SlideShare a Scribd company logo

Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016

Manideep Konakandla
Manideep Konakandla

My Talk at OWASP Appsec USA 2016

Technology
1 of 38
Download to read offline
Breaking && Securing your ‘Docker’ized environments Manideep K
Shameless Bragging • Masters Student + Security Researcher at “Carnegie Mellon” • Authored a book on Info Sec & Ethical Hacking at the age of 20 • Featured in INDIA’s largest news papers and news channels • Trained 15,000+ people in Infosec including corporates, students & cyber cops • 10 certifications : ISO 27001:2013 ISMS LA, CCNA, CEH, JNCIP-SEC etc. • Ex Team Lead – Core Security & Data Analytics at TCS • Interest areas : Container Security, Application Security etc. More details on “www.manideepk.com” 2
Experience with Docker containers • Research at Carnegie Mellon University under renowned professors • Cloud Security Research Intern @Adobe • Co-Authored CIS Docker 1.12 Benchmark (You will see points from it today) • Research Intern at Carnegie Mellon 3
Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host - Communication and Registry security (if time permits)  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 4
Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 5
Containers?  Lightweight  Application centric  No more - “it works on my machine”  Micro-services Namespaces Isolates containers (PID, User, Network, IPC, Mount , UTS) Cgroups Limits, accounts and isolates resource usage (CPU, memory etc.) BUZZ……….! Are containers brand new? Img Ref: www.docker.com 6
Container environment (Docker) Img Ref: Modified version of image on www.docker.com 7
8 Risk Areas Images Container Runtime Daemon Host System Kernel/ Containers Isolation (Shared kernel) Communication
Container pipeline (Docker) Client <=> daemon communication Communication with public/private registry Registry’s security Host security Daemon security Containers Images 9
Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 10
11 Containers do not contain 53% of decision makers are worried about security of containers* Containers are not production-ready Container Security (Docker) developed “a lot” in the past two years, is still developing and has lot of scope Docker containers are now “production-ready**” . Google spins up more than 2 billion containers per week Containers are the “FUTURE” * Forrester/Red Hat Report , January 2015 ** You have to make them secure
Docker says At Docker we believe in “Secure by Default” * NCC Group Report on containers says Docker default security settings are quite good ** I say (and even you will, by end of this presentation) “Docker is not secure by default, you have to make it secure…!” * https://blog.docker.com/2016/04/docker-security/ ** https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/april/understanding-and-hardening-linux- containers/ 12
My approach for explanation “Point” (on later slides) What breaks it & How to secure it Why this approach? 13
Breaking and Securing “Images” 14
Image Layers – Copy on Write (CoW) model Manifest file of an image inside registry Image’s lifecycle (Img Ref: www.docker.com) Introduction to Images 15
• Where can I get Images? - Docker hub , Docker Private Store • Can I use them (directly)? - No, Not Docker hub (at least general images) for enterprises (personal?) - How about Docker Private store? • Official images are scanned with Nautilus (general images are not) • My analysis with images (sampling) • Banyanops analysis* proved that Docker hub images are prone to severe vulnerabilities such as Heartbleed, Shellshock etc. (2015 report) Quick Facts from the report : 30% official images are vulnerable 70% general images are vulnerable * : Below report was released in 2015. Though Docker initiated Nautilus after that and started mitigating the vulnerabilities in official images, it still has many unpatched. Also, unofficial Docker hub images are still untouched and are left with lot of vulnerabilities. So, though the percentage of vulnerabilities might not be exactly the same today, the essence of the report still remains the same** ** : You can open the official images on Docker hub and see the tags section of each image which shows the scan report of Nautilus for that particular image Report Link: https://banyanops.com/blog/analyzing-docker-hub/ 16
Lesson Learnt….! Do Not directly use Docker hub images (not atleast general images and not at-least for enterprise use) 17
Manideep, Then what to do? Prepare your own Docker Images (Oh Gosh, Lot of security controls to follow….!) • How to write Dockerfiles (any other similar mechanism such as Packr) securely? • How to maintain/consume images securely? 18
