BSides SF talk on Docker Images Security - Feb 13, 2017
TCS Confidential
Manideep Konakandla
Carnegie Mellon University
@Bsides SF – Feb 13, 2017
How secure are your Docker Images?
Who am I? Hmm, yeah - Shameless Bragging
• J.N Tata Scholar, ISC2 Scholar, RSA Conference Security Scholar etc.
• Masters Student (Graduating in May’17) + Security Researcher at CMU
• Authored a book on Info Sec & Ethical Hacking at the age of 20
• Featured in INDIA’s largest newspapers and news channels
• 10 certifications + Trained 15,000+ people in Information Security
• Ex “Team Lead – Core Security & Data Analytics” at TCS
• Interest areas: Container Security, Application Security, System Security etc.
More details about me on www.manideepk.com
What am I up to with Containers?
• Co-author, Contributor for CIS Docker 1.12 & 1.13 benchmarks
• Extensive research at Carnegie Mellon (CMU)
• Presented (/will be presenting) at OWASP AppsecUSA, Container World etc.
• Cloud Security Research Intern @Adobe last Summer
Before we start
What are we doing for the next 30 mins?
• A.B.C.D….
  - Containers in 45 seconds
  - Container Pipeline, Risk Areas and our Scope
• Images Security
  - Dockerfile
  - Building
  - Maintaining/Consuming
  - Enterprise zone
• Benchmark to assess security of your Docker Images
• Wrap up
Containers in 45 seconds
Quick “60 second” Intro
Containers?
• Lightweight
• Application centric
• No more - “it works on my machine”
• Micro-services
Namespaces: Isolation (PID, User, Network, IPC, Mount, UTS)
Cgroups: Isolates, limits and accounts for resource usage (CPU, memory etc.)
BUZZ……….!
Are containers brand new?
Img Ref: www.docker.com
Container Pipeline, Risk Areas and our Scope
Risk areas labelled in the pipeline diagram:
• Client <=> daemon communication
• Communication with public/private registry
• Registry’s security
• Host security
• Daemon security
• Containers
• Images
Ref: Modified version of image on www.docker.com
Life cycle of an “Image”
Dockerfile --(Build)--> Image --(Spin)--> Container
Maintaining images securely
Security of “Dockerfile”
• Do not write secrets in the Dockerfile (Info Disclosure). Use secret management solutions (Twitter’s Vine)
• Create a USER, or else the container will run as root (Privilege escalation)
• Follow version pinning for images, packages (no ‘latest’) etc. (Caching Issue)
• Remove unnecessary setuid, setgid permissions (Privilege escalation)
• Do not write any kind of update instruction alone in the Dockerfile (Caching)
• Download packages securely using GPG (MITM) and also do not download unnecessary packages (Increased attack surface)
• Use COPY instead of ADD (Increased attack surface)
• Use the HEALTHCHECK instruction (Best practice)
• Use gosu instead of sudo wherever possible
• Try to restrict an image (/container) to one service
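The checks on this slide can be run mechanically before an image is built. The following linter is an added example, not code from the talk: it parses a Dockerfile and flags credentials in ENV/ARG, a missing or root USER, unpinned or ':latest' base images, ADD where COPY would do, a bare 'apt-get update' layer, sudo in RUN, and a missing HEALTHCHECK. The credential name list and both sample Dockerfiles are constructed for illustration.

```python
"""Static checks for a Dockerfile against the slide's points (added example)."""
import re

# Variable names that usually carry credentials (assumed list, extend as needed).
SECRET_KEYS = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
# ADD is only justified for remote URLs or archives that it auto-extracts.
ADD_JUSTIFIED = re.compile(r"^(https?://|\S+\.(tar|tgz|gz|bz2|xz)(\s|$))")


def parse_instructions(text):
    """Join backslash-continued lines and return (INSTRUCTION, argument) pairs."""
    joined = re.sub(r"\\\r?\n", " ", text)
    out = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return out


def check_from(arg):
    """Version-pinning check for one FROM line; returns a finding or None."""
    tokens = [t for t in arg.split() if not t.startswith("--")]  # drop --platform=...
    image = tokens[0]                      # ignore a trailing 'AS stage'
    if image.lower() == "scratch":
        return None
    ref = image.rsplit("/", 1)[-1]         # strip registry[:port]/namespace
    if ":" not in ref and "@" not in ref:
        return ("pin-version", f"FROM {image} has no tag or digest")
    if ref.endswith(":latest"):
        return ("pin-version", f"FROM {image} uses the mutable 'latest' tag")
    return None


def check_dockerfile(text):
    """Return a list of (rule, detail) findings; an empty list means clean."""
    findings = []
    instr = parse_instructions(text)
    users = []
    for ins, arg in instr:
        if ins == "FROM":
            finding = check_from(arg)
            if finding:
                findings.append(finding)
        elif ins in ("ENV", "ARG") and SECRET_KEYS.search(arg):
            name = re.split(r"[=\s]", arg, maxsplit=1)[0]
            findings.append(("secret-in-dockerfile", f"{ins} {name} looks like a credential"))
        elif ins == "ADD" and not ADD_JUSTIFIED.match(arg):
            findings.append(("prefer-copy", f"ADD {arg} could be COPY"))
        elif ins == "RUN":
            if re.search(r"apt-get\s+update", arg) and not re.search(r"apt-get\s+install", arg):
                findings.append(("update-alone", "RUN apt-get update in its own layer is cached and goes stale"))
            if re.search(r"\bsudo\b", arg):
                findings.append(("prefer-gosu", "sudo inside RUN; prefer gosu or a USER instruction"))
        elif ins == "USER":
            users.append(arg.split(":")[0])
    if not users:
        findings.append(("missing-user", "no USER instruction; the container runs as root"))
    elif users[-1] in ("root", "0"):
        findings.append(("runs-as-root", f"final USER is {users[-1]}"))
    if not any(ins == "HEALTHCHECK" for ins, _ in instr):
        findings.append(("missing-healthcheck", "no HEALTHCHECK instruction"))
    return findings


# Constructed sample: violates most of the rules above.
SAMPLE_BAD = """\
FROM ubuntu:latest
ENV DB_PASSWORD=hunter2
RUN apt-get update
RUN apt-get install -y curl
ADD app.py /app/app.py
CMD ["python3", "/app/app.py"]
"""

# Constructed sample: the same service written the way the slide suggests
# (a digest pin would be stricter still than the tag used here).
SAMPLE_GOOD = """\
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
COPY app.py /app/app.py
RUN useradd -r -s /sbin/nologin app
USER app
HEALTHCHECK CMD curl -f http://localhost:8080/ || exit 1
CMD ["python3", "/app/app.py"]
"""

if __name__ == "__main__":
    for label, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, check_dockerfile(text) or "clean")
```

Run it as a pre-commit or CI step on each Dockerfile and fail the build on any finding; GPG verification of downloads and setuid/setgid cleanup are not detectable from the Dockerfile text alone and still need a scan of the built image.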
Building Images
Maintaining/Consuming Images
• Docker Content Trust
  - Provides authenticity, integrity and freshness guarantees
  - Takes some time to understand & prepare a production setup (worth it!)
• Vulnerability-free Images
  - Tool selection: binary level analysis + hash based
  - Tool recommendation (Meet me!)
• Except for compatibility issues, all images and packages must be up-to-date
Enterprise zone (Personal users ALLOWED!)
• Do not use Docker Hub Images
  - Why?
  - How about Docker Store?
• Maintain your own in-house registries
• Perform image optimization techniques (I did not explore this!)
• Use commercial tools (meet me for recommendations) which provide
  - Image Lockdown
  - RBAC etc.
• Use file monitoring solutions to monitor any malicious changes in image layers
• Have separate patch, vulnerability (and any other) management procedures for container ecosystems (including Images)
• Customize the CIS Docker benchmarks as per your requirements and adhere to them
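The "monitor malicious changes in image layers" point above is, at its core, a hash baseline plus a diff. The following is an added example, not code from the talk or from any product it mentions: it records SHA-256 digests of every regular file in an unpacked layer (or a filesystem exported with 'docker export'), reports what was added, removed or modified since the baseline, and flags changes under system paths. The watched-prefix list and both layer contents are constructed; build_baseline_from_dir() does the same walk over a real directory.

```python
"""Hash-based change detection for image layer contents (added example)."""
import hashlib
import os
import stat

# Paths where an unexpected change is most likely to matter (assumed list).
WATCHED_PREFIXES = ("etc/", "bin/", "sbin/", "usr/bin/", "usr/sbin/",
                    "usr/local/bin/", "lib/", "usr/lib/")


def build_baseline(files):
    """files: {relative path: bytes} -> {relative path: sha256 hex digest}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def build_baseline_from_dir(root):
    """Same as build_baseline(), but walking a real unpacked layer directory.

    Symlinks and special files are skipped. Whiteout entries in a layer tar
    (.wh.<name>) extract as regular files, so they show up as additions.
    """
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if not stat.S_ISREG(os.lstat(full).st_mode):
                continue
            with open(full, "rb") as fh:
                baseline[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def compare(baseline, current):
    """Return sorted lists of added, removed and modified paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def flag_sensitive(report):
    """Changed paths (of any kind) that sit under a watched system prefix."""
    changed = report["added"] + report["removed"] + report["modified"]
    return sorted(p for p in changed if p.startswith(WATCHED_PREFIXES))


# Constructed layer contents: the baseline taken right after the trusted build.
BASELINE_FILES = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\napp:x:1000:1000::/app:/sbin/nologin\n",
    "usr/bin/curl": b"\x7fELF-constructed-placeholder-binary",
    "app/app.py": b"print('hello')\n",
}

# Constructed layer contents as re-scanned later: the app account now has
# uid 0 and an unexpected script appeared on the PATH.
TAMPERED_FILES = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\napp:x:0:0::/app:/bin/bash\n",
    "usr/bin/curl": b"\x7fELF-constructed-placeholder-binary",
    "app/app.py": b"print('hello')\n",
    "usr/local/bin/.cache-helper": b"#!/bin/sh\n# constructed: unexpected new executable\n",
}

if __name__ == "__main__":
    report = compare(build_baseline(BASELINE_FILES), build_baseline(TAMPERED_FILES))
    print(report)
    print("review:", flag_sensitive(report))
```

Store the baseline outside the image (for example next to the signed manifest) so that whoever can alter a layer cannot also rewrite the record it is checked against.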
Benchmark to assess “Images Security”
So, what did you learn today?
It’s not good to keep questions in your mind
Throw them out and I am here to catch
References
1. CIS Docker Benchmarks - 1.12 and 1.13
2. https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf
3. www.oreilly.com/webops-perf/free/files/docker-security.pdf
4. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
5. http://www.slideshare.net/Docker/docker-security-workshop-slides
6. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231
7. https://docs.docker.com/engine/security/
8. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence
That’s it…!
You can collect my V-Card
Reach me on www.manideepk.com for any questions
