Continuous Delivery helps to keep your software and Docker images updated and to deploy new versions to production easily. Microservices are great at reducing the attack surface and limiting the privileges or credential access of each piece of your application. Containers provide an opportunity to implement better security: small, immutable, single-process and single-purpose.
In this session, we will go through real use-case examples of how to make your CI/CD pipeline interact with Docker security tools. But security doesn't stop where your deployment pipeline ends. How can we prepare for 0-days and policy violations that happen at run-time? Can we make that part of the CI/CD process too?
9. Are containers secure?
- New infrastructure, new layers, new risks
- But we have seen them before:
  - DDoS, isolation break-out, injections
- Fast pipeline: skip security?
- This is an opportunity
- More steps: more security onion layers
https://sysdig.com/blog/7-docker-security-vulnerabilities/
10. How to do security?
- Establish trust boundaries (dev vs prod)
- Identify, minimise, and harden attack surfaces
- Reduce scope and access
- Layer protections and defenses (secure and update)
- Traceability and test
11. Continuous Security
- DevOps: agile and faster
- Security team: fewer incidents
DevSecOps!
- Modify the process to bring in security while staying agile
- Security as Code
- On failure: open an issue vs break the build
15. Security pipeline: Build
- Container scan
- At the CI -> registry step
- Find known vulnerabilities: inventory
- CoreOS Red Hat Clair
- Anchore (integrated in Sysdig Secure soon)
- Red Hat OpenScap
- Vuls.io
- Other commercial vendors
17. What are we looking for?
- Package lists
- Software installed manually (pip, rake, …)
- Static binaries
- Hashes of known vulnerabilities
- Leaked credentials
- Docker image layers
21. How to bring this into the pipeline?
- CI, build the image
- Scan:
  - https://github.com/optiopay/klar
  - https://gitlab.com/gitlab-org/clair-scanner
  - https://wiki.jenkins.io/display/JENKINS/Anchore+Container+Image+Scanner+Plugin
  - https://github.com/jenkinsci/anchore-container-scanner-plugin
- Push into the registry
33. Security pipeline: Run-time scanning
- Threat detection
- Network inspection
- Privilege escalation
- Post-mortem analysis and forensics
- Attacks are multi-step
- The successful attacks are the ones unknown to us
- But we just need to recognize one IoC
34. Seccomp
- Application syscall sandboxing
- Create a filter (BPF) with the allowed syscalls
- Failures -> log message, error return, and/or kill process
- Docker runs the containerized process under a seccomp profile
- Notable disallowed syscalls:
  - clone (creating new namespaces)
  - reboot (reboot the host)
  - setns (change namespaces)
36. - An open-source behavioral activity monitor
- Detects suspicious activity defined by a set of rules
- Uses Sysdig's flexible and powerful filtering expressions
- With full support for containers/orchestration
sysdig.com/opensource/falco/
38. Falco real rule example
- macro: proc_is_new
  condition: proc.duration <= 5000000000

- rule: Read secret file after startup
  desc: >
    An attempt to read any secret file (e.g. files containing user/password/authentication
    information). Processes might read these files at startup, but not afterwards.
  condition: fd.name startswith /etc/secrets and open_read and not proc_is_new
  output: >
    Sensitive file opened for reading after startup (user=%user.name
    command=%proc.cmdline file=%fd.name)
  priority: WARNING
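To make the rule's logic concrete, here is an added example (not from the slides, and not Falco's own engine) that re-implements the proc_is_new and open_read macros and the rule condition in Python and runs them over a constructed event stream; the Event fields are stand-ins for the Falco fields named in the comments, and open_read is a simplified version of Falco's macro.

```python
from dataclasses import dataclass

# Grace period from the proc_is_new macro: proc.duration <= 5000000000 ns (5 s).
STARTUP_GRACE_NS = 5_000_000_000


@dataclass
class Event:
    """Constructed stand-in for a Falco syscall event (field names are ours)."""
    user: str              # %user.name
    cmdline: str           # %proc.cmdline
    fd_name: str           # %fd.name
    evt_type: str          # evt.type, e.g. "open", "openat"
    is_open_read: bool     # evt.is_open_read: O_RDONLY or O_RDWR in the open flags
    proc_duration_ns: int  # proc.duration: nanoseconds since the process started


def proc_is_new(evt: Event) -> bool:
    """macro proc_is_new: the process is still inside its startup window."""
    return evt.proc_duration_ns <= STARTUP_GRACE_NS


def open_read(evt: Event) -> bool:
    """Simplified Falco open_read macro: an open/openat whose flags allow reading."""
    return evt.evt_type in ("open", "openat") and evt.is_open_read


def read_secret_after_startup(evt: Event) -> bool:
    """Rule condition: fd.name startswith /etc/secrets and open_read and not proc_is_new."""
    return (evt.fd_name.startswith("/etc/secrets")
            and open_read(evt)
            and not proc_is_new(evt))


def format_alert(evt: Event) -> str:
    """The rule's output line, prefixed with its priority."""
    return ("WARNING Sensitive file opened for reading after startup "
            f"(user={evt.user} command={evt.cmdline} file={evt.fd_name})")


def evaluate(events) -> list:
    """Apply the rule to an event stream and return the alerts it would raise."""
    return [format_alert(e) for e in events if read_secret_after_startup(e)]


# Constructed sample stream: a legitimate startup read, a late read (the only
# alert), a late open for writing only, and a late read of a non-secret file.
SAMPLE_EVENTS = [
    Event("app", "python app.py", "/etc/secrets/db.pass", "openat", True, 1_200_000_000),
    Event("app", "python app.py", "/etc/secrets/db.pass", "openat", True, 60_000_000_000),
    Event("app", "python app.py", "/etc/secrets/cache", "openat", False, 60_000_000_000),
    Event("app", "python app.py", "/etc/hosts", "openat", True, 60_000_000_000),
]
```

Running evaluate(SAMPLE_EVENTS) yields a single alert for the second event; the startup read is tolerated by proc_is_new, and the write-only open never satisfies open_read.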