How to Secure Containerized Applications
Presenter: Douglas Coburn
3/9/20
How did we get here?
Progression to the container world

Servers     →  Monolithic        →  Waterfall
VMs         →  N-Tiered Systems  →  Separation
Containers  →  Microservices     →  DevOps (DevSecOps)
For many organizations the shift to containers and microservices requires deconstructing an existing monolithic application: a function is split out into its own container, and a communication layer is added between it and the rest of the application. Usually that layer is some form of HTTP (REST, SOAP, gRPC over HTTP/2, etc.).
Why is this important?

• Introduces new complexity around security concerns:
  • Who is allowed to use the function?
  • How do they authenticate to that function?
  • Are the sanity checks for inputs from the monolithic application included?
  • How is the environment that the function runs in secured?
• Benefits:
  • Ability to update one function/part of the “application”
  • Easier to maintain a smaller code base for a specific microservice
  • App owners can focus on smaller parts of the overall application
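The split-out function with the two checks the list above asks about (who may call it, and whether the monolith's input sanity checks came along), written here as an added example that is not code from the deck. `quote` stands in for the function pulled out of the monolith; the shared bearer token, catalog, SKU format, quantity limit and body-size limit are assumptions for illustration. `handle_request` is kept free of socket code so it can be exercised directly, and `QuoteHandler` is the HTTP adapter the container would actually run.

```python
import hmac
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple

# Assumed: in a real deployment the token is read from a mounted secret or an
# environment variable and rotated; it is a literal here only so the example runs.
API_TOKEN = "example-shared-token"

# Constructed catalog (price in cents) standing in for data the monolith used to
# reach directly; the new service owns it.
CATALOG: Dict[str, int] = {"SKU-1001": 1999, "SKU-2002": 4500}

_SKU_RE = re.compile(r"^SKU-\d{4}$")
MAX_QUANTITY = 100       # assumed business limit carried over from the monolith
MAX_BODY_BYTES = 4096    # assumed; a quote request is tiny


def quote(sku: str, quantity: int) -> int:
    """The function that was split out of the monolith: order total in cents."""
    return CATALOG[sku] * quantity


def _authorized(headers: Dict[str, str]) -> bool:
    """Who is allowed to call this function? Here: holders of the shared token.
    compare_digest keeps the comparison constant-time."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth[len("Bearer "):], API_TOKEN)


def _validate(payload: object) -> Optional[str]:
    """The monolith's input sanity checks, re-applied at the new HTTP boundary.
    Returns an error message, or None when the payload is acceptable."""
    if not isinstance(payload, dict):
        return "body must be a JSON object"
    sku, qty = payload.get("sku"), payload.get("quantity")
    if not isinstance(sku, str) or not _SKU_RE.match(sku):
        return "sku must match SKU-NNNN"
    if sku not in CATALOG:
        return "unknown sku"
    # bool is a subclass of int, so JSON `true` would otherwise pass as quantity 1
    if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= MAX_QUANTITY:
        return "quantity must be an integer between 1 and %d" % MAX_QUANTITY
    return None


def handle_request(headers: Dict[str, str], body: bytes) -> Tuple[int, dict]:
    """Pure request handler: returns (HTTP status, JSON-serialisable response)."""
    if not _authorized(headers):
        return 401, {"error": "unauthorized"}
    if len(body) > MAX_BODY_BYTES:
        return 413, {"error": "body too large"}
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return 400, {"error": "body must be valid JSON"}
    problem = _validate(payload)
    if problem is not None:
        return 400, {"error": problem}
    return 200, {"sku": payload["sku"], "quantity": payload["quantity"],
                 "total_cents": quote(payload["sku"], payload["quantity"])}


class QuoteHandler(BaseHTTPRequestHandler):
    """Thin HTTP adapter so the same handler can be the container's entrypoint."""

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(min(length, MAX_BODY_BYTES + 1))
        headers = {k.title(): v for k, v in self.headers.items()}
        status, resp = handle_request(headers, body)
        data = json.dumps(resp).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), QuoteHandler).serve_forever()
```

The point of `_validate` is that inside the monolith the caller was trusted code, so a string that looks like `SKU-1001; rm -rf /` could never have reached `quote`; once the function sits behind HTTP every check the monolith did implicitly has to be done explicitly at the boundary.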
“The other way you can expose this is if the “insecure API service” is enabled. As the name suggests, this isn’t something you want to expose on an untrusted network. But we’ve seen this happen before, so it’s definitely something you should check.”
https://techbeacon.com/enterprise-it/hackers-guide-kubernetes-security
East/West Traffic

East/West and North/South Traffic
• Because apps are highly distributed, 70-80% of traffic is now east-west traffic in data centers. Traditional monitoring technologies at the edge of data centers monitor what is coming in and going out of the data center, but they do not monitor what is really inside of the data center. Hybrid cloud makes workload protection issues even worse because every app on public cloud still relies on the services that are delivered on on-premises data center infrastructure.
• https://www.cisco.com/c/en/us/solutions/data-center-virtualization/what-is-dc-analytics.html
Detection and Protection at the Ingress

Pros:
• Inspection of consolidated traffic
• Transparent to microservices/app teams
• Simple configuration for adding inspection and detection of North/South traffic
• Protection before traffic hits the application/microservice

Cons:
• If a container is compromised, internal cross traffic (East/West) is not inspected
• Harder to break out data per specific microservice
• Enabled for all microservices behind the ingress, with no per-service choice
Envoy + Istio in a Service Mesh

• Best of both worlds: detection at the ingress and at the service layer
• Monitors East/West and North/South traffic
• Transparent to the app teams: they just deploy, and Istio + Envoy handle the communication
• The app team does not need to modify their code
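What “Istio + Envoy handles the communication” looks like in policy, as an added example rather than configuration taken from the deck: a mesh-wide PeerAuthentication that refuses plaintext East/West traffic, and an AuthorizationPolicy that lets only one caller reach one service. The `shop` namespace, the `quote` and `checkout` workloads and the `/quote` path are assumptions; the API group, kinds and fields are Istio's own.

```yaml
# Added example, not from the deck. Applies to every sidecar in the mesh because
# it lives in the root namespace (istio-system by default).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT            # plaintext pod-to-pod connections are rejected by the sidecar
---
# Assumed workloads: only the checkout service account may POST /quote to the
# quote service. Because an ALLOW policy now selects the workload, any request
# that matches no rule is denied by the callee's Envoy, before the app sees it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: quote-allow
  namespace: shop
spec:
  selector:
    matchLabels:
      app: quote
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/quote"]
```

`principals` are SPIFFE identities taken from the caller's mTLS certificate, which is why the STRICT mode matters: without it a compromised container could spoof a source by talking plaintext. The denials appear in the sidecar's access log, which is the East/West visibility the ingress-only design on the previous slide lacks.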
Compromised Web App can mean Compromised Kubernetes Cluster

• If you gain access to the container environment running the web app, you become trusted: the pod’s credentials and network reach are now the attacker’s
• Some examples of compromised clusters:
  • https://medium.com/handy-tech/analysis-of-a-kubernetes-hack-backdooring-through-kubelet-823be5c3d67c
  • https://github.com/kayrus/kubelet-exploit
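A check for the two anonymous doors this slide and the earlier “insecure API service” quote point at, written here as an added example (not code from the deck or from the linked write-ups). It assumes the upstream defaults: the kube-apiserver insecure port on 8080 (flag `--insecure-port`, removed in Kubernetes 1.20) and the kubelet API on 10250 with anonymous auth left enabled, which is what the linked kubelet exploits rely on. The host is a placeholder, and `classify` is kept separate from the network code so it can be exercised on constructed responses.

```python
import json
import ssl
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple

# (name, port, path, tls) for endpoints that must never answer an anonymous client.
# Ports are the upstream defaults (assumption: the cluster did not move them).
PROBES: List[Tuple[str, int, str, bool]] = [
    ("kube-apiserver insecure port", 8080, "/api", False),
    ("kubelet anonymous API", 10250, "/pods", True),
]


def classify(probe: str, status: Optional[int], body: str) -> str:
    """Turn a raw (status, body) pair into a finding."""
    if status is None:
        return "closed"            # refused, filtered or timed out
    if status in (401, 403):
        return "auth-required"     # the healthy answer for an anonymous client
    if status != 200:
        return "unexpected-%d" % status
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "unexpected-200"
    kind = doc.get("kind") if isinstance(doc, dict) else None
    # An anonymous 200 carrying the real object kind is the "you become trusted"
    # path: /api lists API versions, /pods lists every pod on the node.
    if probe.startswith("kube-apiserver") and kind == "APIVersions":
        return "EXPOSED"
    if probe.startswith("kubelet") and kind == "PodList":
        return "EXPOSED"
    return "unexpected-200"


def fetch(host: str, port: int, path: str, tls: bool,
          timeout: float = 3.0) -> Tuple[Optional[int], str]:
    """GET with no credentials at all; a 200 means anonymous access works."""
    url = "%s://%s:%d%s" % ("https" if tls else "http", host, port, path)
    ctx = None
    if tls:
        # The kubelet serves a self-signed certificate; we test authn, not the cert.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError, ValueError):
        return None, ""


def audit(host: str) -> Dict[str, str]:
    """Run every probe against one node or control-plane address."""
    return {name: classify(name, *fetch(host, port, path, tls))
            for name, port, path, tls in PROBES}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name, verdict in audit(target).items():
        print("%-32s %s" % (name, verdict))
```

Run it from a pod as well as from outside the cluster: the deck's point is that a foothold in the web app's container is exactly the network position from which 10250 on the node is usually reachable.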
An example pipeline

Simple GitHub repo
A configuration file
Drives a CI/CD pipeline
Automated new container
To an updated Deployment
The Container Security Focus

“The app is part of the container also and yet it often seems to be ignored in the container strategy.”
Douglas Coburn – Director of Professional Services, Signal Sciences
DevOps: The speed is scary for security

CI/CD
• Quick development cycle
• Strong security tools and practices needed in the development cycle
• A “silly” mistake can go out fast

Kubernetes
• Easy to deploy to
• Can be automated from the CI/CD pipeline
• Quick to scale out a “bad” push

Containers
• Makes it easier/seamless to go from dev to prod
• Often reliance on third-party images
• Easy to build, easy to push
Exaggerated Python CMDEXE Example
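The slide is an image, so here is an added example in the same spirit, not the presenter's code: a lookup endpoint that pastes a request parameter into a shell line, beside the version that allow-lists the input and never invokes a shell. `echo` stands in for the real tool (ping, dig, and so on) so the example runs anywhere with /bin/sh; the hostname pattern is an assumption.

```python
import re
import subprocess

# Hostname allow-list (assumption): labels of letters, digits and hyphens joined by
# dots, no leading hyphen so the value can never be read as a flag by the tool.
_HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def lookup_vulnerable(host: str) -> str:
    """Deliberately vulnerable: the request parameter is pasted into a shell line,
    so "x; echo INJECTED" becomes two commands."""
    cmd = "echo resolving %s" % host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_hardened(host: str) -> str:
    """Validate against the allow-list, then pass argv as a list: no shell ever
    parses the user's bytes, so there is nothing to inject into."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    done = subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True, check=True)
    return done.stdout


def rejects(host: str) -> bool:
    """True when the hardened version refuses the input."""
    try:
        lookup_hardened(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "localhost; echo INJECTED"
    print("vulnerable:", repr(lookup_vulnerable(payload)))   # second command ran
    print("hardened rejects payload:", rejects(payload))
    print("hardened:", repr(lookup_hardened("example.com")))
```

Both fixes matter on their own: the argv list removes the shell, and the allow-list removes argument injection (a value starting with `-`) that the argv list alone would still pass to the tool. In a container this matters more, not less: the shell that `shell=True` hands the attacker runs with the pod's service account and network position.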
Over-the-top example… but it highlights the need

The Why
• Web applications in containers are still vulnerable even if the “container profile” is secured
• Compromising the web application can still allow unauthorized access and information gathering (East/West traffic)
• Compromised container can mean compromised cluster

Where to Implement
• At the application layer
• As a separate layer 7 (WAF) service
• At the ingress layer

Best Practices to Secure Containerized Apps with Next-Gen WAF