Writing Dockerfiles securely (our “Points” are here….) 1) Follow version pinning mechanisms for base images, packages etc. (Caching issue) CIS Docker 1.12– 5.27 2) Download packages securely - Ex: GPG (MITM issue) : CIS Docker 1.12 – 4.11 3) Create a user for containers (Priv issue / root issue) : CIS Docker 1.12 – 4.1 4) Do not use any kind of update instructions alone in the Dockerfile (Caching issue) CIS Docker 1.12 – 4.7 5) Remove setuid, setgid permissions within the images (Priv Escalation) : CIS Docker 1.12 – 4.8 6) Do not install unnecessary packages within the images (Increased attack surface) CIS Docker 1.12 – 4.3 7) Do not write secrets in Dockerfiles (Information Disclosure). Use Keywhiz, Vault etc. CIS Docker 1.12 – 4.10 8) Use COPY instead of ADD (Increased attack surface) : CIS Docker 1.12 – 4.9 9) Use HEALTHCHECK command (Best practice) : CIS Docker 1.12 – 4.6 10) Use gosu instead of sudo wherever possible ( TTY and signal forwarding issue) 11) Do not prefer to run multiple applications within one container (Increased attack surface) 19
How to maintain / consume images securely? 1) Docker Content Trust (Enable it!) • Based on Thandy framework and is little complex to understand • Ensures integrity, authenticity and freshness guarantees to images (Without DCT?) • Extensive analysis done (Seems secure…) • Create your own Notary setup 2) Images should be “vulnerability-free” and should be “frequently” scanned with tools like Twistlock, Nautilus etc. Tools should be capable of doing binary level analysis /hash based match and just not version string matching. 3) All images / packages within images must be up-to-date (Except compatibility issues) 4) Follow all CIS Docker benchmark standards 20
Breaking and Securing “Container runtime” 21
Container runtime security 1) Ensure Docker commands get latest images (Caching issue) : CIS Docker 1.12 – 5.27 2) Enable PIDs cgroup per container (fork bomb) : CIS Docker 1.12 - 5.28 3) Do not use default docker0 bridge (ARP spoofing, MITM etc.) : CIS Docker 1.12 - 5.29 4) Set memory limits per container (DOS) : CIS Docker 1.12 - 5.10 5) Do not use privileged containers (Violation of least privilege) : CIS Docker 1.12 - 5.4 6) Bind incoming traffic to any specific interface (Info disclosure etc.) : CIS Docker 1.12 - 5.13 7) Do not share host’s process, user, UTS, IPC, network namespaces to containers (Info disclosure etc.) 8) Do not disable capabilities (significance of SYS_TIME, NET_RAW) 9) Prefer to set no new privileges flag (no runtime priv. gain atacks) : CIS Docker 1.12 – 5.25 10) Do not disable seccomp profiles (Container breakout) : CIS Docker 1.12 – 5.21 11) Set CPU shares appropriately (DOS) : CIS Docker 1.12 – 5.11 12) Use Apparmor / SELinux profiles (No access restriction) : CIS Docker 1.12 – 5.1, 5.2 13) Mounts (Violation of least privilege) 14) Beware of non namespaced components : kernel keyring etc. (Container breakout) 15) Adhere CIS Docker 1.12 benchmark 22
Breaking and Securing “Daemon” 23
1) Enable user namespaces - When user namespaces are enabled (which are disabled by default) root inside the container will be “no more” root on the host. (Without user namespaces?) - Enable user namespaces when launching daemon with “- - userns-remap” flag - Know about the restrictions (no read only filesystem for containers, no - -privileged flag etc.) 2) Disable communication between containers - By default, all containers are on the same bridge and can communicate (intercept traffic) - Add “- - icc = false” flag when launching daemon which would prevent container communication - Use user-defined networks for allowing group of containers to communicate (DO NOT use legacy container linking method as it leaks secrets stored in environment variables between containers) 3) Enable TLS & authentication for communication between daemon and client - By default, communication between docker daemon and client are not encrypted and there is no authentication between them. - Enable TLS & CA authentication at daemon level which would prevent attacks such as MITM, server or client impersonation etc. Daemon Security 24
Daemon Security 4) Enable ulimits for your docker daemon (You can do it at runtime per container) - ulimits are great way to restrict lot of resources such as CPU time limit, max file descriptors that can be opened, max no of processes etc. - By default, no ulimits are set . You can enable them by using flags. Ex: “- -default-ulimit nproc=10” 5) Use authorization plugins - By default, every user having access to daemon can run any Docker command. Auth plugins provides granular control on “who runs what” at daemon level. - You can enable auth plugins while launching daemon with the flag “- -authorization-plugin=plugin1 –authorization-plugin=plugin2 …………….” 6) Ensure only trusted users will have access to docker daemon as all the members within the docker group will have effective root privileges 25
