SlideShare a Scribd company logo
1 of 21
Download to read offline
1TCS Confidential
Manideep Konakandla
Carnegie Mellon University
@Bsides SF – Feb 13, 2017
How secure are your Docker Images?
2
Who am I? Hmm, yeah - Shameless Bragging
• J.N Tata Scholar, ISC2 Scholar, RSA Conference Security Scholar etc.
• Masters Student (Graduating in May’17) + Security Researcher at CMU
• Authored a book on Info Sec & Ethical Hacking at the age of 20
• Featured in INDIA’s largest news papers and news channels
• 10 certifications + Trained 15,000+ people in Information Security
• Ex “Team Lead – Core Security & Data Analytics” at TCS
• Interest areas : Container Security, Application Security, System Security etc.
More details about me on www.manideepk.com
3
What am I up to with Containers?
• Co-author, Contributor for CIS Docker 1.12 & 1.13 benchmarks
• Extensive research at Carnegie Mellon (CMU)
• Presented (/will be presenting) at OWASP AppsecUSA, Container World etc.
• Cloud Security Research Intern @Adobe last Summer
4
Before we start
5
What are we doing for next 30 mins?
 A.B.C.D….
• Containers in 45 seconds
• Container Pipeline, Risk Areas and our Scope
 Images Security
• Dockerfile
• Building
• Maintaining/Consuming
• Enterprise zone
 Benchmark to assess security of your Docker Images
 Wrap up
6
What are we doing for next 30 mins?
 A.B.C.D….
• Containers in 45 seconds
• Container Pipeline, Risk Areas and our Scope
 Images Security
• Dockerfile
• Building
• Maintaining/Consuming
• Enterprise zone
 Benchmark to assess security of your Docker Images
 Wrap up
7
Quick “60 second” Intro
Containers?
 Lightweight
 Application centric
 No more - “it works on my machine”
 Micro-services
Namespaces : Isolation (PID, User, Network, IPC,
Mount, UTS)
Cgroups : Isolates, limits and accounts resource
usage (CPU, memory etc.)
BUZZ……….!
Are containers
brand new?
Img Ref: www.docker.com
Containers in 45 seconds
8
Client <=> daemon
communication
Communication with public/private registry
Registry’s security
Host security Daemon security
Containers Images
Container Pipeline, Risk Areas and our Scope
Ref: Modified version of image on www.docker.com
9
What’s next?
 A.B.C.D….
• Containers in 45 seconds
• Container Pipeline, Risk Areas and our Scope
 Images Security
• Dockerfile
• Building
• Maintaining/Consuming
• Enterprise zone
 Benchmark to assess security of your Docker Images
 Wrap up
10
Life cycle of an “Image”
Build Spin
Dockerfile Image Container
Maintaining images securely
11
Security of “Dockerfile”
• Do not write secrets in Dockerfile (Info Disclosure). Use secret management
solutions (Twitter’s Vine)
• Create a USER or else container will run as a root (Privilege escalation)
• Follow version pinning for images, packages (no ‘latest’) etc. (Caching Issue)
• Remove unnecessary setuid, setgid permissions (Privilege escalation)
• Do not write any kind of update instructions alone in the Dockerfile (Caching)
• Download packages securely using GPG (MITM) and also do not download
unnecessary packages (Increased attack surface)
• Use COPY instead of ADD (Increased attack surface)
• Use HEALTHCHECK command (Best practice)
• Use gosu instead of sudo wherever possible
• Try to restrict a image (/container) to one service
12
Building Images
13
Maintaining/ Consuming Images
• Docker Content Trust
- Provides authenticity, integrity and freshness guarantees
- Takes some time to understand & prepare production setup (worth it!)
• Vulnerability–free Images
- Tool selection : binary level analysis + hash based
- Tool recommendation (Meet me!)
• Except compatibility issues, all images and packages must be up-to-date
14
Enterprise zone (Personal users ALLOWED!)
• Do not use Docker hub Images
- Why?
- How about Docker Store?
• Maintain your own in-house registries
• Perform image optimization techniques (I did not explore into this!)
• Use commercial tools (meet me for recommendations) which provide
- Image Lockdown
- RBAC etc.
• Use file monitoring solutions to monitor any malicious changes in image layers
• Have separate patch, vulnerability (any other) management procedures for
container ecosystems (including Images)
• Customize CIS Docker benchmarks as per your requirements and adhere to it
15
What’s next?
 A.B.C.D….
• Containers in 45 seconds
• Container Pipeline, Risk Areas and our Scope
 Images Security
• Dockerfile
• Building
• Maintaining/Consuming
• Enterprise zone
 Benchmark to assess security of your Docker Images
 Wrap up
16
Benchmark to assess “Images Security”
17
What’s next?
 A.B.C.D….
• Containers in 45 seconds
• Container Pipeline, Risk Areas and our Scope
 Images Security
• Dockerfile
• Building
• Maintaining/Consuming
• Enterprise zone
 Benchmark to assess security of your Docker Images
 Wrap up
18
So, what did you learn today?
19
It’s not good to keep questions in your mind
Throw them out and I am here to catch 
20
References
1. CIS Docker Benchmarks - 1.12 and 1.13
2. https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf
3. www.oreilly.com/webops-perf/free/files/docker-security.pdf
4. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
5. http://www.slideshare.net/Docker/docker-security-workshop-slides
6. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231
7. https://docs.docker.com/engine/security/
8. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence
21TCS Confidential
That’s it…!
You can collect my V-Card
Reach me on www.manideepk.com for any questions

