Container security involves securing the host, container content, orchestration, and applications. The document discusses how container isolation evolved over time through namespaces, cgroups, capabilities, and other Linux kernel features. It also covers securing container images, orchestrators, and applications themselves. Emerging technologies like LinuxKit, Katacontainers, and MirageOS aim to provide more lightweight and secure container environments.
In this session customers will learn how to leverage the identity and authorisation, network security and secrets management features of the wider AWS platform for their containers. We will also show you how to scan container images for vulnerabilities as part of your CI/CD pipeline.
Speaker: Marcus Santos, Solutions Architect, AWS
A talk given at Docker London on Wednesday, July 20th, 2016. This talk is a fast-paced overview of the potential threats faced when containerizing applications, married to a quick run-through of the "security toolbox" available in the Docker engine via Linux kernel capabilities and features enabled by OCI's libcontainer/runc and Docker.
A video recording of this talk is available here: https://skillsmatter.com/skillscasts/8551-container-security
An introduction to the devsecops webinar will be presented by me at 10.30am EST on 29th July,2018. It's a session focussed on high level overview of devsecops which will be followed by intermediate and advanced level sessions in future.
Agenda:
-DevSecOps Introduction
-Key Challenges, Recommendations
-DevSecOps Analysis
-DevSecOps Core Practices
-DevSecOps pipeline for Application & Infrastructure Security
-DevSecOps Security Tools Selection Tips
-DevSecOps Implementation Strategy
-DevSecOps Final Checklist
In this session customers will learn how to leverage the identity and authorisation, network security and secrets management features of the wider AWS platform for their containers. We will also show you how to scan container images for vulnerabilities as part of your CI/CD pipeline.
Speaker: Marcus Santos, Solutions Architect, AWS
A talk given at Docker London on Wednesday, July 20th, 2016. This talk is a fast-paced overview of the potential threats faced when containerizing applications, married to a quick run-through of the "security toolbox" available in the Docker engine via Linux kernel capabilities and features enabled by OCI's libcontainer/runc and Docker.
A video recording of this talk is available here: https://skillsmatter.com/skillscasts/8551-container-security
An introduction to the devsecops webinar will be presented by me at 10.30am EST on 29th July,2018. It's a session focussed on high level overview of devsecops which will be followed by intermediate and advanced level sessions in future.
Agenda:
-DevSecOps Introduction
-Key Challenges, Recommendations
-DevSecOps Analysis
-DevSecOps Core Practices
-DevSecOps pipeline for Application & Infrastructure Security
-DevSecOps Security Tools Selection Tips
-DevSecOps Implementation Strategy
-DevSecOps Final Checklist
Today’s cutting edge companies have release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This type of automation will help you catch bugs sooner and accelerate developer productivity. In this session we will share our AWS engineers embed security practices in DevOps, and discuss how you can use AWS services to securely enable DevOps agility in your organization.
This presentation covers the basics of dockers, its security related features and how certain misconfigurations can be used to escape from container to host
DevSecOps (short for development, security, and operations) is a development practice that integrates security initiatives at every stage of the software development lifecycle to deliver robust and secure applications.
Cloud Native Bern 05.2023 — Zero Trust VisibilityRaphaël PINSON
As the adoption of Kubernetes continues to grow, so does the need for securing containerized applications and their data. One effective security model that has gained popularity is Zero Trust Networking, which assumes that all resources, devices and users are untrusted, and access to resources is granted only after proper authentication and authorization. However, implementing Zero Trust Networking in Kubernetes can be challenging, given the dynamic nature of containerized workloads and the complexity of network policies.
In this presentation, we will explore how to implement Zero Trust Networking in Kubernetes using Cilium, Hubble & Grafana. We will start by setting up Cilium on a Kubernetes cluster, which provides network security by enforcing identity-based access control policies using eBPF. Next, we will export Network Policy Verdict metrics using Hubble, which allows us to visualize network policies and track security events in real-time. Finally, we will use a Grafana dashboard to visualize these metrics and demonstrate how to secure a Kubernetes namespace without affecting existing traffic in the namespace.