Breaking and Securing “The host where containers are hosted” 26
Security controls on the host 1) Maintain up-to-date Linux kernel - They have all vulnerabilities fixed and latest security controls included - Ex: PIDs cgroup (prevents fork bomb) is only available in kernels > 4.3 2) Apply kernel hardening policies such as GRSecurity, PaX etc. - These are kernel patch sets which help in preventing multiple kind of memory, access control exploits etc. These would prevent exploitation even though attacker was able to break out of container. Also, ensure that these kernel patches do not interfere with your Docker setup (test with sysctl and then lock down) 3) Harden the host as per your enterprise / CIS / SANS guidelines 4) Keep Docker always up-to-date 27
Container pipeline (Holistic View) – Communication & Registry Security Client <=> daemon communication Communication with public/private registry Registry’s security Host security Daemon security Containers Images Img Ref: Modified version of image on www.docker.com * * 28
Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 29
Few tips for enterprises • Setup your own in-house registry having “secure and ready-to-consume” images • Prepare customized auth plugins, seccomp, apparmor profiles as per your requirements • Do not share secrets in environment variables • Use tools like Twistlock, Scalock etc. to secure your container environments. These tools provide capabilities like Image lockdown, RBAC, automatic profiling etc. • Use TPM, TCB etc. in Docker environments (Add docker daemon to TCB) • Use image optimization techniques (Do not compromise security!) • Container specific rules to be created in SIEM • Group containers on VM’s (basing on trust, operational categories) • Employ least privilege, defense in depth, reduced attack surface principles • Employ file integrity monitoring tools for critical files • Prepare separate patch management, vulnerability management etc. procedures for container environments • Adhere to latest CIS Docker benchmark or prepare your own internal benchmarks customizing standard CIS Docker benchmark as per your organizational requirements 30
Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 31
Future (My 2¢) • Hardware level Isolation ( Container’s performance + VM security ) - Clear Containers (QEMU+KVM : Very light weight VM ‘s. Though not up to Docker performance, they are optimizing more). - Has lot of scope. My area of work for next few days. • No more shared kernel as in clear containers • Trusted place for getting Images. Ex: Docker store • Advancement in container security tools : Twistlock, Scalock are only tools which cover entire container ecosystems today. They are adding more features • In-built “proper” hardening of host when Docker installed (GRSEC, PaX etc.) • Docker Images encryption – similar to VM (Most security controls of VM will be soon shipped to container ecosystem) • Portability between container technologies (lot of current work) • Name spacing the missing components: Kernel keyring, SYS_TIME etc. • Enhanced security controls on the daemon, images and container runtime Ex: better default seccomp by in-built profiling etc. 32
My Next Plans • Research on hardware level isolation to containers • In-depth Research on other container technologies • Whitepaper (or possibly a book? ) on Docker Security • Continue contribution to CIS Docker Benchmark (Please join!) • Will be presenting at RSA conference (poster under RSA Scholar Program), Grehack etc. • Feel free to reach me if you have similar interests or want to collaborate 33
Conclusion 34
References 1. https://www.nccgroup.trust/globalassets/our- research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf 2. http://www.oreilly.com/webops-perf/free/files/docker-security.pdf 3. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf 4. CIS Docker Benchmark 1.12 5. http://csrc.nist.gov/news_events/cif_2015/research/day1_research_430-530.pdf 6. http://www.slideshare.net/SreenivasMakam/docker-security-overview?qid=49963984-be1a-4322-a3a8- e5a2963127c0&v=&b=&from_search=1 7. http://www.slideshare.net/Docker/docker-security-workshop-slides 8. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231 9. https://clearlinux.org/features/clear-containers 10. https://arxiv.org/pdf/1501.02967.pdf 11. http://www.slideshare.net/Docker/the-golden-ticket-docker-and-high-security-microservices-by-aaron- grattafiori?qid=dd633f11-1c78-42ce-86f0-88068690a6ee&v=&b=&from_search=2 12. https://docs.docker.com/engine/security/ 13. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence 35
Special Thanks to Adobe 36
Q & A time 37
Thank you…! Reach me on www.manideepk.com for any questions 38

