas/VG8KRPRM Benefits of using containers This Photo by Unknown Author is licensed under CC BY
© 2022 Synopsys, Inc. 9 Synopsys Confidential Information https://www.ibm.com/downloads/cas/VG8KRPRM Challenges of using containers (in 2020) Talent and knowledge Insufficient internal expertise Complexity of learning containerization strategies and technologies Challenges in redesigning existing on-premises enterprise application for containers Costs Uncertainty regarding the time and costs involved in container projects No clear way to assess ROI or track benefits concretely Difficulty predicting container performance, undermining confidence in meeting SLAs Management Difficulty cataloging, curating and managing containers as they proliferate across our environment Difficulty managing, sharing and securing data across containers Tooling Immaturity of internal, homegrown tools for container development and management Lack of enterprise-grade security capabilities
© 2022 Synopsys, Inc. 10 Synopsys Confidential Information Examples of Container Vulnerabilities • CVE-2014-9357 • CVE-2019-5021 • CVE-2019-15752 • CVE-2019-11246
© 2022 Synopsys, Inc. 11 Synopsys Confidential Information • Docker 1.3.2 – Used chroot sandboxing to extract archives – Victim calls docker pull to automatically unpack a malicious image or build • Attacker includes malicious xz binaries in the image or build • Victim creates a container using the malicious image or build • Privilege escalation => Attacker runs as root on the host OS • CVE severity – Critical • Vulnerability was fixed in Docker 1.3.3 CVE-2014-9357 Arbitrary code execution with root privileges
© 2022 Synopsys, Inc. 12 Synopsys Confidential Information Blank root password • Affects containers built with the Alpine Linux Docker image versions 3, 4, 5. • System credentials are typically stored in etc/shadow • Authentication mechanisms can be customized with different packages – Alpine Linux + shadow/PAM packages • Empty password for root user • Attacker hacks into container => easily switches to root • CVE Severity - Critical CVE-2019-5021 Root users on Alpine Linux containers have blank passwords.
© 2022 Synopsys, Inc. 13 Synopsys Confidential Information Trojan horse • Not the virus trojan horse • Docker Desktop Community Edition versions prior to 2.1.0.1 • Docker startup or authenticate invokes docker-credential-wincred.exe • Access controls of containing folder %PROGRAMDATA%DockerDesktopversi on-bin • Exploit: Replace the executable, keep the name • When Docker starts, the executable runs with user’s privilege (what if it was admin?) • CVE Severity - High CVE-2019-15752 Docker folder uses the default windows access control.
© 2022 Synopsys, Inc. 14 Synopsys Confidential Information • Affects Kubernetes versions older than 1.12.9, 1.13.6, and 1.14.2 • Command kubectl cp – copy files between host and containers – Packs into archive using tar – Transfers over network – Unpacks on the host • Compromised tar binary on the container => access to the host file system: – Adding malicious files – Overwriting existing files • CVE Severity - High CVE-2019-11246 Kubernetes File Manipulation
© 2022 Synopsys, Inc. 15 Synopsys Confidential Information Securing Containers: Risks and Mitigations • Container image • Image registry • Container runtime • Host OS • Orchestrator Container image Image registry Orchestrator Container runtime >_ Host OS
© 2022 Synopsys, Inc. 16 Synopsys Confidential Information Securing container images Mitigations • Use a minimalistic base OS, like Alpine Linux and Windows Nano Server • Keep the software in container images up-to-date • Periodically scan the containers for: – Known vulnerabilities / CVEs in the container layers – Misconfigurations of containers (Containerfiles/Dockerfiles) with a scanner (port misconfigurations, protocols, certificates, running as privileged users, etc.) – Malware – Hard-coded secrets • An organization should have a set of vetted images that are used across all teams • Maintain application security requirements for the code deployed on the container: – Maintain the frameworks/libraries/components up-to-date – Scan the internally-developed applications • Base OS functionality and components • Components missing critical security updates (component become outdated over time) • Configuration defects • Embedded malware • Leaking clear text secrets Risks
© 2022 Synopsys, Inc. 17 Synopsys Confidential Information Securing image registries Mitigations • Use private registry • Use secure connections to the registry • Harden the registry host • Use authentication and access control – E.g. developers can only write to the specific repository • Regularly monitor • Prune stale images • Only publish trusted images (that passed security requirements) • Ensure that only containers from your private registry can be used within the organization • Insecure connection • Leaking IP from the registry • Stale images Risks
© 2022 Synopsys, Inc. 18 Synopsys Confidential Information Securing container runtime Mitigations • Monitor container runtime for vulnerabilities (CVEs) and update it often • Control egress network traffic sent by containers – Traffic in the virtual network is encrypted. Therefore, traditional network controls (firewalls) may not work. – Dynamic IP assigned automatically. Therefore, IP- based controls won’t work. – Use app-aware tools • Use mandatory access control (MAC) technologies (file system, processes, network sockets, etc.) • CIS Benchmark for Docker • Use OS kernel level controls • Network risks between containers in the same runtime • Runtime misconfigurations: • Containers running in privileged mode • Containers mounting volumes in sensitive directories on the host OS Risks
