Building a Secure App with Docker - Ying Li and David Lawrence, Docker

•

2 likes•758 views

Built-in security is one of the most important features in Docker. But to build a secure app, you have to understand how to take advantage of these features. Security begins with the platform, but also requires conscious secure design at all stages of app development. In this session, we'll cover the latest features in Docker security, and how you can leverage them. You'll learn how to add them to your existing development pipeline, as well as how you can and streamline your workflow while making it more secure.

David Lawrence
Sr. Security Engineer
Docker
Ying Li
Security Engineer
Docker
Building a Secure Docker App

“... tech giant Juniper Networks
revealed in a startling announcement
that it had found “unauthorized” code
embedded in an operating system
running on some of its firewalls.”
- wired.com

User Authentication
• Multi-Factor Authentication
• Key Based Authentication
Sign your commits
• Use hardware like Yubikeys
Secure your source

Pin your dependencies
• Include the list with the source
• (golang) vendor.conf, Godeps.json
• (python) requirements.txt
• (ruby) Gemfile
• (node) package.json
Validate your upstreams

Pin your dependencies
• Include the list with the source
• Use checksums
Validate your upstreams
requires == 2.13 --hash=sha256:2cf24dba5fb0a30e26e83…
golang.org/x/crypto 5bcd134fee4dd1475da17714aac19c0a…

Pin your dependencies
• Include the list with the source
• Use checksums
• Use publisher keys when available
Validate your upstreams

Verify everything on ingress
• commit signatures
• dependency checksums
• dependency signatures
• Docker Content Trust (DCT)
signatures of base images
CI is an island

Be minimal, be disciplined
• do build minimal images
• do not embed secret/
sensitive data in images
• do sign built images with
Docker Content Trust (DCT)
CI is ascetic

Find Common Vulnerabilities and Exposures (CVEs)
• stop being reactive, get proactive
• make compliance easier
Get notified about new CVEs
• automate the auditing of existing applications
Docker Security Scanning (DSS)

Docker Trusted Registry (DTR) and Docker Hub/Cloud come with DCT metadata
hosting
• you can start signing now
• provides trust from publisher to consumer
• no need to trust the middleman
Docker Content Trust (DCT)

• use Docker Content Trust to only deploy signed artifacts
• use Docker EE Signing Policies to guarantee applications meet your
acceptance criteria
What are you deploying?

Use the absolute minimum privilege set necessary!
Don’t:
docker run --privileged ...
Do:
docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN ...
Least Privileged Microservices

Defense in Depth
• isolate sensitive workloads to their own nodes
• use docker secrets
Least Privileged Nodes

Mitigate entire classes of compromise
• run read-only containers
• use Docker Editions for <your platform here>
Immutable Infrastructure

1. Secure & sign your source
2. Pin & verify your dependencies
3. Sign your artifacts with Docker Content Trust
4. Leverage Docker Security Scanning
5. Deploy onto immutable infrastructure …
6. … with Least Privilege configurations
In Summary

Thank You!
Questions?
@docker
#dockercon

DevOps in the Real World is far from perfect, and we're all somewhere on the path to one day writing that "Amazing-Hacker-News-Post about your chat-bot fully-automated micro-service infrastructure." But until then, how can you *really* start using containers today, in meaningful ways that impact yours and your customers productivity? This session is designed for practitioners who are looking for ways to get started now with Docker and Swarm in production. No Docker 101 here, this is for helping you be successful on your way to Dockerizing your production systems. Attendees will get tactics, example configs, real working infrastructure designs, and see the (sometimes messy) internals of Docker in production today.

Global Operations with Docker for the Enterprise - Nico Kabar, Docker

Docker, Inc.

Enterprises often have hundreds or even thousands of applications spread across hundreds of development teams, business units and geographies. This presents challenges to IT teams as they architect an environment to run Docker apps on globally distributed hybrid cloud infrastructure, developed by distributed dev teams and consumed by customers around the world. Docker Datacenter provides the technology and framework to implement a global software supply chain. This session will dig into the design considerations, tools and best practices to address this type of environment with Docker Datacenter. And there will be data, demos and tools! Results from various performance tests will be presented in conjunction with recommendations for high-availability configurations, content cache use cases for faster developer workflow and scheduling strategies for improving application resilience.

Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...

Docker, Inc.

What’s New in Docker - Victor Vieux, Docker

Docker, Inc.

Troubleshooting Tips from a Docker Support Engineer

Jeff Anderson

What Have Namespaces Done for you Lately? Liz Rice, Aqua Security

Docker, Inc.

Escape From Your VMs with Image2Docker Jeff Nickoloff, All in Geek Consulting...

Docker, Inc.

Migrating apps out of Virtual Machines is difficult, especially distributed apps with multiple components, and even more so when the components run on different operating systems. But with the Docker platform and the Image2Docker tools - which extract Linux and Windows apps from existing VMs into containers - it's easy. In this session we'll take a PHP front-end application running in a Linux VM, which connects to a .NET Web Service running in a Windows VM, and convert the whole stack to Docker automatically. Then we'll run the app on a hybrid Docker Datacenter cluster, where we can manage the Windows and Linux components from a single pane of glass.

Back to the Future: Containerize Legacy Applications - Rob Tanner, Northern T...

Docker, Inc.