Recommended

How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?Manideep Konakandla
 
Is Docker Secure?
Is Docker Secure?Is Docker Secure?
Is Docker Secure?Manideep Konakandla
 
BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017Manideep Konakandla
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
RSA conference poster on Docker container security
RSA conference poster on Docker container securityRSA conference poster on Docker container security
RSA conference poster on Docker container securityManideep Konakandla
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container SecurityShea Stewart
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisOW2
 
An In-depth look at application containers
An In-depth look at application containersAn In-depth look at application containers
An In-depth look at application containersJohn Kinsella
 

Recommended

How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?Manideep Konakandla
 
Is Docker Secure?
Is Docker Secure?Is Docker Secure?
Is Docker Secure?Manideep Konakandla
 
BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017Manideep Konakandla
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
RSA conference poster on Docker container security
RSA conference poster on Docker container securityRSA conference poster on Docker container security
RSA conference poster on Docker container securityManideep Konakandla
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container SecurityShea Stewart
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisOW2
 
An In-depth look at application containers
An In-depth look at application containersAn In-depth look at application containers
An In-depth look at application containersJohn Kinsella
 
Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Jose Manuel Ortega Candel
 
Testing Docker Images Security
Testing Docker Images SecurityTesting Docker Images Security
Testing Docker Images SecurityJose Manuel Ortega Candel
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the CloudJohn Kinsella
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers SecurityStephane Woillez
 
SW Docker Security
SW Docker SecuritySW Docker Security
SW Docker SecurityStephane Woillez
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersJohn Kinsella
 
Dockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to GeekDockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to GeekwiTTyMinds1
 
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)DataArt
 
V brownbag sept-14-2016
V brownbag sept-14-2016V brownbag sept-14-2016
V brownbag sept-14-2016Anthony Chow
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningStephane Woillez
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...NETWAYS
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure SecurityRicky Sanders
 
Docker 101
Docker 101Docker 101
Docker 101Lâm Đào
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Advanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and ScalabilityAdvanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and ScalabilityAll Things Open
 
Equifax cyber attack contained by containers
Equifax cyber attack contained by containersEquifax cyber attack contained by containers
Equifax cyber attack contained by containersAqua Security
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
CDI and Seam 3: an Exciting New Landscape for Java EE Development
CDI and Seam 3: an Exciting New Landscape for Java EE DevelopmentCDI and Seam 3: an Exciting New Landscape for Java EE Development
CDI and Seam 3: an Exciting New Landscape for Java EE DevelopmentSaltmarch Media
 
Common Challenges in DevOps Change Management
Common Challenges in DevOps Change ManagementCommon Challenges in DevOps Change Management
Common Challenges in DevOps Change ManagementMatt Ray
 
The Future of Change Management and DevOps for Dummies
The Future of Change Management and DevOps for DummiesThe Future of Change Management and DevOps for Dummies
The Future of Change Management and DevOps for DummiesDBmaestro - Database DevOps
 

More Related Content

What's hot

Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Jose Manuel Ortega Candel
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers SecurityStephane Woillez
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersJohn Kinsella
 
Dockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to GeekDockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to GeekwiTTyMinds1
 
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)DataArt
 
V brownbag sept-14-2016
V brownbag sept-14-2016V brownbag sept-14-2016
V brownbag sept-14-2016Anthony Chow
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningStephane Woillez
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...NETWAYS
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure SecurityRicky Sanders
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Advanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and ScalabilityAdvanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and ScalabilityAll Things Open
 
Equifax cyber attack contained by containers
Equifax cyber attack contained by containersEquifax cyber attack contained by containers
Equifax cyber attack contained by containersAqua Security
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
CDI and Seam 3: an Exciting New Landscape for Java EE Development
CDI and Seam 3: an Exciting New Landscape for Java EE DevelopmentCDI and Seam 3: an Exciting New Landscape for Java EE Development
CDI and Seam 3: an Exciting New Landscape for Java EE DevelopmentSaltmarch Media
 

What's hot (20)

Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017
 
Testing Docker Images Security
Testing Docker Images SecurityTesting Docker Images Security
Testing Docker Images Security
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
 
SW Docker Security
SW Docker SecuritySW Docker Security
SW Docker Security
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability Scanners
 
Dockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to GeekDockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to Geek
 
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
 
V brownbag sept-14-2016
V brownbag sept-14-2016V brownbag sept-14-2016
V brownbag sept-14-2016
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment Planning
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
 
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure Security
 
Docker 101
Docker 101Docker 101
Docker 101
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
 
Advanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and ScalabilityAdvanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and Scalability
 
Equifax cyber attack contained by containers
Equifax cyber attack contained by containersEquifax cyber attack contained by containers
Equifax cyber attack contained by containers
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
 
CDI and Seam 3: an Exciting New Landscape for Java EE Development
CDI and Seam 3: an Exciting New Landscape for Java EE DevelopmentCDI and Seam 3: an Exciting New Landscape for Java EE Development
CDI and Seam 3: an Exciting New Landscape for Java EE Development
 

Viewers also liked

Common Challenges in DevOps Change Management
Common Challenges in DevOps Change ManagementCommon Challenges in DevOps Change Management
Common Challenges in DevOps Change ManagementMatt Ray
 
The Future of Change Management and DevOps for Dummies
The Future of Change Management and DevOps for DummiesThe Future of Change Management and DevOps for Dummies
The Future of Change Management and DevOps for DummiesDBmaestro - Database DevOps
 
Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...
Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...
Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...Zohar Stolar
 
DevOps Picc12 Management Talk
DevOps Picc12 Management TalkDevOps Picc12 Management Talk
DevOps Picc12 Management TalkMichael Rembetsy
 
Case Study: Verizon - CA Workload Automation ESP Edition: Best Practice’s, De...
Case Study: Verizon - CA Workload Automation ESP Edition: Best Practice’s, De...Case Study: Verizon - CA Workload Automation ESP Edition: Best Practice’s, De...
Case Study: Verizon - CA Workload Automation ESP Edition: Best Practice’s, De...CA Technologies
 
Dockerfile at Guidewire
Dockerfile at GuidewireDockerfile at Guidewire
Dockerfile at GuidewireDocker, Inc.
 