By the end of this presentation, attendees will have a good understanding of the importance of Zero Trust Networking in Kubernetes and how to implement it using Cilium, Hubble & Grafana. They will also learn how to secure a Kubernetes namespace and monitor network policies using a Grafana dashboard.
An introduction to docker; the concepts; how to use it and why. The presentation is mainly based on the following presentation by docker, but with added info about Docker Compose and Docker Swarm.
https://www.slideshare.net/Docker/docker-101-nov-2016
#container #docker #Trifork #TriforkSelected #GotoConf
This slide is the speech provided by me for InfoSec2020 (https://2020.infosec.org.tw/) conference in Taiwan. It describes the container security, what issues is. how to exploit it and how to defense it.
Docker is the world's leading software containerization platform.
This is a comprehensive introduction to Docker, suitable for delivering in introductory meetups to an audience who does not know about docker.
In case you want to deliver this presentation somewhere, kindly drop me a mail at aditya.konarde@gmail.com
You can contact me at:
Connect with me onLinkedIN: https://www.linkedin.com/in/adityakonarde
Add me on Facebook: https://www.facebook.com/Aditya.Konarde
Tweet to me @aditya_konarde
Attendees will learn how to leverage the identity and authorisation, network security and secrets management features of the wider AWS platform for their containers, including Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Container Service for Kubernetes (Amazon EKS). We also discuss best practices for the security of your container images such as scanning them for known vulnerabilities.
Today’s cutting edge companies have release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This type of automation will help you catch bugs sooner and accelerate developer productivity. In this session we will share our AWS engineers embed security practices in DevOps, and discuss how you can use AWS services to securely enable DevOps agility in your organization.
This presentation covers the basics of dockers, its security related features and how certain misconfigurations can be used to escape from container to host
DevSecOps (short for development, security, and operations) is a development practice that integrates security initiatives at every stage of the software development lifecycle to deliver robust and secure applications.
Cloud Native Bern 05.2023 — Zero Trust VisibilityRaphaël PINSON
As the adoption of Kubernetes continues to grow, so does the need for securing containerized applications and their data. One effective security model that has gained popularity is Zero Trust Networking, which assumes that all resources, devices and users are untrusted, and access to resources is granted only after proper authentication and authorization. However, implementing Zero Trust Networking in Kubernetes can be challenging, given the dynamic nature of containerized workloads and the complexity of network policies.
In this presentation, we will explore how to implement Zero Trust Networking in Kubernetes using Cilium, Hubble & Grafana. We will start by setting up Cilium on a Kubernetes cluster, which provides network security by enforcing identity-based access control policies using eBPF. Next, we will export Network Policy Verdict metrics using Hubble, which allows us to visualize network policies and track security events in real-time. Finally, we will use a Grafana dashboard to visualize these metrics and demonstrate how to secure a Kubernetes namespace without affecting existing traffic in the namespace.
By the end of this presentation, attendees will have a good understanding of the importance of Zero Trust Networking in Kubernetes and how to implement it using Cilium, Hubble & Grafana. They will also learn how to secure a Kubernetes namespace and monitor network policies using a Grafana dashboard.
An introduction to docker; the concepts; how to use it and why. The presentation is mainly based on the following presentation by docker, but with added info about Docker Compose and Docker Swarm.
https://www.slideshare.net/Docker/docker-101-nov-2016
#container #docker #Trifork #TriforkSelected #GotoConf
This slide is the speech provided by me for InfoSec2020 (https://2020.infosec.org.tw/) conference in Taiwan. It describes the container security, what issues is. how to exploit it and how to defense it.
Docker is the world's leading software containerization platform.
This is a comprehensive introduction to Docker, suitable for delivering in introductory meetups to an audience who does not know about docker.
In case you want to deliver this presentation somewhere, kindly drop me a mail at aditya.konarde@gmail.com
You can contact me at:
Connect with me onLinkedIN: https://www.linkedin.com/in/adityakonarde
Add me on Facebook: https://www.facebook.com/Aditya.Konarde
Tweet to me @aditya_konarde
Attendees will learn how to leverage the identity and authorisation, network security and secrets management features of the wider AWS platform for their containers, including Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Container Service for Kubernetes (Amazon EKS). We also discuss best practices for the security of your container images such as scanning them for known vulnerabilities.