© 2022 Synopsys, Inc. 19 Synopsys Confidential Information Securing host OS Mitigations • Use slim OS with additional kernel protection (e.g. SELinux) • Keep the OS up-to-date, monitor for vulnerabilities • Limit logins to the host OS, audit authentication • Monitoring for any unexpected behavior on the host (network, file system, processes, etc.) • Running “busted” containers • Malicious containers • Rogue containers • Containers with vulnerable layers • Containers with application security defects • Large attack surface • Shared kernel • Host OS components • Shared file system (mounting volumes) • Additional users of the OS Risks
© 2022 Synopsys, Inc. 20 Synopsys Confidential Information Host OS Can we forget about application security? Scenario: vulnerable application in a container Secure/vetted Container Container Marketing web app Public Internet DB Engine SQL injection Payload: SQLi to RCE Container Container Container Mitigations: • Limit egress: to an internal subnet or (better) application protocols • No internet access • Only needed internal network access • Restrict DB user: deny running OS commands Service managing bounties for Bug Bounty program RCE: network scan
© 2022 Synopsys, Inc. 21 Synopsys Confidential Information Securing orchestration platforms Risks • Unnecessary administrative access • Unauthorized access (to containers and data storage volumes) • Compliance risk – encrypting data at rest • Network risks – traffic from different applications sharing the same virtual network • Orchestrator node trust Mitigations • Limit the number of privileged users • Access control linked to the company user directory • Encrypting data storage volumes • Segmentation, segmentation, segmentation: – Virtual networks by sensitivity level (if by app is not possible) – Host “pinning” by sensitivity levels (individually managed clusters) Aerial view of the Forbidden City, Beijing (© Google Earth 2021) Defense in depth
© 2022 Synopsys, Inc. 22 Synopsys Confidential Information Container Security Resources
© 2022 Synopsys, Inc. 23 Synopsys Confidential Information OWASP Docker Top 10 Draft in progress. Not a list of top 10 vulnerabilities or risks, but a list of top 10 controls. Document: https://github.com/OWASP/Docker- Security/blob/main/dist/owasp-docker- security.pdf • Use it as guidance during the design phase, for auditing an existing environment, or procuring a new one • Focuses on Docker, but could be applied to containers in general • Orchestrator security risks are out of scope for this list, but container networking is in scope D01 - Secure User Mapping D02 - Patch Management Strategy D03 - Network Segmentation and Firewalling D04 - Secure Defaults and Hardening D05 - Maintain Security Contexts D06 - Protect Secrets D07 - Resource Protection D08 - Container Image Integrity and Origin D09 - Follow Immutable Paradigm D10 - Logging https://owasp.org/www-project-docker-top-10/
© 2022 Synopsys, Inc. 24 Synopsys Confidential Information OWASP Container Security Verification Standard (CSVS) • The structure is based on the OWASP Application Security Verification Standard (ASVS) • Has overlap with Docker Top 10, but covers broader categories: – V1: Organizational (processes & people) – V2: Infrastructure – V3: Containers (Docker Top 10) – V4: Orchestration Management – V5: Image Distribution – V6: Secrets and Keys – V7: Network – V8: Storage – V9: Logging & Monitoring – V10: Integration – V11: Disaster Recovery – V12: Testing • This is a shorter standard, compared to CIS Benchmarks and NIST Application Container Security Guide https://owasp.org/www-project-container-security-verification-standard/migrated_content • Provides 3 security verification levels 1. For all containers 2. Containers with sensitive data or business logic 3. Critical containers (high value transactions, PII, medical data)
© 2022 Synopsys, Inc. 25 Synopsys Confidential Information NIST Special Publication 800-190 Application Container Security Guide https://doi.org/10.6028/NIST.SP.800-190 • Overview of Container Technology • Explains basic concepts of container and orchestrations • Discusses risks to the core components of container technologies • Contains a section on countermeasures for the listed risks • Provides threat scenario examples and considerations for the container technology life cycle NIST Application Container Security Guide Container Technology Architecture and Lifecycle Phases NIST SP 800-190
© 2022 Synopsys, Inc. 26 Synopsys Confidential Information Center for Internet Security (CIS) developed "more than 100 configuration guidelines across 25+ vendor product families to safeguard systems against today’s evolving cyber threats." • CIS Benchmarks include hardening guidelines for manual and automated steps CIS Docker Benchmark provides detailed guidelines in the following categories: • Host • Docker daemon and its config files • Container images and build files • Container runtime • Docker security operations • Docker Swarm CIS Docker Benchmark https://www.cisecurity.org/benchmark/docker
© 2022 Synopsys, Inc. 27 Synopsys Confidential Information 1. Harden all the systems 2. Use segmentation at all levels (clusters, hosts, networks) 3. Monitor all the components: scan, scan, scan 4. Introduce gates before publishing your images 5. Use vetted base images 6. Generate a Software Bill of Materials (SBOM) for every container image 7. Use an Application Security Orchestration and Correlation tool (ASOC) – Collects data from various AppSec sources – Consolidates and correlates the findings, prioritizing remediation efforts Best Practices of Securing Containers Defense in Depth
© 2022 Synopsys, Inc. 28 Synopsys Confidential Information Ksenia Peguero ksenia@synopsys.com Twitter: @KseniaDmitrieva https://www.synopsys.com/software
Thank You

