Container adoption is on the rise across companies of every size and industry. While containerization is a new and exciting paradigm, it brings with it some of the same technical and organizational issues that security teams have always faced. This presentation will dive into a selection of these familiar issues and suggested solutions to help security teams get a better handle on containers and keep up with the deployment pace that DevOps requires.
Check out the Denver Chapter of OWASP!
meetup.com/denver-owasp and our annual conference
www.snowfroc.com
DockerCon 2016 Recap highlights new features in Docker 1.12 including Swarm mode for orchestration without an external datastore, declarative services, routing mesh, stacks for multi-container applications, and built-in security. It also discusses Docker for Mac/Windows which now has a native experience, improved networking and file sharing, and Docker for AWS which provisions highly available Swarm clusters on AWS using CloudFormation templates. The Docker Store marketplace was introduced for validated Dockerized applications.
Just as the roles of CIOs and CTOs have needed to rapidly evolve along with the pace of technology, it is now becoming critically important for lawyers to understand emerging software security challenges.
Container security involves securing the host, container content, orchestration, and applications. The document discusses how container isolation evolved over time through namespaces, cgroups, capabilities, and other Linux kernel features. It also covers securing container images, orchestrators, and applications themselves. Emerging technologies like LinuxKit, Katacontainers, and MirageOS aim to provide more lightweight and secure container environments.
This document discusses container security, providing a brief history of containers, security benefits and challenges of containers, and approaches to container vulnerability management and responding to attacks. It notes that while containers are not new, their adoption has increased rapidly in recent years. The document outlines security advantages like smaller surface areas but also challenges like managing vulnerabilities across many moving parts. It recommends strategies like using official images, hardening hosts, scanning for vulnerabilities, and practicing incident response for containers.
This document discusses container security. It outlines the advantages and disadvantages of containers, including their small footprint, fast provisioning time, and ability to enable effective microservices. However, containers also pose security risks like reduced isolation and potential for cross-container attacks. The document then examines different approaches to container security, including host-based methods using namespaces, control groups, and Linux Security Modules, as well as container-based scanning and third-party security offerings. It provides examples of configuring security controls and evaluating containers for vulnerabilities.
In this session customers will learn how to leverage the identity and authorisation, network security and secrets management features of the wider AWS platform for their containers. We will also show you how to scan container images for vulnerabilities as part of your CI/CD pipeline.
Speaker: Marcus Santos, Solutions Architect, AWS
This presentation covers the basics of dockers, its security related features and how certain misconfigurations can be used to escape from container to host
This document discusses container security and provides information on various related topics. It begins with an overview of container security risks such as escapes and application vulnerabilities. It then covers security controls for containers like namespaces, control groups, and capabilities. Next, it discusses access control models and Linux security modules like SELinux and AppArmor that can provide container isolation. The document concludes with some third-party security offerings and emerging technologies that aim to enhance container security.
DockerCon 2016 Recap highlights new features in Docker 1.12 including Swarm mode for orchestration without an external datastore, declarative services, routing mesh, stacks for multi-container applications, and built-in security. It also discusses Docker for Mac/Windows which now has a native experience, improved networking and file sharing, and Docker for AWS which provisions highly available Swarm clusters on AWS using CloudFormation templates. The Docker Store marketplace was introduced for validated Dockerized applications.
Just as the roles of CIOs and CTOs have needed to rapidly evolve along with the pace of technology, it is now becoming critically important for lawyers to understand emerging software security challenges.
Container security involves securing the host, container content, orchestration, and applications. The document discusses how container isolation evolved over time through namespaces, cgroups, capabilities, and other Linux kernel features. It also covers securing container images, orchestrators, and applications themselves. Emerging technologies like LinuxKit, Katacontainers, and MirageOS aim to provide more lightweight and secure container environments.
This document discusses container security, providing a brief history of containers, security benefits and challenges of containers, and approaches to container vulnerability management and responding to attacks. It notes that while containers are not new, their adoption has increased rapidly in recent years. The document outlines security advantages like smaller surface areas but also challenges like managing vulnerabilities across many moving parts. It recommends strategies like using official images, hardening hosts, scanning for vulnerabilities, and practicing incident response for containers.