People typically think of Docker for microservices and try to make the smallest container they can. There are tremendous benefits to a microservices model but those are not the only apps that qualify for containers. Traditional, homegrown, monolithic apps are also great candidates for Docker - why? By containerizing these apps, many of the same agility, portability, security and cost savings benefits can be applied to the hundreds (if not thousands) of apps in your datacenters. But where to begin? Attend this session to learn how to approach modernizing traditional apps (MTA), considerations, the available tools and possibilities.

So you are looking to adopt docker, but receive feedback and commentary such as "our development pipeline won't support containers" or "the applications aren't micro services, so I don't see a benefit." You are not alone, these and other statements are common misconceptions when considering using docker in the enterprise. Perhaps having a real enterprise use case with some tips on objection handling would support your goal of adopting docker in your organization? In this presentation, Chris Ciborowski, CEO and Principal Consultant at Nebulaworks and Docker Captain will discuss ways that you can leverage docker in existing enterprise environments providing tangible benefits to both developers and operations teams and accelerate DevOps adoption. He will also provide a few insider tips on objection handling learned while working on enterprise container adoption in enterprise clients.

DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP

Thomas Graf

This talk will start with a deep dive and hands on examples of BPF, possibly the most promising low level technology to address challenges in application and network security, tracing, and visibility. We will discuss how BPF evolved from a simple bytecode language to filter raw sockets for tcpdump to the a JITable virtual machine capable of universally extending and instrumenting both the Linux kernel and user space applications. The introduction is followed by a concrete example of how the Cilium open source project applies BPF to solve networking, security, and load balancing for highly distributed applications. We will discuss and demonstrate how Cilium with the help of BPF can be combined with distributed system orchestration such as Docker to simplify security, operations, and troubleshooting of distributed applications.

DockerCon 2017 - General Session Day 1 - Solomon Hykes

Docker, Inc.

The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori

Docker, Inc.

True microservices are more than simply bolting a REST interface on your legacy application, packing it in a Docker container and hoping for the best. Security is a key component when designing and building out any new architecture, and it must be considered from top to bottom. Umpa Lumpas might not be considered "real" microservices, but Willy Wonka still has them locked down tight! In this talk, Aaron will briefly touch on the idea and security benefits of microservices before diving into practical and real world examples of creating a secure microservices architecture. We'll start with designing and building high security Docker containers, using and examining the latest security features in Docker (such as User Namespaces and seccomp-bpf) as well as examine some typically forgotten security principals. Aaron will end on exploring related challenges and solutions in the areas of network security, secrets management and application hardening. Finally, while this talk is geared towards Microservices, it should prove informational for all Docker users, building a PaaS or otherwise.

How to be successful running Docker in Production

Docker, Inc.

John’s presentation will cover his lessons learned from running Docker in Production @ SalesforceIQ. Learn how to scale your registry using AWS and S3. Should you use Device Mapper or AUFS? Why run Swarm, Mesos, Kubernetes, or neither. Finally, know how persistent storage (Kafka, Cassandra, or SQL) can be run successfully with Docker in Production His team focuses on Docker based solutions to power their SaaS infrastructure and developer operations.

DockerCon SF 2015: Docker Security

Docker, Inc.

DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...

Docker, Inc.

Presentation by Michael Neale, co-founder, CloudBees In this presentation I will show how you can use and abuse namespaces to do things that you might not think were possible in docker. In doing this I will show how you can create a volume bind mount in a running container, and use "super privileged" containers to control other containers on the same machine. There are many uses for this, but at it also demystifies what some of the namespaces in linux are, and how they work (hint: everything is files, its unix!).

Browser Testing with Docker - Craig Huber

Docker, Inc.

Integration tests are an integral part of any modern web application, and regardless of which front-end or server side framework you choose, you'll likely be running Selenium tests. While Selenium tests are easy to write and execute on your local workstation, Works On My Machine™ won't get you past your CI system. Now you're stuck with two bad options, use a SaaS provider and live with slow builds or running your own Selenium Grid and managing a multitude of machines and browser versions. Rock, meet hard place, right? It doesn't have to be that way! In this talk you'll see how easy it is to setup a Selenium Grid with Docker, how easy it is to maintain, and how to extend and grow your Selenium grid to satisfy your team's needs. It's not all roses and sunshine, so you'll see some common issues presented and how to avoid them. Finally, a Selenium Grid you'll want to manage!

Networking Overview for Docker Platform

Aditya Patawari

DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...

Docker, Inc.

Presented by Udo Seidel, Chief Architect and Digital Evangelist, Amadeus In the recent past there were quite some discussions about security in the context of introducing or using Docker. It is true that there are some gaps to be closed but the whole story does not start from square one either. At Amadeus we are using Docker to build our future-oriented services and to introduce devops culture. Due to the nature of our business we have to deal with Security certifications like PCI-DSS, SSAE 16 and ISO 27001. This talks described the challenges we were facing in that context and how we mastered them. The story has technical and non-technical aspects.

DCSF19 CMD and Conquer: Containerizing the Monolith

Docker, Inc.