Recommended

Docker Tours Meetup #1 - Introduction à Docker
Docker Tours Meetup #1 - Introduction à DockerDocker Tours Meetup #1 - Introduction à Docker
Docker Tours Meetup #1 - Introduction à DockerThibaut Marmin
 
Introduction to Docker Compose
Introduction to Docker ComposeIntroduction to Docker Compose
Introduction to Docker ComposeAjeet Singh Raina
 
K8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals TrainingK8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals TrainingPiotr Perzyna
 
Kubernetes: A Short Introduction (2019)
Kubernetes: A Short Introduction (2019)Kubernetes: A Short Introduction (2019)
Kubernetes: A Short Introduction (2019)Megan O'Keefe
 
Kubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory GuideKubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory GuideBytemark
 
Helm intro
Helm introHelm intro
Helm introHaggai Philip Zagury
 
Fundamentals of DevOps and CI/CD
Fundamentals of DevOps and CI/CDFundamentals of DevOps and CI/CD
Fundamentals of DevOps and CI/CDBatyr Nuryyev
 
Docker Architecture (v1.3)
Docker Architecture (v1.3)Docker Architecture (v1.3)
Docker Architecture (v1.3)rajdeep
 

Recommended

Docker Tours Meetup #1 - Introduction à Docker
Docker Tours Meetup #1 - Introduction à DockerDocker Tours Meetup #1 - Introduction à Docker
Docker Tours Meetup #1 - Introduction à DockerThibaut Marmin
 
Introduction to Docker Compose
Introduction to Docker ComposeIntroduction to Docker Compose
Introduction to Docker ComposeAjeet Singh Raina
 
K8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals TrainingK8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals TrainingPiotr Perzyna
 
Kubernetes: A Short Introduction (2019)
Kubernetes: A Short Introduction (2019)Kubernetes: A Short Introduction (2019)
Kubernetes: A Short Introduction (2019)Megan O'Keefe
 
Kubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory GuideKubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory GuideBytemark
 
Helm intro
Helm introHelm intro
Helm introHaggai Philip Zagury
 
Fundamentals of DevOps and CI/CD
Fundamentals of DevOps and CI/CDFundamentals of DevOps and CI/CD
Fundamentals of DevOps and CI/CDBatyr Nuryyev
 
Docker Architecture (v1.3)
Docker Architecture (v1.3)Docker Architecture (v1.3)
Docker Architecture (v1.3)rajdeep
 
Kubernetes
KubernetesKubernetes
Kuberneteserialc_w
 
Docker introduction
Docker introductionDocker introduction
Docker introductionPhuc Nguyen
 
Introduction to helm
Introduction to helmIntroduction to helm
Introduction to helmJeeva Chelladhurai
 
kubernetes, pourquoi et comment
kubernetes, pourquoi et commentkubernetes, pourquoi et comment
kubernetes, pourquoi et commentJean-Baptiste Claramonte
 
Docker introduction & benefits
Docker introduction & benefitsDocker introduction & benefits
Docker introduction & benefitsAmit Manwade
 
docker installation and basics
docker installation and basicsdocker installation and basics
docker installation and basicsWalid Ashraf
 
Containers: The What, Why, and How
Containers: The What, Why, and HowContainers: The What, Why, and How
Containers: The What, Why, and HowSneha Inguva
 
CD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdfCD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdfKnoldus Inc.
 