Docker is a tool designed to make it easier to create, deploy, and run applications
by using containers. Containers allow a developer to package up
an application with all of the parts it needs, such as libraries and other dependencies,
and ship it all out as one package. By doing so, thanks to the
container, the developer can rest assured that the application will run on
any other Linux machine regardless of any customized settings that machine
might have that could differ from the machine used for writing and testing
the code.
In a way, Docker is a bit like a virtual machine. But unlike a virtual
machine, rather than creating a whole virtual operating system, Docker allows
applications to use the same Linux kernel as the system that they’re
running on and only requires applications be shipped with things not already
running on the host computer. This gives a significant performance boost
and reduces the size of the application.
Dojo given at ESEI, Uvigo.
The slides include a set of great slides from a presentation made by Elvin Sindrilaru at CERN.
Docker is an open platform for building, shipping and running distributed applications. It gives programmers, development teams and operations engineers the common toolbox they need to take advantage of the distributed and networked nature of modern applications.
Dockerized containers are the current wave that promising to revolutionize IT. Everybody is talking about containers, but a lot of people remain confused on how they work and why they are different or better than virtual machines. In this session, Black Duck container and virtualization expert Tim Mackey will demystify containers, explain their core concepts, and compare and contrast them with the virtual machine architectures that have been the staple of IT for the last decade.
Presented by Tim Mackey, Senior Technology Evangelist, Black Duck Software on August 17.
To use containers safely, you need to be aware of potential security issues and the tools you need for securing container-based systems. Secure production use of containers requires an understanding of how attackers might seek to compromise the container, and what you should be aware of to minimize that potential risk.
Tim Mackey, Senior Technical Evangelist at Black Duck Software, provides guidance for developing container security policies and procedures around threats such as:
1. Network security
2. Access control
3. Tamper management and trust
4. Denial of service and SLAs
5. Vulnerabilities
Register today to learn about the biggest security challenges you face when deploying containers, and how you can effectively deal with those threats.
Watch the webinar on BrightTalk: http://bit.ly/2bpdswg
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
Containers have had an incredibly large adoption rate since Docker was launched, especially from the developer community, as it provides an easy way to package, ship, and run applications. Securing your container-based application is now becoming a critical issue as applications move from development into production. In this session, you learn ways to implement storing secrets, distributing AWS privileges using IAM roles, protecting your container-based applications with vulnerability scans of container images, and incorporating automated checks into your continuous delivery workflow.
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
Containers have had an incredibly large adoption rate since Docker was launched, especially from the developer community, as it provides an easy way to package, ship, and run applications. Securing your container-based application is now becoming a critical issue as applications move from development into production. In this session, you learn ways to implement storing secrets, distributing AWS privileges using IAM roles, protecting your container-based applications with vulnerability scans of container images, and incorporating automated checks into your continuous delivery workflow.
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
How to secure microservices running in containers? Strategies for Docker, Kubernetes, Openshift, RancherOS, DC/OS Mesos.
Privileges, resources and visibility constrains with capabilities, cgroups and namespaces. Image vulnerability scanning and behaviour security monitoring with Sysdig Falco.
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisOW2
There’s a constant rise of the container usage in the existing cloud ecosystem.
Most companies are evaluating how to migrate to newer, flexible and automated platform for content and application delivery.
The containers are building themselves alone across the business, but who's securing them?
This presentation discusses the evolution of infrastructure solutions from servers to containers, how can they be secured.
What opensource security options are available today?
Where is the future leading towards container security?
What will come after containers?
This presentation cuts through the confusion and hype surrounding blockchain, explains the key technical aspects of blockchain systems, and summarizes the point of view of different blockchain luminaries and open sourced systems. Originally presented as a guest lecture at Columbia University in April 2019.
This presentation gives an overview of SPEC Cloud (TM) IaaS 2016, the first industry standard benchmark that measures the performance of infrastructure as a service clouds. More details on benchmark at https://www.spec.org/cloud_iaas2016/ .