Tony Lee & Nelson Wang, Splunk Modern microservice-oriented software architectures evangelize the principles of infrastructure-as-code and declarative directives to manage and run applications. At Splunk, we wanted to marry these ideals with the majestic monolith, Splunk Enterprise, to simplify the use of our product through containerization. Without rearchitecting the entire product from the ground-up, which can be a costly investment, we focused on incorporating a flexible configuration management layer on top of the core application. This has enabled us to make running Splunk in Docker act and behave as a true microservice, greatly reducing the friction of migrating towards more container-native software. We not only concentrated on making our open-source Docker image initiative user-friendly and production-ready, but we also wanted to seamlessly integrate it back into our internal engineering process. Join us for this session as we discuss migrating a traditional application into a microservice ecosystem, developing a containerization strategy for both external customer usage and internal development, as well as learning about our internal container platform at scale.

A Survey of Container Security in 2016: A Security Update on Container Platforms

Salman Baset

The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove

Docker, Inc.

Dockerfiles are great. They provide a zero-barrier-to-entry format for describing a single Docker image which is immediately clear to anyone reading them. But with that simplicity comes problems that become apparent as your adoption of Docker gathers pace. * Dockerfiles can inherit from other docker images, but images are not Dockerfiles * Dockerfile provides no built-in mechanism for creating abstractions, so as usage grows identical or similar instructions can be duplicated across many files * The Docker APi exposes a build endpoint, but the API is very course, taking Dockerfile as the transport rather than exposing the individual instructions * Dockerfiles are just that, files. So they can come from anywhere The one layer per line in a Dockerfile limitation can lead to an explosion of layers, which fail to take advantage of the promised space and performance benefits.

It takes a Village to do the Impossible - Jeff Lindsay

Docker, Inc.

Securing your Containers

Riyaz Faizullabhoy

Secure Substrate: Least Privilege Container Deployment

Docker, Inc.

Riyaz Faizullabhoy - Security Engineer, Docker Diogo Mónica - Security Lead, Docker The popularity of containers has driven the need for distributed systems that can provide a substrate for container deployments. These systems need the ability to provision and manage resources, place workloads, and adapt in the presence of failures. In particular, container orchestrators make it easy for anyone to manage their container workloads using their cloud-based or on-premise infrastructure. Unfortunately, most of these systems have not been architected with security in mind.Compromise of a less-privileged node can allow an attacker to escalate privileges to either gain control of the whole system, or to access resources it shouldn't have access to. In this talk, we will go over how Docker has been working to build secure blocks that allow you to run a least privilege infrastructure - where any participant of the system only has access to the resources that are strictly necessary for its legitimate purpose. No more, no less.

DockerCon EU 2015: The Latest in Docker Engine

Docker, Inc.

DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...

Docker, Inc.

Presented by Gareth Rushgrove, Sr. Software Engineer, Puppet Labs The shipping container metaphor for Docker points to many of the advantages of building and running software using containers. But what about other essential parts of the shipping container ecosystem like the shipping manifest and bill of lading? Many of the most powerful features of traditional package management tools like apt or yum are based on metadata associated with the packages. You can find out who created a package and when, check where a particular file came from, whether the package has a known vulnerability and more. What would this capability look like for Docker containers? This talk will look at the power of metadata for containers, in particular: * Docker provides labels for associating metadata with images and containers but how best to use them?* What problems can be solved by agreeing on standards for container metadata?* Exposing standard commands and endpoints to expose metadata about what is inside a container* Demo some open source toolings and also look at the sort of tools we might build atop those standards and low-level tools.

Docker Bday #5, SF Edition: Introduction to Docker

Docker, Inc.

In celebration of Docker's 5th birthday in March, user groups all around the world hosted birthday events with an introduction to Docker presentation and hands-on-labs. We invited Docker users to recognize where they were on their Docker journey and the goal was to help them take the next step of their journey with the help of mentors. This presentation was done at the beginning of the events (this one is from the San Francisco event in HQ) and gives a run down of the birthday event series, Docker's momentum, a basic explanation of containers, the benefits of using the Docker platform, Docker + Kubernetes and more.

Effective Data Pipelines with Docker & Jenkins - Brian Donaldson

Docker, Inc.

Ever find yourself needing data pipelines to feed a hungry data-driven culture, but not sure where to start, or what features are essential? In this talk, I will demonstrate a baseline data pipeline infrastructure built with Jenkins and Docker EE that checks all the boxes. Data pipelines often exist as that mysterious plumbing buried underground: occasionally inspected, but largely prone to silent failures and the ensuing hot fixes. Join the quest to daylight the infrastructure and benefit!

5 Ways to Secure Your Containers for Docker and Beyond

Black Duck by Synopsys

Presented by Tim Mackey, Senior Technology Evangelist, Black Duck Software on August 17. To use containers safely, you need to be aware of potential security issues and the tools you need for securing container-based systems. Secure production use of containers requires an understanding of how attackers might seek to compromise the container, and what you should be aware of to minimize that potential risk. Tim Mackey, Senior Technical Evangelist at Black Duck Software, provides guidance for developing container security policies and procedures around threats such as: 1. Network security 2. Access control 3. Tamper management and trust 4. Denial of service and SLAs 5. Vulnerabilities Register today to learn about the biggest security challenges you face when deploying containers, and how you can effectively deal with those threats. Watch the webinar on BrightTalk: http://bit.ly/2bpdswg

DockerCon EU 2015 Barcelona

Roman Dembitsky

What's hot

You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...

Docker, Inc.

DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP

Thomas Graf

DockerCon 2017 - General Session Day 1 - Solomon Hykes

Docker, Inc.

The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori

Docker, Inc.

How to be successful running Docker in Production

Docker, Inc.

DockerCon SF 2015: Docker Security

Docker, Inc.

DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...

Docker, Inc.

Browser Testing with Docker - Craig Huber

Docker, Inc.

Networking Overview for Docker Platform

Aditya Patawari

DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...

Docker, Inc.

DCSF19 CMD and Conquer: Containerizing the Monolith

Docker, Inc.

A Survey of Container Security in 2016: A Security Update on Container Platforms

Salman Baset

The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove

Docker, Inc.

It takes a Village to do the Impossible - Jeff Lindsay

Docker, Inc.

Securing your Containers

Riyaz Faizullabhoy

Secure Substrate: Least Privilege Container Deployment

Docker, Inc.

DockerCon EU 2015: The Latest in Docker Engine

Docker, Inc.

DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...

Docker, Inc.

Docker Bday #5, SF Edition: Introduction to Docker

Docker, Inc.

Effective Data Pipelines with Docker & Jenkins - Brian Donaldson

Docker, Inc.

What's hot (20)

You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...

DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP

DockerCon 2017 - General Session Day 1 - Solomon Hykes

The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori

How to be successful running Docker in Production

DockerCon SF 2015: Docker Security

DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...

Browser Testing with Docker - Craig Huber

Networking Overview for Docker Platform

DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...

DCSF19 CMD and Conquer: Containerizing the Monolith

A Survey of Container Security in 2016: A Security Update on Container Platforms

The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove

It takes a Village to do the Impossible - Jeff Lindsay

Securing your Containers

Secure Substrate: Least Privilege Container Deployment

DockerCon EU 2015: The Latest in Docker Engine

DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...

Docker Bday #5, SF Edition: Introduction to Docker

Effective Data Pipelines with Docker & Jenkins - Brian Donaldson

Similar to Building a Secure App with Docker - Ying Li and David Lawrence, Docker

5 Ways to Secure Your Containers for Docker and Beyond

Black Duck by Synopsys

DockerCon EU 2015 Barcelona

Roman Dembitsky

DCEU 18: Docker Container Security

Docker, Inc.

Yuvraj Mehta - Group Product Manager, Docker Steve Richards - Solutions Architect, Docker Creating a Secure Supply Chain for your applications is vitally important for a compliant and smooth-running application development organization. Every organization needs to understand where their container images come from, who has access to them, understand the security risks to weigh ALL options available before deploying . In this session, we will take a closer look at how Docker Enterprise helps developers, DevOps and DevSecOps teams securely Build and Ship applications through the software pipeline. We’ll dive into security features of the platform’s private registry Image Signing which provides authenticity for image sources and Image Scanning which provides insight into any vulnerabilities. We’ll also look at how this can be automated by policy and seamlessly integrated with your software pipeline to provide a succinct audit trail.

Docker Containers Security

Stephane Woillez

Docker Introduction

Peng Xiao

Contain your risk: Deploy secure containers with trust and confidence

Black Duck by Synopsys

Presented on September 22, 2016 by Brent Baude, Principle Software Engineer, Atomic and Docker Development, Red Hat; Randy Kilmon, VP, Engineering, Black Duck Organizations are increasingly turning to container environments to meet the demand for faster, more agile software development. But a 2015 study conducted by Forrester Consulting on behalf of Red Hat revealed that 53% of IT operations and development decision makers at global enterprises reported container security concerns as a barrier to adoption. The challenges of managing security risk increase in scope and complexity when hundreds or even thousands of different open source software components and licenses are part of your application code base. Since 2014, more than 6,000 new open source security vulnerabilities have been reported, making it essential to have good visibility into and control over the open source in use in order to understand if any known vulnerabilities are present. In this webinar, experts from Red Hat and Black Duck will share the latest insights and recommendations for securing the open source in your containers, including protecting them from vulnerabilities like Heartbleed, Shellshock and Venom. You’ll learn: • Why container environments present new application security challenges, including those posed by ever-increasing open source use. • How to scan applications running in containers to identify open source in use and map known open source security vulnerabilities. • Best practices and methodologies for deploying secure containers with trust and confidence.

Kubernetes and container security

Volodymyr Shynkar

Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle. Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image. Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible. During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may cause compromising your system. Contacts: LinkedIn - https://www.linkedin.com/in/vshynkar/ GitHub - https://github.com/sqerison ------------------------------------------------------------------------------------- Materials from the video: The policies and docker files examples: https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90 The repo with the helm chart used in a demo: https://github.com/sqerison/argo-rollouts-demo Tools that showed in the last section: https://github.com/armosec/kubescape https://github.com/aquasecurity/kube-bench https://github.com/controlplaneio/kubectl-kubesec https://github.com/Shopify/kubeaudit#installation https://github.com/eldadru/ksniff Further learning. A book released by CISA (Cybersecurity and Infrastructure Security Agency): https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF O`REILLY Kubernetes Security: https://kubernetes-security.info/ O`REILLY Container Security: https://info.aquasec.com/container-security-book Thanks for watching!

Orchestrating Distributed Apps with Docker

Carl Su

Evénement Docker Paris: Anticipez les nouveaux business model et réduisez vos...

Docker, Inc.