Room 3 - 1 - Nguyễn Xuân Trường Lâm - Zero touch on-premise storage infrastru...
Room 3 - 1 - Nguyễn Xuân Trường Lâm - Zero touch on-premise storage infrastru...Room 3 - 1 - Nguyễn Xuân Trường Lâm - Zero touch on-premise storage infrastru...
Room 3 - 1 - Nguyễn Xuân Trường Lâm - Zero touch on-premise storage infrastru...Vietnam Open Infrastructure User Group
 
ansible why ?
ansible why ?ansible why ?
ansible why ?Yashar Esmaildokht
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionEric Gustafson
 
Docker and kubernetes_introduction
Docker and kubernetes_introductionDocker and kubernetes_introduction
Docker and kubernetes_introductionJason Hu
 
What you need to know about ceph
What you need to know about cephWhat you need to know about ceph
What you need to know about cephEmma Haruka Iwao
 
Containers 101
Containers 101Containers 101
Containers 101Black Duck by Synopsys
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopBob Killen
 
Docker and Go: why did we decide to write Docker in Go?
Docker and Go: why did we decide to write Docker in Go?Docker and Go: why did we decide to write Docker in Go?
Docker and Go: why did we decide to write Docker in Go?Jérôme Petazzoni
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes BasicsEueung Mulyana
 
Introduction To Containers - Builders Day Israel
Introduction To Containers - Builders Day IsraelIntroduction To Containers - Builders Day Israel
Introduction To Containers - Builders Day IsraelAmazon Web Services
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionPeng Xiao
 
Kubernetes introduction
Kubernetes introductionKubernetes introduction
Kubernetes introductionDongwon Kim
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container SecurityKsenia Peguero
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningStephane Woillez
 

More Related Content

What's hot

Kubernetes
KubernetesKubernetes
Kuberneteserialc_w
 
Docker introduction
Docker introductionDocker introduction
Docker introductionPhuc Nguyen
 
Docker introduction & benefits
Docker introduction & benefitsDocker introduction & benefits
Docker introduction & benefitsAmit Manwade
 
docker installation and basics
docker installation and basicsdocker installation and basics
docker installation and basicsWalid Ashraf
 
Containers: The What, Why, and How
Containers: The What, Why, and HowContainers: The What, Why, and How
Containers: The What, Why, and HowSneha Inguva
 
CD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdfCD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdfKnoldus Inc.
 
Room 3 - 1 - Nguyễn Xuân Trường Lâm - Zero touch on-premise storage infrastru...
Room 3 - 1 - Nguyễn Xuân Trường Lâm - Zero touch on-premise storage infrastru...Room 3 - 1 - Nguyễn Xuân Trường Lâm - Zero touch on-premise storage infrastru...
Room 3 - 1 - Nguyễn Xuân Trường Lâm - Zero touch on-premise storage infrastru...Vietnam Open Infrastructure User Group
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionEric Gustafson
 
Docker and kubernetes_introduction
Docker and kubernetes_introductionDocker and kubernetes_introduction
Docker and kubernetes_introductionJason Hu
 
What you need to know about ceph
What you need to know about cephWhat you need to know about ceph
What you need to know about cephEmma Haruka Iwao
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopBob Killen
 
Docker and Go: why did we decide to write Docker in Go?
Docker and Go: why did we decide to write Docker in Go?Docker and Go: why did we decide to write Docker in Go?
Docker and Go: why did we decide to write Docker in Go?Jérôme Petazzoni
 
Introduction To Containers - Builders Day Israel
Introduction To Containers - Builders Day IsraelIntroduction To Containers - Builders Day Israel
Introduction To Containers - Builders Day IsraelAmazon Web Services
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionPeng Xiao
 
Kubernetes introduction
Kubernetes introductionKubernetes introduction
Kubernetes introductionDongwon Kim
 

What's hot (20)