'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen Day'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen DayDocker, Inc.
 
Infinit: Modern Storage Platform for Container Environments
Infinit: Modern Storage Platform for Container EnvironmentsInfinit: Modern Storage Platform for Container Environments
Infinit: Modern Storage Platform for Container EnvironmentsDocker, Inc.
 
Online Meetup: What's new in docker 1.13.0
Online Meetup: What's new in docker 1.13.0 Online Meetup: What's new in docker 1.13.0
Online Meetup: What's new in docker 1.13.0 Docker, Inc.
 
Containerd - core container runtime component
Containerd - core container runtime component Containerd - core container runtime component
Containerd - core container runtime component Docker, Inc.
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker imagesRootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker imagesDaniel Garcia (a.k.a cr0hn)
 
containerd summit - Deep Dive into containerd
containerd summit - Deep Dive into containerdcontainerd summit - Deep Dive into containerd
containerd summit - Deep Dive into containerdDocker, Inc.
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker, Inc.
 
containerd and CRI
containerd and CRIcontainerd and CRI
containerd and CRIDocker, Inc.
 
Driving containerd operations with gRPC
Driving containerd operations with gRPCDriving containerd operations with gRPC
Driving containerd operations with gRPCDocker, Inc.
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deploymentMichael Cherny
 
Docker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EEDocker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EEDocker, Inc.
 

Viewers also liked (18)

Common Challenges in DevOps Change Management
Common Challenges in DevOps Change ManagementCommon Challenges in DevOps Change Management
Common Challenges in DevOps Change Management
 
The Future of Change Management and DevOps for Dummies
The Future of Change Management and DevOps for DummiesThe Future of Change Management and DevOps for Dummies
The Future of Change Management and DevOps for Dummies
 
Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...
Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...
Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...
 
DevOps Picc12 Management Talk
DevOps Picc12 Management TalkDevOps Picc12 Management Talk
DevOps Picc12 Management Talk
 
Case Study: Verizon - CA Workload Automation ESP Edition: Best Practice’s, De...
Case Study: Verizon - CA Workload Automation ESP Edition: Best Practice’s, De...Case Study: Verizon - CA Workload Automation ESP Edition: Best Practice’s, De...
Case Study: Verizon - CA Workload Automation ESP Edition: Best Practice’s, De...
 
Dockerfile at Guidewire
Dockerfile at GuidewireDockerfile at Guidewire
Dockerfile at Guidewire
 
'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen Day'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen Day
 
Infinit: Modern Storage Platform for Container Environments
Infinit: Modern Storage Platform for Container EnvironmentsInfinit: Modern Storage Platform for Container Environments
Infinit: Modern Storage Platform for Container Environments
 
Online Meetup: What's new in docker 1.13.0
Online Meetup: What's new in docker 1.13.0 Online Meetup: What's new in docker 1.13.0
Online Meetup: What's new in docker 1.13.0
 
Containerd - core container runtime component
Containerd - core container runtime component Containerd - core container runtime component
Containerd - core container runtime component
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker imagesRootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
 
containerd summit - Deep Dive into containerd
containerd summit - Deep Dive into containerdcontainerd summit - Deep Dive into containerd
containerd summit - Deep Dive into containerd
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016
 
containerd and CRI
containerd and CRIcontainerd and CRI
containerd and CRI
 
Driving containerd operations with gRPC
Driving containerd operations with gRPCDriving containerd operations with gRPC
Driving containerd operations with gRPC
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deployment
 
Docker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EEDocker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EE
 

Similar to Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016

Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingPhil Estes
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
 
Cloud orchestration risks
Cloud orchestration risksCloud orchestration risks
Cloud orchestration risksGlib Pakharenko
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerPhil Estes
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
What You Should Know About Container Security
What You Should Know About Container SecurityWhat You Should Know About Container Security
What You Should Know About Container SecurityAll Things Open
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel securitysmart_bit
 
Docker: do's and don'ts
Docker: do's and don'tsDocker: do's and don'ts
Docker: do's and don'tsPaolo Tonin
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trustehazlett
 
Devoxx 2016 - Docker Nuts and Bolts
Devoxx 2016 - Docker Nuts and BoltsDevoxx 2016 - Docker Nuts and Bolts
Devoxx 2016 - Docker Nuts and BoltsPatrick Chanezon
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiatedKevin Lee
 