Devoxx 2016 - Docker Nuts and Bolts

Patrick Chanezon

Docker is the developer-friendly container technology that enables creation of your application stack: OS, JVM, app server, app, database and all your custom configuration. So you are a Java developer but how comfortable are you and your team taking Docker from development to production? Are you hearing developers say, “But it works on my machine!” when code breaks in production? And if you are, how many hours are then spent standing up an accurate test environment to research and fix the bug that caused the problem? This workshop/session explains how to package, deploy, and scale Java applications using Docker.

Docker at and with SignalFx

SignalFx

Docker {at,with} SignalFx

Maxime Petazzoni

Dockercon 2015 Recap

ehazlett

OpenStack SummitDocker, Inc.

Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013dotCloud

Docker Introduction

Jeffrey Ellin

Secure Application Development in the Age of Continuous Delivery

Tim Mackey

As delivered at LinuxCon and ContainerCon in Berlin 2016. Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: • How known vulnerabilities can make their way into production deployments • How deployment of vulnerable code can be minimized • How to determine the vulnerability status of a container • How to determine the risk associated with a specific package

Secure Application Development in the Age of Continuous Delivery

Black Duck by Synopsys

As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016. Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: • How known vulnerabilities can make their way into production deployments • How deployment of vulnerable code can be minimized • How to determine the vulnerability status of a container • How to determine the risk associated with a specific package

Docker Security

antitree

Docker Security and Content Trust

ehazlett

Similar to Building a Secure App with Docker - Ying Li and David Lawrence, Docker (20)

5 Ways to Secure Your Containers for Docker and Beyond

DockerCon EU 2015 Barcelona

DCEU 18: Docker Container Security

Docker Containers Security

Docker Introduction

Contain your risk: Deploy secure containers with trust and confidence

Kubernetes and container security

Orchestrating Distributed Apps with Docker

Evénement Docker Paris: Anticipez les nouveaux business model et réduisez vos...

Devoxx 2016 - Docker Nuts and Bolts

Docker at and with SignalFx

Docker {at,with} SignalFx

Dockercon 2015 Recap

OpenStack Summit

Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013

Docker Introduction

Secure Application Development in the Age of Continuous Delivery

Docker Security

Docker Security and Content Trust

More from Docker, Inc.

Containerize Your Game Server for the Best Multiplayer Experience

Docker, Inc.

Raymond Arifianto, AccelByte and Mark Mandel, Google - We have been deploying containerized micro-services for our Game Backend Services for a while. Now we are tackling the challenge to scale up fleets of game dedicated servers in multiple regions, multiple data centers and multiple providers - some in bare metal, some in Cloud. So we leverage docker containerization to deploy Game Servers to achieve Portability, Fast Deployment and Predictability, enabling us to scale up to thousands of servers, on demand, without a sweat.

How to Improve Your Image Builds Using Advance Docker Build

Docker, Inc.

Nicholas Dille, Haufe-Lexware + Docker Captain - Docker continues to be the standard tool for building container images. For more than a year Docker ships with BuildKit as an alternative image builder, providing advanced features for secret and cache management. These features help to make image builds faster and more secure. In this session, Docker Captain Nicholas Dille will teach you how to use Buildkit features to your advantage.

Build & Deploy Multi-Container Applications to AWS

Docker, Inc.

Lukonde Mwila, Entelect - As the cloud-native approach to development and deployment becomes more prevalent, it's an exciting time for software engineers to be equipped on how to dockerize multi-container applications and deploy them to the cloud. In this talk, Lukonde Mwila, Software Engineer at Entelect, will cover the following topics: - Docker Compose - Containerizing an Nginx Server - Containerizing an React App - Containerizing an Node.JS App - Containerizing anMongoDB App - Runing Multi-Container App Locally - Creating a CI/CD Pipeline - Adding a build stage to test containers and push images to Docker Hub - Deploying Multi-Container App to AWS Elastic Beanstalk Lukonde will start by giving an overview of how Docker Compose works and how it makes it very easy and straightforward to startup multiple Docker containers at the same time and automatically connect them together with some form of networking. After that, Lukonde will take a hands on approach to containerize an Nginx server, a React app, a NodeJS app and a MongoDB instance to demonstrate the power of Docker Compose. He'll demonstrate usage of two Docker files for an application, one production grade and the other for local development and running of tests. Lastly, he'll demonstrate creating a CI/CD pipeline in AWS to build and test our Docker images before pushing them to Docker Hub or AWS ECR, and finally deploying our multi-container application AWS Elastic Beanstalk.

Securing Your Containerized Applications with NGINX

Docker, Inc.

Kevin Jones, NGNIX - NGINX is one of the most popular images on Docker Hub and has been at the forefront of the web since the early 2000's. In this talk we will discuss how and why NGINX's lightweight and powerful architecture makes it a very popular choice for securing containerized applications as a sidecar reverse proxy within containers. We will highlight important aspects of application security that NGINX can help with, such as TLS, HTTP, AuthN, AuthZ and traffic control.

How To Build and Run Node Apps with Docker and Compose

Docker, Inc.

Kathleen Juell, Digital Ocean - Containers are an essential part of today's microservice ecosystem, as they allow developers and operators to maintain standards of reliability and reproducibility in fast-paced deployment scenarios. And while there are best practices that extend across stacks in containerized environments, there are also things that make each stack distinct, starting with the application image itself. This talk will dive into some of these particularities, both at the image and service level, while also covering general best practices for building and running Node applications with database backends using Docker and Compose.