Kubernetes
KubernetesKubernetes
Kubernetes
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Introduction to helm
Introduction to helmIntroduction to helm
Introduction to helm
 
kubernetes, pourquoi et comment
kubernetes, pourquoi et commentkubernetes, pourquoi et comment
kubernetes, pourquoi et comment
 
Docker introduction & benefits
Docker introduction & benefitsDocker introduction & benefits
Docker introduction & benefits
 
docker installation and basics
docker installation and basicsdocker installation and basics
docker installation and basics
 
Containers: The What, Why, and How
Containers: The What, Why, and HowContainers: The What, Why, and How
Containers: The What, Why, and How
 
CD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdfCD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdf
 
Room 3 - 1 - Nguyễn Xuân Trường Lâm - Zero touch on-premise storage infrastru...
Room 3 - 1 - Nguyễn Xuân Trường Lâm - Zero touch on-premise storage infrastru...Room 3 - 1 - Nguyễn Xuân Trường Lâm - Zero touch on-premise storage infrastru...
Room 3 - 1 - Nguyễn Xuân Trường Lâm - Zero touch on-premise storage infrastru...
 
ansible why ?
ansible why ?ansible why ?
ansible why ?
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
Docker and kubernetes_introduction
Docker and kubernetes_introductionDocker and kubernetes_introduction
Docker and kubernetes_introduction
 
What you need to know about ceph
What you need to know about cephWhat you need to know about ceph
What you need to know about ceph
 
Containers 101
Containers 101Containers 101
Containers 101
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
 
Docker and Go: why did we decide to write Docker in Go?
Docker and Go: why did we decide to write Docker in Go?Docker and Go: why did we decide to write Docker in Go?
Docker and Go: why did we decide to write Docker in Go?
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
 
Introduction To Containers - Builders Day Israel
Introduction To Containers - Builders Day IsraelIntroduction To Containers - Builders Day Israel
Introduction To Containers - Builders Day Israel
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
Kubernetes introduction
Kubernetes introductionKubernetes introduction
Kubernetes introduction
 

Similar to Finding Your Way in Container Security

Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container SecurityKsenia Peguero
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningStephane Woillez
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...The Incredible Automation Day
 
Understanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities pointsUnderstanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities pointsAbdul Khan
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisOW2
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers SecurityStephane Woillez
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
 
Dockers and kubernetes
Dockers and kubernetesDockers and kubernetes
Dockers and kubernetesDr Ganesh Iyer
 
Securing the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersSecuring the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersMassimiliano Mattetti
 
Outpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev opsOutpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev opsOutpost24
 
Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDr Ganesh Iyer
 
Container Security Essentials
Container Security EssentialsContainer Security Essentials
Container Security EssentialsDNIF
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...NETWAYS
 
Docker & aPaaS: Enterprise Innovation and Trends for 2015
Docker & aPaaS: Enterprise Innovation and Trends for 2015Docker & aPaaS: Enterprise Innovation and Trends for 2015
Docker & aPaaS: Enterprise Innovation and Trends for 2015WaveMaker, Inc.
 
How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?Manideep Konakandla
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Qualcomm Developer Network
 
(DVO311) Containers, Red Hat & AWS For Extreme IT Agility
(DVO311) Containers, Red Hat & AWS For Extreme IT Agility(DVO311) Containers, Red Hat & AWS For Extreme IT Agility
(DVO311) Containers, Red Hat & AWS For Extreme IT AgilityAmazon Web Services
 

Similar to Finding Your Way in Container Security (20)

Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment Planning
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...
 
Understanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities pointsUnderstanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities points
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
Dockers and kubernetes
Dockers and kubernetesDockers and kubernetes
Dockers and kubernetes
 
Securing the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersSecuring the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux Containers
 
Outpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev opsOutpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev ops
 
Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data Scientists
 
Container Security Essentials
Container Security EssentialsContainer Security Essentials
Container Security Essentials
 
Linuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharborLinuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharbor
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
 
Docker & aPaaS: Enterprise Innovation and Trends for 2015
Docker & aPaaS: Enterprise Innovation and Trends for 2015Docker & aPaaS: Enterprise Innovation and Trends for 2015
Docker & aPaaS: Enterprise Innovation and Trends for 2015
 
How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?
 