More Related Content

What's hot

A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersJohn Kinsella
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers SecurityStephane Woillez
 
V brownbag sept-14-2016
V brownbag sept-14-2016V brownbag sept-14-2016
V brownbag sept-14-2016Anthony Chow
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure SecurityRicky Sanders
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningStephane Woillez
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
Equifax cyber attack contained by containers
Equifax cyber attack contained by containersEquifax cyber attack contained by containers
Equifax cyber attack contained by containersAqua Security
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Advanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and ScalabilityAdvanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and ScalabilityAll Things Open
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 ||  Detecting Compromise on Windows Endpoints with Osquery  BlueHat v17 ||  Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
CDI and Seam 3: an Exciting New Landscape for Java EE Development
CDI and Seam 3: an Exciting New Landscape for Java EE DevelopmentCDI and Seam 3: an Exciting New Landscape for Java EE Development
CDI and Seam 3: an Exciting New Landscape for Java EE DevelopmentSaltmarch Media
 
Security, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an OverviewSecurity, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an OverviewKaiwan Billimoria
 
Hardcore container debugging v3
Hardcore container debugging v3Hardcore container debugging v3
Hardcore container debugging v3Nitu Parimi
 
Container security Familiar problems in new technology
Container security Familiar problems in new technologyContainer security Familiar problems in new technology
Container security Familiar problems in new technologyFrank Victory
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat Security Conference
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat Security Conference
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of  Testing)VxWorks - Holistic Security (Art of  Testing)
VxWorks - Holistic Security (Art of Testing)Aditya K Sood
 

What's hot (20)

Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability Scanners
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
 
V brownbag sept-14-2016
V brownbag sept-14-2016V brownbag sept-14-2016
V brownbag sept-14-2016
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure Security
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment Planning
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
 
Equifax cyber attack contained by containers
Equifax cyber attack contained by containersEquifax cyber attack contained by containers
Equifax cyber attack contained by containers
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
 
Advanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and ScalabilityAdvanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and Scalability
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 ||  Detecting Compromise on Windows Endpoints with Osquery  BlueHat v17 ||  Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
 
CDI and Seam 3: an Exciting New Landscape for Java EE Development
CDI and Seam 3: an Exciting New Landscape for Java EE DevelopmentCDI and Seam 3: an Exciting New Landscape for Java EE Development
CDI and Seam 3: an Exciting New Landscape for Java EE Development
 
Security, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an OverviewSecurity, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an Overview
 
Hardcore container debugging v3
Hardcore container debugging v3Hardcore container debugging v3
Hardcore container debugging v3
 
Container security Familiar problems in new technology
Container security Familiar problems in new technologyContainer security Familiar problems in new technology
Container security Familiar problems in new technology
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
 
Finalpresentation
FinalpresentationFinalpresentation
Finalpresentation
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of  Testing)VxWorks - Holistic Security (Art of  Testing)
VxWorks - Holistic Security (Art of Testing)
 

Viewers also liked

RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker imagesRootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker imagesDaniel Garcia (a.k.a cr0hn)
 
Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...
Introduction to containers  running dockers using kubernetes - הרצאה לכנס מיק...Introduction to containers  running dockers using kubernetes - הרצאה לכנס מיק...
Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...Zohar Stolar
 
Dockerfile at Guidewire
Dockerfile at GuidewireDockerfile at Guidewire
Dockerfile at GuidewireDocker, Inc.
 