Hands-on Helm

Docker, Inc.

Distributed Deep Learning with Docker at Salesforce

Docker, Inc.

Jeff Hajewski, Salesforce - There is a wealth of information on building deep learning models with PyTorch or TensorFlow. Anyone interested in building a deep learning model is only a quick search away from a number of clear and well written tutorials that will take them from zero knowledge to having a working image classifier. But what happens when you need to deploy these models in a production setting? At Salesforce, we use TensorFlow models to help us provide customers with insights into their data, and we do this as close to real-time as possible. Designing these systems in a scalable manner requires overcoming a number of design challenges, but the core component is Docker. Docker enables us to design highly scalable systems by allowing us to focus on service interactions, rather than how our services will interact with the hardware. Docker is also at the core of our test infrastructure, allowing developers and data scientists to build and test the system in an end to end manner on their local machines. While some of this may sound complex, the core message is simplicity - Docker allows us to focus on the aspects of the system that matter, greatly simplifying our lives.

The First 10M Pulls: Building The Official Curl Image for Docker Hub

Docker, Inc.

James Fuller, webcomposite s.r.o. - Curl is the venerable (yet very modern) 'swiss army knife' command line tool and library for transferring data with URLs. Recently we (the Curl team) decided to build a release for Docker Hub. This talk will outline our current development workflow with respect to the docker image and provide insights on what it takes to build a docker image for mass public consumption. We are also keen to learn from users and other developers how we might improve and enhance the official curl docker image.

Monitoring in a Microservices World

Docker, Inc.

Fabian Stäber, Instana - In recent years, we saw a great paradigm shift in software engineering away from static monolithic applications towards dynamic distributed horizontally scalable architectures. Docker is one of the key technologies enabling this development. This shift poses a lot of new challenges for application monitoring, ranging from practical issues (need for automation) to technical challenges (Docker networking) to organizational topics (blurring line between software engineers and operations) to fundamental questions (define what is an application). In this talk we show how Docker changed the way we do monitoring, how modern application monitoring systems work, and what future developments we expect.

COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...

Docker, Inc.

Clemente Biondo, Engineering Ingegneria Informatica - When the COVID 19 pandemic started, Engineering Ingegneria Informatica Group (1.25 billion euros of revenues, 65 offices around the world, 12.000 employees) was forced to put their digital transformation to the test in order to maintain operational continuity. In this session, Clemente Biondo, the Tech Lead of the Information Systems Department, will share how his company is reacting to this unforeseeable scenario and how Docker-driven digital transformation had paved the path for work to continue remotely. Clemente will discuss learnings moving from colocated teams, manual approaches, email based-business processes, and a monolithic application to a mature DevOps culture characterized by a distributed autonomous workforce and a continuous deployment process that deploys backward-compatible Docker containerized microservices into hybrid multi cloud datacenters an average of twice a day with zero-downtime. He will detail how they use Docker to unify dev, test and production environments, and as an efficient and automated mechanism for deploying applications. Lastly, Clemente shares how, in our darkest hour, he and others are working to shine their brightest light.

Predicting Space Weather with Docker

Docker, Inc.

Chris Lauer, NOAA Space Weather Prediction Center - This is the story of how adopting a containerized workflow changed the way our small software team works at NOAA’s Space Weather Prediction Center. Our old architecture, a big ball of mud shared-database integration, just wasn’t cutting it - it was killing our agility. Over the past two years, our small team has adopted a microservice style architecture, using Docker with docker-compose and environment files as our deployment strategy for all new development. We’ve discovered the joys of using containers for identical dev, staging, and production environments. We work closely with scientists: much of the code we’re running has complicated and conflicting library dependencies. Docker captures these beautifully - we’ve even had some success teaching our scientists to use it! I’ll share what we’ve learned, some of the persistent challenges we face, and one place we really got it wrong. This talk builds off of a popular hallway track from DockerCon 2019.

Become a Docker Power User With Microsoft Visual Studio Code

Docker, Inc.

Brian Christner, 56k + Docker Captain - In this session, we will unlock the full potential of using Microsoft Visual Studio Code (VS Code) and Docker Desktop to turn you into a Docker Power User. When we expand and utilize the VS Code Docker plugin, we can take our projects and Docker skills to the next level. In addition to using VS Code, we streamline our Docker Desktop development workflow with less context switching and built-in shortcuts. You will learn how to bootstrap new projects, quickly write Dockerfiles utilizing templates, build, run, and interact with containers all from VS Code.

How to Use Mirroring and Caching to Optimize your Container Registry

Docker, Inc.

Monolithic to Microservices + Docker = SDLC on Steroids!

Docker, Inc.

Ashish Sharma, SS&C Eze - SS&C Eze provides various products in the stock market domain. We spent the last couple of years building Eclipse which is an investment suite born in cloud. The journey so far has been very interesting. The very first version of the product were a bunch of monolithic windows services and deployed using Octopus tool. We successfully managed to bring all the monolithic problem to the cloud and created a nightmare for ourselves. We then started applying microservices architecture principles and started breaking the monolithic into small services. Very soon we realized that we need a better packaging/deployment tool. Docker looked like a magical solution to our problem. Since its adoption, It has not only solved the deployment problem for us but has made a deep impact on different aspects of SDLC. It allowed us to use heterogeneous technology stacks, simplified development environment setup, simplified our testing strategy, improved our speed of delivery, and made our developers more productive. In this talk I would like to share our experience of using Docker and its positive impact on our SDLC.