Container Security
Container SecurityContainer Security
Container Security
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 
(DVO311) Containers, Red Hat & AWS For Extreme IT Agility
(DVO311) Containers, Red Hat & AWS For Extreme IT Agility(DVO311) Containers, Red Hat & AWS For Extreme IT Agility
(DVO311) Containers, Red Hat & AWS For Extreme IT Agility
 
Docker
DockerDocker
Docker
 

Recently uploaded

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Recently uploaded (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

Finding Your Way in Container Security

  • 1. Ksenia Peguero October 20, 2022 Finding Your Way in Container Security
  • 2. © 2022 Synopsys, Inc. 2 Synopsys Confidential Information whoami • Current: Sr. Manager of Research Engineering at Synopsys Software Integrity Group • Prior: Principal Consultant at Cigital/Synopsys • PhD in Computer Science • Mother • Ballroom dancing & diving • @KseniaDmitrieva
  • 3. © 2022 Synopsys, Inc. 3 Synopsys Confidential Information Agenda • Introduction to container technologies • Challenges for DevSecOps engineers • Common container threats and real-world attacks • How to secure components of container infrastructure • Standards and resources for container security • Best practices to secure containers
  • 4. © 2022 Synopsys, Inc. 4 Synopsys Confidential Information What is a container? • Containerization is not new. The first ones appeared in 1999 as FreeBSD Jails • Modern containers took off in 2013 (Docker) Containers is an executable unit of software in which application code is packaged, along with its libraries and dependencies, in common ways so that it can be run anywhere, whether it be on desktop, traditional IT, or the cloud. (IBM) • Containers use operating system virtualization – Uses namespaces and cgroups to isolate processes, CPU, memory, disk
  • 5. © 2022 Synopsys, Inc. 5 Synopsys Confidential Information Containers vs Virtual Machines Hypervisor Hardware • Isolation of machines • Hardware virtualization Host OS Kernel Hardware • Process isolation • Operating system virtualization > Application virtualization C 1 C 2 C 3 C 4 Containers Virtual Machines VM1 OS VM2 OS VM3 OS VM4 OS
  • 6. © 2022 Synopsys, Inc. 7 Synopsys Confidential Information Components of container infrastructure Container image image creation Image registry image storage and retrieval Orchestrator automating deployment, management, scaling, security management Container runtime >_ loading container images, spinning up containers, managing network, local resources Host OS running the container runtime
  • 7. © 2022 Synopsys, Inc. 8 © 2022 Synopsys, Inc. 8 Synopsys Confidential Information Main benefits: • Lightweight • Portable and platform independent • Support modern development and architecture • Improve utilization of CPU and memory According to IBM report (2020), “containers are delivering real- world business benefits”: • Improved application quality • Faster time to market • Improved employee productivity • Higher customer satisfaction • Reduced application downtime https://www.ibm.com/downloads/cas/VG8KRPRM Benefits of using containers This Photo by Unknown Author is licensed under CC BY
  • 8. © 2022 Synopsys, Inc. 9 Synopsys Confidential Information https://www.ibm.com/downloads/cas/VG8KRPRM Challenges of using containers (in 2020) Talent and knowledge Insufficient internal expertise Complexity of learning containerization strategies and technologies Challenges in redesigning existing on-premises enterprise application for containers Costs Uncertainty regarding the time and costs involved in container projects No clear way to assess ROI or track benefits concretely Difficulty predicting container performance, undermining confidence in meeting SLAs Management Difficulty cataloging, curating and managing containers as they proliferate across our environment Difficulty managing, sharing and securing data across containers Tooling Immaturity of internal, homegrown tools for container development and management Lack of enterprise-grade security capabilities
  • 9. © 2022 Synopsys, Inc. 10 Synopsys Confidential Information Examples of Container Vulnerabilities • CVE-2014-9357 • CVE-2019-5021 • CVE-2019-15752 • CVE-2019-11246
  • 10. © 2022 Synopsys, Inc. 11 Synopsys Confidential Information • Docker 1.3.2 – Used chroot sandboxing to extract archives – Victim calls docker pull to automatically unpack a malicious image or build • Attacker includes malicious xz binaries in the image or build • Victim creates a container using the malicious image or build • Privilege escalation => Attacker runs as root on the host OS • CVE severity – Critical • Vulnerability was fixed in Docker 1.3.3 CVE-2014-9357 Arbitrary code execution with root privileges
