
BSides SF talk on Docker Images Security - Feb 13, 2017

My talk at BSides SF on "How secure are your Docker Images?"


Slide 1: How secure are your Docker Images?
TCS Confidential
Manideep Konakandla, Carnegie Mellon University
@BSides SF – Feb 13, 2017

Slide 2: Who am I? Hmm, yeah - Shameless Bragging
• J.N Tata Scholar, ISC2 Scholar, RSA Conference Security Scholar etc.
• Masters Student (Graduating in May '17) + Security Researcher at CMU
• Authored a book on Info Sec & Ethical Hacking at the age of 20
• Featured in India's largest newspapers and news channels
• 10 certifications + Trained 15,000+ people in Information Security
• Ex "Team Lead – Core Security & Data Analytics" at TCS
• Interest areas: Container Security, Application Security, System Security etc.
More details about me on www.manideepk.com

Slide 3: What am I up to with Containers?
• Co-author, Contributor for CIS Docker 1.12 & 1.13 benchmarks
• Extensive research at Carnegie Mellon (CMU)
• Presented (/will be presenting) at OWASP AppSecUSA, Container World etc.
• Cloud Security Research Intern @Adobe last Summer
Slide 4: Before we start

Slide 5: What are we doing for the next 30 mins? A.B.C.D…
• Containers in 45 seconds
• Container Pipeline, Risk Areas and our Scope
• Images Security
  - Dockerfile
  - Building
  - Maintaining/Consuming
  - Enterprise zone
• Benchmark to assess security of your Docker Images
• Wrap up

Slide 6: (agenda slide repeated, same as slide 5)

Slide 7: Containers in 45 seconds - Quick "60 second" Intro
Containers?
• Lightweight
• Application centric
• No more "it works on my machine"
• Micro-services
Namespaces: Isolation (PID, User, Network, IPC, Mount, UTS)
Cgroups: Isolates, limits and accounts resource usage (CPU, memory etc.)
BUZZ…! Are containers brand new?
Img Ref: www.docker.com

Slide 8: Container Pipeline, Risk Areas and our Scope
Risk areas shown on the pipeline diagram:
• Client <=> daemon communication
• Communication with public/private registry
• Registry's security
• Host security
• Daemon security
• Containers
• Images
Ref: Modified version of image on www.docker.com

Slide 9: What's next? (agenda recap, same as slide 5)

Slide 10: Life cycle of an "Image"
Dockerfile -> Build -> Image -> Spin -> Container
Maintaining images securely
Slide 11: Security of "Dockerfile"
• Do not write secrets in the Dockerfile (Info Disclosure). Use secret management solutions (Twitter's Vine)
• Create a USER, or else the container will run as root (Privilege escalation)
• Follow version pinning for images, packages (no 'latest') etc. (Caching Issue)
• Remove unnecessary setuid, setgid permissions (Privilege escalation)
• Do not write any kind of update instruction alone in the Dockerfile (Caching)
• Download packages securely using GPG (MITM) and also do not download unnecessary packages (Increased attack surface)
• Use COPY instead of ADD (Increased attack surface)
• Use the HEALTHCHECK instruction (Best practice)
• Use gosu instead of sudo wherever possible
• Try to restrict an image (/container) to one service
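As an added example that is not part of the talk, the small linter below checks a Dockerfile against the rules on this slide (secrets in ENV/ARG, missing non-root USER, unpinned or 'latest' base image, 'apt-get update' on its own, ADD instead of COPY, missing HEALTHCHECK), in the spirit of the benchmark-style assessment the talk advocates. Both sample Dockerfiles are constructed for the example; the linter name and rule wording are mine.

```python
import re
# Constructed sample Dockerfiles: the first breaks the slide's rules, the second follows them.
WEAK_DOCKERFILE = """\
FROM ubuntu:latest
ENV DB_PASSWORD=hunter2
RUN apt-get update
ADD app.tar.gz /app
CMD ["/app/run"]
"""
HARDENED_DOCKERFILE = """\
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
COPY app/ /app/
RUN useradd -r -s /usr/sbin/nologin app
USER app
HEALTHCHECK --interval=30s CMD curl -f http://localhost:8080/health || exit 1
CMD ["/app/run"]
"""
SECRET_RE = re.compile(r"(?i)(password|passwd|secret|api_?key|token)\s*[=:]")

def parse_instructions(text):
    """Join backslash-continued lines and return (INSTRUCTION, arguments) pairs, skipping comments."""
    pairs = []
    for line in text.replace("\\\n", " ").splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            head, _, rest = line.strip().partition(" ")
            pairs.append((head.upper(), rest.strip()))
    return pairs

def lint_dockerfile(text):
    """Return one finding per violated rule; an empty list means the Dockerfile passes all checks."""
    instrs = parse_instructions(text)
    findings = []
    for instr, args in instrs:
        if instr == "FROM":
            ref = args.split()[0].rsplit("/", 1)[-1]  # last path component carries tag or digest
            if ref != "scratch" and "@" not in ref and (":" not in ref or ref.endswith(":latest")):
                findings.append("FROM: pin the base image to a version tag or digest, not 'latest'")
        elif instr in ("ENV", "ARG") and SECRET_RE.search(args):
            findings.append(instr + ": secret-looking value; keep secrets out of the Dockerfile")
        elif instr == "ADD":
            findings.append("ADD: use COPY unless tar extraction or a remote URL is really needed")
        elif instr == "RUN" and re.search(r"apt-get\s+update", args) and not re.search(r"apt-get\s+install", args):
            findings.append("RUN: 'apt-get update' alone gets cached; chain it with install in one RUN")
    users = [a for i, a in instrs if i == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("USER: no non-root USER set, so the container runs as root")
    if not any(i == "HEALTHCHECK" for i, _ in instrs):
        findings.append("HEALTHCHECK: no HEALTHCHECK instruction")
    return findings
```

Running `lint_dockerfile(WEAK_DOCKERFILE)` yields six findings, while the hardened file yields none; the setuid/setgid and GPG rules from the slide need the built image or the package sources and are out of scope for a text-only check.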
Slide 12: Building Images

Slide 13: Maintaining/Consuming Images
• Docker Content Trust
  - Provides authenticity, integrity and freshness guarantees
  - Takes some time to understand & prepare a production setup (worth it!)
• Vulnerability-free Images
  - Tool selection: binary level analysis + hash based
  - Tool recommendation (Meet me!)
• Except for compatibility issues, all images and packages must be up-to-date

Slide 14: Enterprise zone (Personal users ALLOWED!)
• Do not use Docker Hub Images
  - Why?
  - How about Docker Store?
• Maintain your own in-house registries
• Perform image optimization techniques (I did not explore this!)
• Use commercial tools (meet me for recommendations) which provide
  - Image Lockdown
  - RBAC etc.
• Use file monitoring solutions to monitor any malicious changes in image layers
• Have separate patch, vulnerability (and any other) management procedures for container ecosystems (including Images)
• Customize CIS Docker benchmarks as per your requirements and adhere to them
Slide 15: What's next? (agenda recap, same as slide 5)

Slide 16: Benchmark to assess "Images Security"

Slide 17: What's next? (agenda recap, same as slide 5)

Slide 18: So, what did you learn today?

Slide 19: It's not good to keep questions in your mind. Throw them out and I am here to catch.

Slide 20: References
1. CIS Docker Benchmarks - 1.12 and 1.13
2. https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf
3. www.oreilly.com/webops-perf/free/files/docker-security.pdf
4. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
5. http://www.slideshare.net/Docker/docker-security-workshop-slides
6. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231
7. https://docs.docker.com/engine/security/
8. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence

Slide 21: That's it…!
You can collect my V-Card. Reach me on www.manideepk.com for any questions.