Similar to Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016 (20)

Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're Going
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
 
Cloud orchestration risks
Cloud orchestration risksCloud orchestration risks
Cloud orchestration risks
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in Docker
 
Container security
Container securityContainer security
Container security
 
What You Should Know About Container Security
What You Should Know About Container SecurityWhat You Should Know About Container Security
What You Should Know About Container Security
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel security
 
Docker: do's and don'ts
Docker: do's and don'tsDocker: do's and don'ts
Docker: do's and don'ts
 
Boycott Docker
Boycott DockerBoycott Docker
Boycott Docker
 
Docker best Practices
Docker best PracticesDocker best Practices
Docker best Practices
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
 
Devoxx 2016 - Docker Nuts and Bolts
Devoxx 2016 - Docker Nuts and BoltsDevoxx 2016 - Docker Nuts and Bolts
Devoxx 2016 - Docker Nuts and Bolts
 
Container Security
Container SecurityContainer Security
Container Security
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiated
 

Recently uploaded

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Recently uploaded (20)

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016

  • 1. Breaking && Securing your ‘Docker’ized environments Manideep K
  • 2. Shameless Bragging • Masters Student + Security Researcher at “Carnegie Mellon” • Authored a book on Info Sec & Ethical Hacking at the age of 20 • Featured in INDIA’s largest news papers and news channels • Trained 15,000+ people in Infosec including corporates, students & cyber cops • 10 certifications : ISO 27001:2013 ISMS LA, CCNA, CEH, JNCIP-SEC etc. • Ex Team Lead – Core Security & Data Analytics at TCS • Interest areas : Container Security, Application Security etc. More details on “www.manideepk.com” 2
  • 3. Experience with Docker containers • Research at Carnegie Mellon University under renowned professors • Cloud Security Research Intern @Adobe • Co-Authored CIS Docker 1.12 Benchmark (You will see points from it today) • Research Intern at Carnegie Mellon 3
  • 4. Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host - Communication and Registry security (if time permits)  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 4
  • 5. Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 5
  • 6. Containers?  Lightweight  Application centric  No more - “it works on my machine”  Micro-services Namespaces Isolates containers (PID, User, Network, IPC, Mount , UTS) Cgroups Limits, accounts and isolates resource usage (CPU, memory etc.) BUZZ……….! Are containers brand new? Img Ref: www.docker.com 6
  • 7. Container environment (Docker) Img Ref: Modified version of image on www.docker.com 7
  • 8. 8 Risk Areas Images Container Runtime Daemon Host System Kernel/ Containers Isolation (Shared kernel) Communication
  • 9. Container pipeline (Docker) Client <=> daemon communication Communication with public/private registry Registry’s security Host security Daemon security Containers Images 9
  • 10. Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 10
  • 11. 11 Containers do not contain 53% of decision makers are worried about security of containers* Containers are not production-ready Container Security (Docker) developed “a lot” in the past two years, is still developing and has lot of scope Docker containers are now “production-ready**” . Google spins up more than 2 billion containers per week Containers are the “FUTURE” * Forrester/Red Hat Report , January 2015 ** You have to make them secure
  • 12. Docker says At Docker we believe in “Secure by Default” * NCC Group Report on containers says Docker default security settings are quite good ** I say (and even you will, by end of this presentation) “Docker is not secure by default, you have to make it secure…!” * https://blog.docker.com/2016/04/docker-security/ ** https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/april/understanding-and-hardening-linux- containers/ 12
  • 13. My approach for explanation “Point” (on later slides) What breaks it & How to secure it Why this approach? 13
  • 15. Image Layers – Copy on Write (CoW) model Manifest file of an image inside registry Image’s lifecycle (Img Ref: www.docker.com) Introduction to Images 15
  • 16. • Where can I get Images? - Docker hub , Docker Private Store • Can I use them (directly)? - No, Not Docker hub (at least general images) for enterprises (personal?) - How about Docker Private store? • Official images are scanned with Nautilus (general images are not) • My analysis with images (sampling) • Banyanops analysis* proved that Docker hub images are prone to severe vulnerabilities such as Heartbleed, Shellshock etc. (2015 report) Quick Facts from the report : 30% official images are vulnerable 70% general images are vulnerable * : Below report was released in 2015. Though Docker initiated Nautilus after that and started mitigating the vulnerabilities in official images, it still has many unpatched. Also, unofficial Docker hub images are still untouched and are left with lot of vulnerabilities. So, though the percentage of vulnerabilities might not be exactly the same today, the essence of the report still remains the same** ** : You can open the official images on Docker hub and see the tags section of each image which shows the scan report of Nautilus for that particular image Report Link: https://banyanops.com/blog/analyzing-docker-hub/ 16