  • 11. © 2022 Synopsys, Inc. 12 Synopsys Confidential Information Blank root password • Affects containers built with the Alpine Linux Docker image versions 3, 4, 5. • System credentials are typically stored in etc/shadow • Authentication mechanisms can be customized with different packages – Alpine Linux + shadow/PAM packages • Empty password for root user • Attacker hacks into container => easily switches to root • CVE Severity - Critical CVE-2019-5021 Root users on Alpine Linux containers have blank passwords.
  • 12. © 2022 Synopsys, Inc. 13 Synopsys Confidential Information Trojan horse • Not the virus trojan horse • Docker Desktop Community Edition versions prior to 2.1.0.1 • Docker startup or authenticate invokes docker-credential-wincred.exe • Access controls of containing folder %PROGRAMDATA%DockerDesktopversi on-bin • Exploit: Replace the executable, keep the name • When Docker starts, the executable runs with user’s privilege (what if it was admin?) • CVE Severity - High CVE-2019-15752 Docker folder uses the default windows access control.
  • 13. © 2022 Synopsys, Inc. 14 Synopsys Confidential Information • Affects Kubernetes versions older than 1.12.9, 1.13.6, and 1.14.2 • Command kubectl cp – copy files between host and containers – Packs into archive using tar – Transfers over network – Unpacks on the host • Compromised tar binary on the container => access to the host file system: – Adding malicious files – Overwriting existing files • CVE Severity - High CVE-2019-11246 Kubernetes File Manipulation
  • 14. © 2022 Synopsys, Inc. 15 Synopsys Confidential Information Securing Containers: Risks and Mitigations • Container image • Image registry • Container runtime • Host OS • Orchestrator Container image Image registry Orchestrator Container runtime >_ Host OS
  • 15. © 2022 Synopsys, Inc. 16 Synopsys Confidential Information Securing container images Mitigations • Use a minimalistic base OS, like Alpine Linux and Windows Nano Server • Keep the software in container images up-to-date • Periodically scan the containers for: – Known vulnerabilities / CVEs in the container layers – Misconfigurations of containers (Containerfiles/Dockerfiles) with a scanner (port misconfigurations, protocols, certificates, running as privileged users, etc.) – Malware – Hard-coded secrets • An organization should have a set of vetted images that are used across all teams • Maintain application security requirements for the code deployed on the container: – Maintain the frameworks/libraries/components up-to-date – Scan the internally-developed applications • Base OS functionality and components • Components missing critical security updates (component become outdated over time) • Configuration defects • Embedded malware • Leaking clear text secrets Risks
  • 16. © 2022 Synopsys, Inc. 17 Synopsys Confidential Information Securing image registries Mitigations • Use private registry • Use secure connections to the registry • Harden the registry host • Use authentication and access control – E.g. developers can only write to the specific repository • Regularly monitor • Prune stale images • Only publish trusted images (that passed security requirements) • Ensure that only containers from your private registry can be used within the organization • Insecure connection • Leaking IP from the registry • Stale images Risks
  • 17. © 2022 Synopsys, Inc. 18 Synopsys Confidential Information Securing container runtime Mitigations • Monitor container runtime for vulnerabilities (CVEs) and update it often • Control egress network traffic sent by containers – Traffic in the virtual network is encrypted. Therefore, traditional network controls (firewalls) may not work. – Dynamic IP assigned automatically. Therefore, IP- based controls won’t work. – Use app-aware tools • Use mandatory access control (MAC) technologies (file system, processes, network sockets, etc.) • CIS Benchmark for Docker • Use OS kernel level controls • Network risks between containers in the same runtime • Runtime misconfigurations: • Containers running in privileged mode • Containers mounting volumes in sensitive directories on the host OS Risks
  • 18. © 2022 Synopsys, Inc. 19 Synopsys Confidential Information Securing host OS Mitigations • Use slim OS with additional kernel protection (e.g. SELinux) • Keep the OS up-to-date, monitor for vulnerabilities • Limit logins to the host OS, audit authentication • Monitoring for any unexpected behavior on the host (network, file system, processes, etc.) • Running “busted” containers • Malicious containers • Rogue containers • Containers with vulnerable layers • Containers with application security defects • Large attack surface • Shared kernel • Host OS components • Shared file system (mounting volumes) • Additional users of the OS Risks
  • 19. © 2022 Synopsys, Inc. 20 Synopsys Confidential Information Host OS Can we forget about application security? Scenario: vulnerable application in a container Secure/vetted Container Container Marketing web app Public Internet DB Engine SQL injection Payload: SQLi to RCE Container Container Container Mitigations: • Limit egress: to an internal subnet or (better) application protocols • No internet access • Only needed internal network access • Restrict DB user: deny running OS commands Service managing bounties for Bug Bounty program RCE: network scan