A Survey of Container Security in 2016: A Security Update on Container PlatformsSalman Baset
This talk is an update of container security in 2016. It describes the security measures that containers provide, shows how containers provide security measures out of box that are prone to configuration errors when running applications directly on host, and finally lists the ongoing in container security in the community.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
3. What is a container?
According to NIST (National Institute of Standards Technology)
• Virtualization: the simulation of the software and/or hardware upon which
other software runs. (800-125)
• System Virtual Machine: A System Virtual Machine (VM) is a software
implementation of a complete system platform that supports the execution of
a complete operating system and corresponding applications in a cloud. (800-
180 draft)
• Operating System Virtualization (aka OS Container): Provide multiple
virtualized OSes above a single shared kernel (800-190). E.g., Solaris Zone,
FreeBSD Jails, LXC
• Application Virtualization (aka Application Containers): Same shared kernel
is exposed to multiple discrete instances (800-180 draft). E.g., Docker
(containerd), rkt
3
5. Container Runtime Stack on a Single Host
Host kernel
Container
runtime
VM kernel
Host kernel
Container
runtime
Application
containers
App
Bins/libs
App
Bins/libs
App
Bins/libs
App
Bins/libs
Application
containers
1. Is host isolated from application container?
2. Is one application container isolated from another application container?
5
6. Shared kervel vs. separate kernel debate…
CVEs inside Linux kernel
https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33 6
7. The previous chart can be misleading…
• Gain privilege exploits in 2017: 36
• Includes CVEs in previous kernel versions
• 1 eCryptfs 3.18 or earlier
• Drivers: 5 Qualcomm drives, 2 NVIDIA, 1 USB, 1 BROADCOM, 1 GPU,
1 TTY
• KVM: 1 (that is, CVE found in kvm also)
• Not all CVEs are [easily] exploitable, but nevertheless…
Host kernel
Container
runtime
App
Bins/libs
App
Bins/libs
Application
containers
Focus of this talk
7
8. Usage Model
Host kernel
Container
runtime
App
Bins/libs
App
Bins/libs
Application
containers
Host kernel
Container
runtime
App
Bins/libs
App
Bins/libs
Application
containers
Host kernel
Container
runtime
App
Bins/libs
App
Bins/libs
Application
containers
Multiple apps of same user running on same/different hosts
Multiple apps of distinct users running on same/different hosts
Image
Registry
Orchestrator + +
8
9. What does host security mean? Informally…
• Isolation from host
• Can never be root
• Should not “see” host processes
• Shout not interfere with host operation
• Isolation from other containers
• Should not “see” other containers
• Should not impact performance of other containers
9
10. Container on Linux
• is just a process
• wrapper in bunch of “isolation gear”
• to isolate from host and other processes
• the isolation gear was developed independently over time
• docker engine (on a host) + containerd + runC
10
11. Namespaces
• Linux kernel namespaces provide the isolation
(hence “container”) in which we place one or more
processes
• Introduced ~2002 – inspired from Plan B
• Ok, what about devices?
• docker options
• --userns
• --pid
• --uts
pid mount
ipc
user net
uts
HOST SECURITY
11
12. Resource isolation - cgroups
• What is a
resource?
• CPU, memory,
disk, network
• PID, file
descriptors
• Devices
• cgroups v2 support introduced in Kernel 4.5.
• Docker has many options for tuning cpu, mem, disk
• cpu: 10
• device: 8
• memory: 5
• PID: configure the max number of PID descriptors
• Device: maximum device bandwidth, in, out
HOST SECURITY
12
13. Are namespaces and cgroups enough?
• No
• Linux capabilities:
• Fine-grained access capabilities besides root/non-root
• E.g., load a module, mount a file
• Docker container drops most capabilities by default
• chown, dac_override, fsetid, fowner,
mknod, net_raw, setgid, setuid, setfcap,
setpcap, net_bind_service, sys_chroot,
kill, audit_write
• Seccomp
• Restrict the system calls that a system is allowed to execute
• Often, security issues found in system calls pertaining to legacy
devices
• AppArmor / SELINUX
• Mandatory access control (MAC)
Default Docker capabilities
HOST SECURITY
13
14. Is that enough for host security?
• No
• Other host security best practices still apply!