  • 17. Lesson Learnt….! Do Not directly use Docker hub images (not atleast general images and not at-least for enterprise use) 17
  • 18. Manideep, Then what to do? Prepare your own Docker Images (Oh Gosh, Lot of security controls to follow….!) • How to write Dockerfiles (any other similar mechanism such as Packr) securely? • How to maintain/consume images securely? 18
  • 19. Writing Dockerfiles securely (our “Points” are here….) 1) Follow version pinning mechanisms for base images, packages etc. (Caching issue) CIS Docker 1.12– 5.27 2) Download packages securely - Ex: GPG (MITM issue) : CIS Docker 1.12 – 4.11 3) Create a user for containers (Priv issue / root issue) : CIS Docker 1.12 – 4.1 4) Do not use any kind of update instructions alone in the Dockerfile (Caching issue) CIS Docker 1.12 – 4.7 5) Remove setuid, setgid permissions within the images (Priv Escalation) : CIS Docker 1.12 – 4.8 6) Do not install unnecessary packages within the images (Increased attack surface) CIS Docker 1.12 – 4.3 7) Do not write secrets in Dockerfiles (Information Disclosure). Use Keywhiz, Vault etc. CIS Docker 1.12 – 4.10 8) Use COPY instead of ADD (Increased attack surface) : CIS Docker 1.12 – 4.9 9) Use HEALTHCHECK command (Best practice) : CIS Docker 1.12 – 4.6 10) Use gosu instead of sudo wherever possible ( TTY and signal forwarding issue) 11) Do not prefer to run multiple applications within one container (Increased attack surface) 19
  • 20. How to maintain / consume images securely? 1) Docker Content Trust (Enable it!) • Based on Thandy framework and is little complex to understand • Ensures integrity, authenticity and freshness guarantees to images (Without DCT?) • Extensive analysis done (Seems secure…) • Create your own Notary setup 2) Images should be “vulnerability-free” and should be “frequently” scanned with tools like Twistlock, Nautilus etc. Tools should be capable of doing binary level analysis /hash based match and just not version string matching. 3) All images / packages within images must be up-to-date (Except compatibility issues) 4) Follow all CIS Docker benchmark standards 20
  • 22. Container runtime security 1) Ensure Docker commands get latest images (Caching issue) : CIS Docker 1.12 – 5.27 2) Enable PIDs cgroup per container (fork bomb) : CIS Docker 1.12 - 5.28 3) Do not use default docker0 bridge (ARP spoofing, MITM etc.) : CIS Docker 1.12 - 5.29 4) Set memory limits per container (DOS) : CIS Docker 1.12 - 5.10 5) Do not use privileged containers (Violation of least privilege) : CIS Docker 1.12 - 5.4 6) Bind incoming traffic to any specific interface (Info disclosure etc.) : CIS Docker 1.12 - 5.13 7) Do not share host’s process, user, UTS, IPC, network namespaces to containers (Info disclosure etc.) 8) Do not disable capabilities (significance of SYS_TIME, NET_RAW) 9) Prefer to set no new privileges flag (no runtime priv. gain atacks) : CIS Docker 1.12 – 5.25 10) Do not disable seccomp profiles (Container breakout) : CIS Docker 1.12 – 5.21 11) Set CPU shares appropriately (DOS) : CIS Docker 1.12 – 5.11 12) Use Apparmor / SELinux profiles (No access restriction) : CIS Docker 1.12 – 5.1, 5.2 13) Mounts (Violation of least privilege) 14) Beware of non namespaced components : kernel keyring etc. (Container breakout) 15) Adhere CIS Docker 1.12 benchmark 22
  • 24. 1) Enable user namespaces - When user namespaces are enabled (which are disabled by default) root inside the container will be “no more” root on the host. (Without user namespaces?) - Enable user namespaces when launching daemon with “- - userns-remap” flag - Know about the restrictions (no read only filesystem for containers, no - -privileged flag etc.) 2) Disable communication between containers - By default, all containers are on the same bridge and can communicate (intercept traffic) - Add “- - icc = false” flag when launching daemon which would prevent container communication - Use user-defined networks for allowing group of containers to communicate (DO NOT use legacy container linking method as it leaks secrets stored in environment variables between containers) 3) Enable TLS & authentication for communication between daemon and client - By default, communication between docker daemon and client are not encrypted and there is no authentication between them. - Enable TLS & CA authentication at daemon level which would prevent attacks such as MITM, server or client impersonation etc. Daemon Security 24