'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen Day'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen DayDocker, Inc.
 
Infinit: Modern Storage Platform for Container Environments
Infinit: Modern Storage Platform for Container EnvironmentsInfinit: Modern Storage Platform for Container Environments
Infinit: Modern Storage Platform for Container EnvironmentsDocker, Inc.
 
Online Meetup: What's new in docker 1.13.0
Online Meetup: What's new in docker 1.13.0 Online Meetup: What's new in docker 1.13.0
Online Meetup: What's new in docker 1.13.0 Docker, Inc.
 
Containerd - core container runtime component
Containerd - core container runtime component Containerd - core container runtime component
Containerd - core container runtime component Docker, Inc.
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
containerd summit - Deep Dive into containerd
containerd summit - Deep Dive into containerdcontainerd summit - Deep Dive into containerd
containerd summit - Deep Dive into containerdDocker, Inc.
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker, Inc.
 
containerd and CRI
containerd and CRIcontainerd and CRI
containerd and CRIDocker, Inc.
 
Driving containerd operations with gRPC
Driving containerd operations with gRPCDriving containerd operations with gRPC
Driving containerd operations with gRPCDocker, Inc.
 
Docker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EEDocker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EEDocker, Inc.
 

Viewers also liked (13)

RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker imagesRootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
 
Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...
Introduction to containers  running dockers using kubernetes - הרצאה לכנס מיק...Introduction to containers  running dockers using kubernetes - הרצאה לכנס מיק...
Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...
 
Dockerfile at Guidewire
Dockerfile at GuidewireDockerfile at Guidewire
Dockerfile at Guidewire
 
'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen Day'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen Day
 
Infinit: Modern Storage Platform for Container Environments
Infinit: Modern Storage Platform for Container EnvironmentsInfinit: Modern Storage Platform for Container Environments
Infinit: Modern Storage Platform for Container Environments
 
Online Meetup: What's new in docker 1.13.0
Online Meetup: What's new in docker 1.13.0 Online Meetup: What's new in docker 1.13.0
Online Meetup: What's new in docker 1.13.0
 
Containerd - core container runtime component
Containerd - core container runtime component Containerd - core container runtime component
Containerd - core container runtime component
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
containerd summit - Deep Dive into containerd
containerd summit - Deep Dive into containerdcontainerd summit - Deep Dive into containerd
containerd summit - Deep Dive into containerd
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016
 
containerd and CRI
containerd and CRIcontainerd and CRI
containerd and CRI
 
Driving containerd operations with gRPC
Driving containerd operations with gRPCDriving containerd operations with gRPC
Driving containerd operations with gRPC
 
Docker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EEDocker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EE
 

Similar to BSides SF talk on Docker Images Security - Feb 13, 2017

Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
 
(DVO311) Containers, Red Hat & AWS For Extreme IT Agility
(DVO311) Containers, Red Hat & AWS For Extreme IT Agility(DVO311) Containers, Red Hat & AWS For Extreme IT Agility
(DVO311) Containers, Red Hat & AWS For Extreme IT AgilityAmazon Web Services
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container SecurityKsenia Peguero
 
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...NETWAYS
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container SecurityKsenia Peguero
 
Lessons Learned Running Hadoop and Spark in Docker Containers
Lessons Learned Running Hadoop and Spark in Docker ContainersLessons Learned Running Hadoop and Spark in Docker Containers
Lessons Learned Running Hadoop and Spark in Docker ContainersBlueData, Inc.
 
Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDr Ganesh Iyer
 
Managing WorkSpaces at Scale | AWS Public Sector Summit 2016
Managing WorkSpaces at Scale | AWS Public Sector Summit 2016Managing WorkSpaces at Scale | AWS Public Sector Summit 2016
Managing WorkSpaces at Scale | AWS Public Sector Summit 2016Amazon Web Services
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiatedKevin Lee
 
Docker for developers - The big picture
Docker for developers - The big pictureDocker for developers - The big picture
Docker for developers - The big pictureGeorge Dyrrahitis
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon
 
Docker container security
Docker container securityDocker container security
Docker container securityThoughtworks
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon
 
From Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple StepsFrom Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple StepsDevOps.com
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...WhiteSource
 
Securing the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersSecuring the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersMassimiliano Mattetti
 
Lessons Learned from Dockerizing Spark Workloads: Spark Summit East talk by T...
Lessons Learned from Dockerizing Spark Workloads: Spark Summit East talk by T...Lessons Learned from Dockerizing Spark Workloads: Spark Summit East talk by T...
Lessons Learned from Dockerizing Spark Workloads: Spark Summit East talk by T...Spark Summit
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...PranavPatil822557
 

Similar to BSides SF talk on Docker Images Security - Feb 13, 2017 (20)

Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
 
(DVO311) Containers, Red Hat & AWS For Extreme IT Agility
(DVO311) Containers, Red Hat & AWS For Extreme IT Agility(DVO311) Containers, Red Hat & AWS For Extreme IT Agility
(DVO311) Containers, Red Hat & AWS For Extreme IT Agility
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 
Lessons Learned Running Hadoop and Spark in Docker Containers
Lessons Learned Running Hadoop and Spark in Docker ContainersLessons Learned Running Hadoop and Spark in Docker Containers
Lessons Learned Running Hadoop and Spark in Docker Containers
 
Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data Scientists
 
Managing WorkSpaces at Scale | AWS Public Sector Summit 2016
Managing WorkSpaces at Scale | AWS Public Sector Summit 2016Managing WorkSpaces at Scale | AWS Public Sector Summit 2016
Managing WorkSpaces at Scale | AWS Public Sector Summit 2016
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiated
 
Docker for developers - The big picture
Docker for developers - The big pictureDocker for developers - The big picture
Docker for developers - The big picture
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim Mackey
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
 
Docker container security
Docker container securityDocker container security
Docker container security
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
 
From Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple StepsFrom Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple Steps
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
 
Securing the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersSecuring the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux Containers
 
Lessons Learned from Dockerizing Spark Workloads: Spark Summit East talk by T...
Lessons Learned from Dockerizing Spark Workloads: Spark Summit East talk by T...Lessons Learned from Dockerizing Spark Workloads: Spark Summit East talk by T...
Lessons Learned from Dockerizing Spark Workloads: Spark Summit East talk by T...
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
 

Recently uploaded

Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 

Recently uploaded (20)

Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 

BSides SF talk on Docker Images Security - Feb 13, 2017

  • 1. 1TCS Confidential Manideep Konakandla Carnegie Mellon University @Bsides SF – Feb 13, 2017 How secure are your Docker Images?
  • 2. 2 Who am I? Hmm, yeah - Shameless Bragging • J.N Tata Scholar, ISC2 Scholar, RSA Conference Security Scholar etc. • Masters Student (Graduating in May’17) + Security Researcher at CMU • Authored a book on Info Sec & Ethical Hacking at the age of 20 • Featured in INDIA’s largest news papers and news channels • 10 certifications + Trained 15,000+ people in Information Security • Ex “Team Lead – Core Security & Data Analytics” at TCS • Interest areas : Container Security, Application Security, System Security etc. More details about me on www.manideepk.com
  • 3. 3 What am I up to with Containers? • Co-author, Contributor for CIS Docker 1.12 & 1.13 benchmarks • Extensive research at Carnegie Mellon (CMU) • Presented (/will be presenting) at OWASP AppsecUSA, Container World etc. • Cloud Security Research Intern @Adobe last Summer
  • 5. 5 What are we doing for next 30 mins?  A.B.C.D…. • Containers in 45 seconds • Container Pipeline, Risk Areas and our Scope  Images Security • Dockerfile • Building • Maintaining/Consuming • Enterprise zone  Benchmark to assess security of your Docker Images  Wrap up
  • 6. 6 What are we doing for next 30 mins?  A.B.C.D…. • Containers in 45 seconds • Container Pipeline, Risk Areas and our Scope  Images Security • Dockerfile • Building • Maintaining/Consuming • Enterprise zone  Benchmark to assess security of your Docker Images  Wrap up
  • 7. 7 Quick “60 second” Intro Containers?  Lightweight  Application centric  No more - “it works on my machine”  Micro-services Namespaces : Isolation (PID, User, Network, IPC, Mount, UTS) Cgroups : Isolates, limits and accounts resource usage (CPU, memory etc.) BUZZ……….! Are containers brand new? Img Ref: www.docker.com Containers in 45 seconds
  • 8. 8 Client <=> daemon communication Communication with public/private registry Registry’s security Host security Daemon security Containers Images Container Pipeline, Risk Areas and our Scope Ref: Modified version of image on www.docker.com
  • 9. 9 What’s next?  A.B.C.D…. • Containers in 45 seconds • Container Pipeline, Risk Areas and our Scope  Images Security • Dockerfile • Building • Maintaining/Consuming • Enterprise zone  Benchmark to assess security of your Docker Images  Wrap up
  • 10. 10 Life cycle of an “Image” Build Spin Dockerfile Image Container Maintaining images securely
  • 11. 11 Security of “Dockerfile” • Do not write secrets in Dockerfile (Info Disclosure). Use secret management solutions (Twitter’s Vine) • Create a USER or else container will run as a root (Privilege escalation) • Follow version pinning for images, packages (no ‘latest’) etc. (Caching Issue) • Remove unnecessary setuid, setgid permissions (Privilege escalation) • Do not write any kind of update instructions alone in the Dockerfile (Caching) • Download packages securely using GPG (MITM) and also do not download unnecessary packages (Increased attack surface) • Use COPY instead of ADD (Increased attack surface) • Use HEALTHCHECK command (Best practice) • Use gosu instead of sudo wherever possible • Try to restrict a image (/container) to one service
  • 13. 13 Maintaining/ Consuming Images • Docker Content Trust - Provides authenticity, integrity and freshness guarantees - Takes some time to understand & prepare production setup (worth it!) • Vulnerability–free Images - Tool selection : binary level analysis + hash based - Tool recommendation (Meet me!) • Except compatibility issues, all images and packages must be up-to-date
  • 14. 14 Enterprise zone (Personal users ALLOWED!) • Do not use Docker hub Images - Why? - How about Docker Store? • Maintain your own in-house registries • Perform image optimization techniques (I did not explore into this!) • Use commercial tools (meet me for recommendations) which provide - Image Lockdown - RBAC etc. • Use file monitoring solutions to monitor any malicious changes in image layers • Have separate patch, vulnerability (any other) management procedures for container ecosystems (including Images) • Customize CIS Docker benchmarks as per your requirements and adhere to it
  • 15. 15 What’s next?  A.B.C.D…. • Containers in 45 seconds • Container Pipeline, Risk Areas and our Scope  Images Security • Dockerfile • Building • Maintaining/Consuming • Enterprise zone  Benchmark to assess security of your Docker Images  Wrap up
  • 16. 16 Benchmark to assess “Images Security”
  • 17. 17 What’s next?  A.B.C.D…. • Containers in 45 seconds • Container Pipeline, Risk Areas and our Scope  Images Security • Dockerfile • Building • Maintaining/Consuming • Enterprise zone  Benchmark to assess security of your Docker Images  Wrap up
  • 18. 18 So, what did you learn today?
  • 19. 19 It’s not good to keep questions in your mind Throw them out and I am here to catch 
  • 20. 20 References 1. CIS Docker Benchmarks - 1.12 and 1.13 2. https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf 3. www.oreilly.com/webops-perf/free/files/docker-security.pdf 4. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf 5. http://www.slideshare.net/Docker/docker-security-workshop-slides 6. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231 7. https://docs.docker.com/engine/security/ 8. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence
  • 21. 21TCS Confidential That’s it…! You can collect my V-Card Reach me on www.manideepk.com for any questions