This document discusses container security. It outlines the advantages and disadvantages of containers, including their small footprint, fast provisioning time, and ability to enable effective microservices. However, containers also pose security risks like reduced isolation and potential for cross-container attacks. The document then examines different approaches to container security, including host-based methods using namespaces, control groups, and Linux Security Modules, as well as container-based scanning and third-party security offerings. It provides examples of configuring security controls and evaluating containers for vulnerabilities.
In this session customers will learn how to leverage the identity and authorisation, network security and secrets management features of the wider AWS platform for their containers. We will also show you how to scan container images for vulnerabilities as part of your CI/CD pipeline.
Speaker: Marcus Santos, Solutions Architect, AWS
This presentation covers the basics of dockers, its security related features and how certain misconfigurations can be used to escape from container to host
This document discusses container security and provides information on various related topics. It begins with an overview of container security risks such as escapes and application vulnerabilities. It then covers security controls for containers like namespaces, control groups, and capabilities. Next, it discusses access control models and Linux security modules like SELinux and AppArmor that can provide container isolation. The document concludes with some third-party security offerings and emerging technologies that aim to enhance container security.
Presented by Tim Mackey, Senior Technology Evangelist, Black Duck Software on August 17.
To use containers safely, you need to be aware of potential security issues and the tools you need for securing container-based systems. Secure production use of containers requires an understanding of how attackers might seek to compromise the container, and what you should be aware of to minimize that potential risk.
Tim Mackey, Senior Technical Evangelist at Black Duck Software, provides guidance for developing container security policies and procedures around threats such as:
1. Network security
2. Access control
3. Tamper management and trust
4. Denial of service and SLAs
5. Vulnerabilities
Register today to learn about the biggest security challenges you face when deploying containers, and how you can effectively deal with those threats.
Watch the webinar on BrightTalk: http://bit.ly/2bpdswg
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
This document discusses open-source tools for security and compliance using Docker containers. It introduces Anchore, an open-source tool that allows deep inspection of container images to check for compliance with policies. Anchore performs image scanning, analyzes operating system packages and artifacts, checks for secrets or source code, and validates Dockerfiles. It generates reports on findings and can integrate with DevOps pipelines using plug-ins for notifications and policy enforcement. Anchore is open-source, extensible, and provides both a web interface and command line tools.
Container Security Deep Dive & Kubernetes Aqua Security
Container Security Deep Dive & Kubernetes by Tsvi Korren, Director of Technical Services at Aqua.
Container security best practices and implications in a Kubernetes environment. Tsvi will cover security for your containerized applications from development, through build, ship, and run, and as a result, how to make your entire Kubernetes deployment more secure.
An In-depth look at application containersJohn Kinsella
Slides for a talk I gave to the NIST cloud security working group on the state of container security.
Due to this being a NIST talk, it's without branding or vendor mentions, where possible.
Csa container-security-in-aws-dw
Video: https://youtu.be/X2Db27sAcyM
This session will touch upon container security constructs and isolation mechanisms like capabilities, syscalls, seccomp and Firecracker before digging into secure container configuration recommendations, third-party tools for build- and run-time analysis and monitoring, and how Kubernetes security mechanisms and AWS security-focussed services interact.
This "mini" version of my CSA Congress talk about building a secure cloud was given at the San Francisco Cloud Security Meetup in November, 2011.
I got some great feedback while giving this talk, and will be applying it to an updated version of this deck which will be released during the CSA Congress, November 15th and 16th 2011.
This slide is the speech provided by me for InfoSec2020 (https://2020.infosec.org.tw/) conference in Taiwan. It describes the container security, what issues is. how to exploit it and how to defense it.
Practical Approaches to Container SecurityShea Stewart
This presentation was a discussion on how bringing container technology should be addressed with regards to security. It is focused on setting expectations that can achieve success when rolling out a new platform in enterprise environments.