  • 25. Daemon Security 4) Enable ulimits for your docker daemon (You can do it at runtime per container) - ulimits are great way to restrict lot of resources such as CPU time limit, max file descriptors that can be opened, max no of processes etc. - By default, no ulimits are set . You can enable them by using flags. Ex: “- -default-ulimit nproc=10” 5) Use authorization plugins - By default, every user having access to daemon can run any Docker command. Auth plugins provides granular control on “who runs what” at daemon level. - You can enable auth plugins while launching daemon with the flag “- -authorization-plugin=plugin1 –authorization-plugin=plugin2 …………….” 6) Ensure only trusted users will have access to docker daemon as all the members within the docker group will have effective root privileges 25
  • 26. Breaking and Securing “The host where containers are hosted” 26
  • 27. Security controls on the host 1) Maintain up-to-date Linux kernel - They have all vulnerabilities fixed and latest security controls included - Ex: PIDs cgroup (prevents fork bomb) is only available in kernels > 4.3 2) Apply kernel hardening policies such as GRSecurity, PaX etc. - These are kernel patch sets which help in preventing multiple kind of memory, access control exploits etc. These would prevent exploitation even though attacker was able to break out of container. Also, ensure that these kernel patches do not interfere with your Docker setup (test with sysctl and then lock down) 3) Harden the host as per your enterprise / CIS / SANS guidelines 4) Keep Docker always up-to-date 27
  • 28. Container pipeline (Holistic View) – Communication & Registry Security Client <=> daemon communication Communication with public/private registry Registry’s security Host security Daemon security Containers Images Img Ref: Modified version of image on www.docker.com * * 28
  • 29. Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 29
  • 30. Few tips for enterprises • Setup your own in-house registry having “secure and ready-to-consume” images • Prepare customized auth plugins, seccomp, apparmor profiles as per your requirements • Do not share secrets in environment variables • Use tools like Twistlock, Scalock etc. to secure your container environments. These tools provide capabilities like Image lockdown, RBAC, automatic profiling etc. • Use TPM, TCB etc. in Docker environments (Add docker daemon to TCB) • Use image optimization techniques (Do not compromise security!) • Container specific rules to be created in SIEM • Group containers on VM’s (basing on trust, operational categories) • Employ least privilege, defense in depth, reduced attack surface principles • Employ file integrity monitoring tools for critical files • Prepare separate patch management, vulnerability management etc. procedures for container environments • Adhere to latest CIS Docker benchmark or prepare your own internal benchmarks customizing standard CIS Docker benchmark as per your organizational requirements 30
  • 31. Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 31
  • 32. Future (My 2¢) • Hardware level Isolation ( Container’s performance + VM security ) - Clear Containers (QEMU+KVM : Very light weight VM ‘s. Though not up to Docker performance, they are optimizing more). - Has lot of scope. My area of work for next few days. • No more shared kernel as in clear containers • Trusted place for getting Images. Ex: Docker store • Advancement in container security tools : Twistlock, Scalock are only tools which cover entire container ecosystems today. They are adding more features • In-built “proper” hardening of host when Docker installed (GRSEC, PaX etc.) • Docker Images encryption – similar to VM (Most security controls of VM will be soon shipped to container ecosystem) • Portability between container technologies (lot of current work) • Name spacing the missing components: Kernel keyring, SYS_TIME etc. • Enhanced security controls on the daemon, images and container runtime Ex: better default seccomp by in-built profiling etc. 32
  • 33. My Next Plans • Research on hardware level isolation to containers • In-depth Research on other container technologies • Whitepaper (or possibly a book? ) on Docker Security • Continue contribution to CIS Docker Benchmark (Please join!) • Will be presenting at RSA conference (poster under RSA Scholar Program), Grehack etc. • Feel free to reach me if you have similar interests or want to collaborate 33
  • 35. References 1. https://www.nccgroup.trust/globalassets/our- research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf 2. http://www.oreilly.com/webops-perf/free/files/docker-security.pdf 3. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf 4. CIS Docker Benchmark 1.12 5. http://csrc.nist.gov/news_events/cif_2015/research/day1_research_430-530.pdf 6. http://www.slideshare.net/SreenivasMakam/docker-security-overview?qid=49963984-be1a-4322-a3a8- e5a2963127c0&v=&b=&from_search=1 7. http://www.slideshare.net/Docker/docker-security-workshop-slides 8. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231 9. https://clearlinux.org/features/clear-containers 10. https://arxiv.org/pdf/1501.02967.pdf 11. http://www.slideshare.net/Docker/the-golden-ticket-docker-and-high-security-microservices-by-aaron- grattafiori?qid=dd633f11-1c78-42ce-86f0-88068690a6ee&v=&b=&from_search=2 12. https://docs.docker.com/engine/security/ 13. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence 35
  • 37. Q & A time 37
  • 38. Thank you…! Reach me on www.manideepk.com for any questions 38