  • 20. © 2022 Synopsys, Inc. 21 Synopsys Confidential Information Securing orchestration platforms Risks • Unnecessary administrative access • Unauthorized access (to containers and data storage volumes) • Compliance risk – encrypting data at rest • Network risks – traffic from different applications sharing the same virtual network • Orchestrator node trust Mitigations • Limit the number of privileged users • Access control linked to the company user directory • Encrypting data storage volumes • Segmentation, segmentation, segmentation: – Virtual networks by sensitivity level (if by app is not possible) – Host “pinning” by sensitivity levels (individually managed clusters) Aerial view of the Forbidden City, Beijing (© Google Earth 2021) Defense in depth
  • 21. © 2022 Synopsys, Inc. 22 Synopsys Confidential Information Container Security Resources
  • 22. © 2022 Synopsys, Inc. 23 Synopsys Confidential Information OWASP Docker Top 10 Draft in progress. Not a list of top 10 vulnerabilities or risks, but a list of top 10 controls. Document: https://github.com/OWASP/Docker- Security/blob/main/dist/owasp-docker- security.pdf • Use it as guidance during the design phase, for auditing an existing environment, or procuring a new one • Focuses on Docker, but could be applied to containers in general • Orchestrator security risks are out of scope for this list, but container networking is in scope D01 - Secure User Mapping D02 - Patch Management Strategy D03 - Network Segmentation and Firewalling D04 - Secure Defaults and Hardening D05 - Maintain Security Contexts D06 - Protect Secrets D07 - Resource Protection D08 - Container Image Integrity and Origin D09 - Follow Immutable Paradigm D10 - Logging https://owasp.org/www-project-docker-top-10/
  • 23. © 2022 Synopsys, Inc. 24 Synopsys Confidential Information OWASP Container Security Verification Standard (CSVS) • The structure is based on the OWASP Application Security Verification Standard (ASVS) • Has overlap with Docker Top 10, but covers broader categories: – V1: Organizational (processes & people) – V2: Infrastructure – V3: Containers (Docker Top 10) – V4: Orchestration Management – V5: Image Distribution – V6: Secrets and Keys – V7: Network – V8: Storage – V9: Logging & Monitoring – V10: Integration – V11: Disaster Recovery – V12: Testing • This is a shorter standard, compared to CIS Benchmarks and NIST Application Container Security Guide https://owasp.org/www-project-container-security-verification-standard/migrated_content • Provides 3 security verification levels 1. For all containers 2. Containers with sensitive data or business logic 3. Critical containers (high value transactions, PII, medical data)
  • 24. © 2022 Synopsys, Inc. 25 Synopsys Confidential Information NIST Special Publication 800-190 Application Container Security Guide https://doi.org/10.6028/NIST.SP.800-190 • Overview of Container Technology • Explains basic concepts of container and orchestrations • Discusses risks to the core components of container technologies • Contains a section on countermeasures for the listed risks • Provides threat scenario examples and considerations for the container technology life cycle NIST Application Container Security Guide Container Technology Architecture and Lifecycle Phases NIST SP 800-190
  • 25. © 2022 Synopsys, Inc. 26 Synopsys Confidential Information Center for Internet Security (CIS) developed "more than 100 configuration guidelines across 25+ vendor product families to safeguard systems against today’s evolving cyber threats." • CIS Benchmarks include hardening guidelines for manual and automated steps CIS Docker Benchmark provides detailed guidelines in the following categories: • Host • Docker daemon and its config files • Container images and build files • Container runtime • Docker security operations • Docker Swarm CIS Docker Benchmark https://www.cisecurity.org/benchmark/docker
  • 26. © 2022 Synopsys, Inc. 27 Synopsys Confidential Information 1. Harden all the systems 2. Use segmentation at all levels (clusters, hosts, networks) 3. Monitor all the components: scan, scan, scan 4. Introduce gates before publishing your images 5. Use vetted base images 6. Generate a Software Bill of Materials (SBOM) for every container image 7. Use an Application Security Orchestration and Correlation tool (ASOC) – Collects data from various AppSec sources – Consolidates and correlates the findings, prioritizing remediation efforts Best Practices of Securing Containers Defense in Depth
  • 27. © 2022 Synopsys, Inc. 28 Synopsys Confidential Information Ksenia Peguero ksenia@synopsys.com Twitter: @KseniaDmitrieva https://www.synopsys.com/software