Kubernetes at Datadog Scale

Docker, Inc.

Ara Pulido, Datadog - Container technologies, although not new, have increased their popularity in the past few years, with container orchestrators allowing companies around the world to adopt these technologies to help them ship and scale microservices with precision and velocity. Kubernetes is currently the most popular container orchestration platform, and while many organizations are migrating their workloads to it, Kubernetes is still relatively immature. New corner cases, errors, and quirks are regularly discovered as users push the boundaries of size and scale. When Datadog adopted Kubernetes we discovered some of these boundaries the hard way, and we continuously challenge and modify our infrastructure decisions in order to fit our use case. Join me in this talk for our story on what we learned while we scaled our Kubernetes clusters, the contributions to Kubernetes we made along the way, and how you can apply those learnings when growing your Kubernetes clusters from a handful to hundreds or thousands of nodes.

Labels, Labels, Labels

Docker, Inc.

Andy Clemenko, StackRox - One underutilized, and amazing, thing about the docker image scheme is labels. Labels are a built in way to document all aspects about the image itself. Think about all the information that the tags inside your clothing carry. If you care to look you can find out everything about the garment. All that information can be very valuable. Now think about how we can leverage labels to carry similar information. We can even use the labels to contain Docker Compose or even Kubernetes Yaml. We can even include labels into the CI/CD process making things more secure and smoother. Come find out some fun techniques on how to leverage labels to do some fun and amazing things.

Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model

Docker, Inc.

Patrick Deloulay, Micro Focus - Micro Focus started their digital transformation 3 years ago, moving the entire portfolio into hundreds of container images. Leveraging Docker Hub as our primary registry service, we will cover how we ended up building a simple but secure push/pull model to publish and deliver our premium assets to our customers and partners to both meet the high agility of our DevOps teams while greatly simplifying the deployment of our applications.

Build & Deploy Multi-Container Applications to AWS

Docker, Inc.

Lukonde Mwila, Entelect As the cloud-native approach to development and deployment becomes more prevalent, it's an exciting time for software engineers to be equipped on how to dockerize multi-container applications and deploy them to the cloud. In this talk, Lukonde Mwila, Software Engineer at Entelect, will cover the following topics: - Docker Compose - Containerizing an Nginx Server - Containerizing an React App - Containerizing an Node.JS App - Containerizing anMongoDB App - Runing Multi-Container App Locally - Creating a CI/CD Pipeline - Adding a build stage to test containers and push images to Docker Hub - Deploying Multi-Container App to AWS Elastic Beanstalk Lukonde will start by giving an overview of how Docker Compose works and how it makes it very easy and straightforward to startup multiple Docker containers at the same time and automatically connect them together with some form of networking. After that, Lukonde will take a hands on approach to containerize an Nginx server, a React app, a NodeJS app and a MongoDB instance to demonstrate the power of Docker Compose. He'll demonstrate usage of two Docker files for an application, one production grade and the other for local development and running of tests. Lastly, he'll demonstrate creating a CI/CD pipeline in AWS to build and test our Docker images before pushing them to Docker Hub or AWS ECR, and finally deploying our multi-container application AWS Elastic Beanstalk.

From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...

Docker, Inc.

Elton Stoneman, Docker Captain + Container Consultant and Trainer How do you provide a SaaS offering when your product is a 10-year old Fortran app, currently built to run on Windows 10? With Docker and Kubernetes of course - and you can do it in a week (... to prototype level at least). In this session I'll walk through the processes and practicalities of taking an older Windows app, making it run in containers with Kubernetes, and then building a simple API wrapper to host the whole stack as a cloud-based SaaS product. There's a lot of technology here from a real world case study, and I'll focus on: - running Windows apps in Docker containers - building a .NET Core API which can run in Linux or Windows containers - running the stack in Kubernetes with Docker Desktop locally and AKS in the cloud - configuring AKS workloads in Azure to burst out to Azure Container Instances And there's a core theme to this session: Docker and Kubernetes are complex technologies, but they're the key to modern development. If you invest time learning them, they make projects like this simple, portable, fast and fun.

Developing with Docker for the Arm Architecture

Docker, Inc.

This virtual meetup introduces the concepts and best practices of using Docker containers for software development for the Arm architecture across a variety of hardware systems. Using Docker Desktop on Windows or Mac, Amazon Web Services (AWS) A1 instances, and embedded Linux, we will demonstrate the latest Docker features to build, share, and run multi-architecture images with transparent support for Arm.

More from Docker, Inc. (20)

Containerize Your Game Server for the Best Multiplayer Experience

How to Improve Your Image Builds Using Advance Docker Build

Build & Deploy Multi-Container Applications to AWS

Securing Your Containerized Applications with NGINX

How To Build and Run Node Apps with Docker and Compose

Hands-on Helm

Distributed Deep Learning with Docker at Salesforce

The First 10M Pulls: Building The Official Curl Image for Docker Hub

Monitoring in a Microservices World

COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...