• Patch management
• Monitoring
• Antivirus
• Malware
• Logging
• Privileged user monitoring
HOST SECURITY
14
15. Container Images
• Container images are the root of software supply chain
• Containers images are supposed to provide an immutable source
• In reality: secrets needed for running the container are stored outside the
container image, and can impact its run-time
• Different secrets for different run-time environments (stage, prod)
• Container images are often pulled through open source
• Important to vet the base image, malware, anti-virus
• Container images contain OS distro packages + application
packages + application code
• Ubuntu, Node.js
• Check vulnerabilities of all content that goes inside the image, including
scanning application source code
CONTENT SECURITY
App
Bins/libs
secrets
15
16. Orchestrator Security
• Containers are often deployed through orchestrators
• Docker Machine, Kubernetes
• Sane defaults, TLSv1.2 etc
• Who has access to those APIs just equally as important as other
aspects
• determine what volumes, devices are passed inside container
• who can docker exec into a running container
• Moreover, secrets are typically stored outside container registry
and container run-time. Access to these secrets also important
• Your Jenkins server may be leaking secrets!
ORCHESTRATOR SECURITY
16
17. App Security
• A developer still needs to configure their app securely.
• However it is still much better to run app in a container than inside a host
APP SECURITY
17
Configurepartitions
Runasnon-root,
utilizinguserand
kernelnamespaces
Configurelog,
monitoring,audit
Configurenetwork,
relatedservices,
disableIPforwarding
Configurepatching
andanti-virusagents
Configuremandatory
accesscontrol
Preventapplication
fromDoSingahost
Furtherdeprivilege
applicationthrough
subsetofLinux
capabilities
FurtherDeprivilege
applicationbylimiting
allowedsystemcalls
Configureapplication
security
Host
Container
Host
Manual
Manual
Manual
per app
One time
(in Docker)
Manual
per app
Manual
One time
Step 1 Step 2 Step 3
Manual
Manual
Step 4
Manual
Manual
Step 5 Step 6
Manual
per app
Out of box
(in Docker)
Out of box
(in Docker)
Step 7
Manual
per app
Step 8
Manual
per app
Out of box
(in Docker)
Manual
per app
Out of box
(in Docker)
Step 9 Step 10
Manual
per app
Manual
18. Kernel and Container Security Evolution
• 2015
• Content Addressability (image spec, phase 1) – Docker 1.6
• Default ulimits for all containers – Docker 1.6
• Docker Content Trust – (notary) image provenance/signing – Docker 1.8
• 2016
• Full migration to content addressability for images/layers – Docker 1.10
• User namespaces – Docker 1.10
• Secure computing (libseccomp) – Docker 1.10
• --pids-limit (cgroups pid limitation) – Docker 1.11 (kernel 4.3 +)
• cgroups “v2” – (kernel 4.5+)
• --no-new-privileges (limit process escalation) – Docker 1.11
• Storage driver quotas (limited) – Docker 1.12
• Secure by default multi-node orchestration (mutual TLS) – Docker 1.12
• 2017
• Improved resource isolation features in Linux Kernel and in Docker engine
18
19. Whats Next in Container Security?
• Host Security
• Linux Kit
• Lightweight virtualization (Katacontainers (formerly Intel clear
containers) )
• Unikernels (MirageOS)
• Content Security
• Distribution Specific Project (OCI)
• Project Grafeas
19
20. Linux Kit
• Secure, portable OSes for Linux containers
• Support Kubernetes, AWS, GCP, Azure etc
• https://github.com/linuxkit/linuxkit
20
21. Katacontainers
• Based on Intel Clear Containers
• Perform like containers but provide the workload isolation and
security advantages of VMs
• OCI compliant
• https://github.com/kata-containers/
21
23. Distribution Specific Project
• Image and run-time formats through OCI
• Image distribution is now defacto Docker Image Registry API
• https://www.opencontainers.org/announcement/2018/04/09/oci-
announces-dist-spec-project
23
25. Conclusion
• Container security has significantly evolved from early days of
Docker
• Secure-by-default in all major platforms
• For users, security focus is on securing software supply chain
• New features promise standardization, light-weight, VM
isolation
25