Predicting Space Weather with Docker

Become a Docker Power User With Microsoft Visual Studio Code

How to Use Mirroring and Caching to Optimize your Container Registry

Monolithic to Microservices + Docker = SDLC on Steroids!

Kubernetes at Datadog Scale

Labels, Labels, Labels

Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model

Build & Deploy Multi-Container Applications to AWS

From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...

Developing with Docker for the Arm Architecture

Recently uploaded

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

Product School

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Product School

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

Tobias Schneck

As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other? Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Thierry Lestable

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPathCommunity

💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™: See how to accelerate model training and optimize model performance with active learning Learn about the latest enhancements to out-of-the-box document processing – with little to no training required Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath. Speakers: 👨‍🏫 Andras Palfi, Senior Product Manager, UiPath 👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

JMeter webinar - integration with InfluxDB and Grafana

RTTS

Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application. In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics. Length: 30 minutes Session Overview ------------------------------------------- During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana: - What out-of-the-box solutions are available for real-time monitoring JMeter tests? - What are the benefits of integrating InfluxDB and Grafana into the load testing stack? - Which features are provided by Grafana? - Demonstration of InfluxDB and Grafana using a practice web application To view the webinar recording, go to: https://www.rttsweb.com/jmeter-integration-webinar

Generating a custom Ruby SDK for your web service or Rails API using Smithy

g2nightmarescribd

Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Albert Hoitingh

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Sri Ambati

How world-class product teams are winning in the AI era by CEO and Founder, P...

Product School

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

Paul Groth

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Inflectra

In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring. Learn about: • The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks. • Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective. • Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification. • Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process. Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

Product School

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

Bits & Pixels using AI for Good.........

Alison B. Lowndes

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

91mobiles

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

Securing your Kubernetes cluster_ a step-by-step guide to success !

JMeter webinar - integration with InfluxDB and Grafana

Generating a custom Ruby SDK for your web service or Rails API using Smithy

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

How world-class product teams are winning in the AI era by CEO and Founder, P...

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

Bits & Pixels using AI for Good.........

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

Building a Secure App with Docker - Ying Li and David Lawrence, Docker

1. David Lawrence Sr. Security Engineer Docker Ying Li Security Engineer Docker Building a Secure Docker App

2. The Pipeline

3. Docker Content Trust Service

4. Development

5. “... tech giant Juniper Networks revealed in a startling announcement that it had found “unauthorized” code embedded in an operating system running on some of its firewalls.” - wired.com

6. Where did it come from?

7. User Authentication • Multi-Factor Authentication • Key Based Authentication Sign your commits • Use hardware like Yubikeys Secure your source

9. Pin your dependencies • Include the list with the source • (golang) vendor.conf, Godeps.json • (python) requirements.txt • (ruby) Gemfile • (node) package.json Validate your upstreams

10. Pin your dependencies • Include the list with the source • Use checksums Validate your upstreams requires == 2.13 --hash=sha256:2cf24dba5fb0a30e26e83… golang.org/x/crypto 5bcd134fee4dd1475da17714aac19c0a…

11. Pin your dependencies • Include the list with the source • Use checksums • Use publisher keys when available Validate your upstreams

12. Test & Build

13. Verify everything on ingress • commit signatures • dependency checksums • dependency signatures • Docker Content Trust (DCT) signatures of base images CI is an island

14. Be minimal, be disciplined • do build minimal images • do not embed secret/ sensitive data in images • do sign built images with Docker Content Trust (DCT) CI is ascetic

15.

16.

17.

18.

19.

20.

21. Registry Services

22. Find Common Vulnerabilities and Exposures (CVEs) • stop being reactive, get proactive • make compliance easier Get notified about new CVEs • automate the auditing of existing applications Docker Security Scanning (DSS)

23.

24.

25. Docker Trusted Registry (DTR) and Docker Hub/Cloud come with DCT metadata hosting • you can start signing now • provides trust from publisher to consumer • no need to trust the middleman Docker Content Trust (DCT)

26. Going to Production

27. • use Docker Content Trust to only deploy signed artifacts • use Docker EE Signing Policies to guarantee applications meet your acceptance criteria What are you deploying?

28. Use the absolute minimum privilege set necessary! Don’t: docker run --privileged ... Do: docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN ... Least Privileged Microservices

29. Zero Trust Networks

30. Defense in Depth • isolate sensitive workloads to their own nodes • use docker secrets Least Privileged Nodes

31. Mitigate entire classes of compromise • run read-only containers • use Docker Editions for <your platform here> Immutable Infrastructure

32.

33.

34.

35.

36.

37. 1. Secure & sign your source 2. Pin & verify your dependencies 3. Sign your artifacts with Docker Content Trust 4. Leverage Docker Security Scanning 5. Deploy onto immutable infrastructure … 6. … with Least Privilege configurations In Summary

38. Thank You! Questions? @docker #dockercon

Building a Secure App with Docker - Ying Li and David Lawrence, Docker

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Building a Secure App with Docker - Ying Li and David Lawrence, Docker

Similar to Building a Secure App with Docker - Ying Li and David Lawrence, Docker (20)

More from Docker, Inc.

More from Docker, Inc. (20)

Recently uploaded

Recently uploaded (20)

Building a Secure App with Docker - Ying Li and David Lawrence, Docker