Equifax cyber attack contained by containersAqua Security
1) The Equifax cyber attack compromised the personal information of around 143 million customers by exploiting a vulnerability in the Apache Struts framework that allows remote code execution.
2) The attack occurred from mid-May to July 2017 before it was detected, and shaved $4 billion off Equifax's market capitalization, around 25% of its total value.
3) Using containers may have helped prevent the Equifax attack by isolating vulnerable applications and limiting an attacker's ability to access additional internal resources and exfiltrate sensitive personal information if the vulnerable web application was contained.
Docker Security - Secure Container Deployment on LinuxMichael Boelen
How to securely deploy your containers, by the author of rkhunter and auditing tool Lynis.
Many introductory talks about Docker and its container technology, have been given. This attention to the subject is not surprising, seeing the amount of people "doing DevOps" now.
With container technology being fairly new on the Linux platform, the security aspects of containers are often being overlooked. While Linux containers do still not fully contain from a security point of view, we can definitely improve the security level of them.
In this talk, we have a look at the underlying Linux security measures, followed by the features Docker itself has to offer. The goal is to get an understanding how we can deploy containers in a secure way. After all, Docker is no longer just a toy, and our precious data is involved.
This session examines how Legal Counsel can help software development teams create an automated compliance process to make daily decisions related to open source licenses.
Attendees will learn how to leverage the identity and authorisation, network security and secrets management features of the wider AWS platform for their containers, including Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Container Service for Kubernetes (Amazon EKS). We also discuss best practices for the security of your container images such as scanning them for known vulnerabilities.
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
Presented on September 22, 2016 by Brent Baude, Principle Software Engineer, Atomic and Docker Development, Red Hat; Randy Kilmon, VP, Engineering, Black Duck
Organizations are increasingly turning to container environments to meet the demand for faster, more agile software development. But a 2015 study conducted by Forrester Consulting on behalf of Red Hat revealed that 53% of IT operations and development decision makers at global enterprises reported container security concerns as a barrier to adoption.
The challenges of managing security risk increase in scope and complexity when hundreds or even thousands of different open source software components and licenses are part of your application code base. Since 2014, more than 6,000 new open source security vulnerabilities have been reported, making it essential to have good visibility into and control over the open source in use in order to understand if any known vulnerabilities are present.
In this webinar, experts from Red Hat and Black Duck will share the latest insights and recommendations for securing the open source in your containers, including protecting them from vulnerabilities like Heartbleed, Shellshock and Venom. You’ll learn:
• Why container environments present new application security challenges, including those posed by ever-increasing open source use.
• How to scan applications running in containers to identify open source in use and map known open source security vulnerabilities.
• Best practices and methodologies for deploying secure containers with trust and confidence.
Embedded Fest 2019. Володимир Шанойло. High FIVE: Samsung integrity protectio...EmbeddedFest
Доповідь представить рішення з безпеки під назвою FIVE від компанії Samsung. Метою FIVE є моніторинг цілісності процесів Android та детектування зловмисних спроб модифікації оригінальних додатків та системних компонентів.
Ми поговоримо про можливі сценарії атак, спрямованих на цілісність додатків, зануримось у процес встановлення Java-додатків та розкажемо про проблеми, пов'язані з підрахунком та подальшою перевіркою цілісності нативних та Java програм. Наостанок ми покажемо, як саме FIVE захищає цілісність Android-додатків на телефонах Samsung.
Docker is revolutionizing the way organizations build and deploy applications. But while containers make it easier to development teams to package applications with all their dependencies, they make it harder for operations teams to control what software is deployed into production. In this session you will see how Black Duck Hub helps development and operations teams maintain complete visibility and control of the open source in their containers.
Effective security requires a layered approach. If one layer is comprised, the additional layers will (hopefully) stop an attacker from going further. Much of container security has focused on the image build process and providing providence for the artifacts in a container image, and restricting kernel level tunables in the container runtime (seccomp, SELinux, capabilities, etc). What if we can detect abnormal behavior in the application and the container runtime environment as well? In this talk, we’ll present Falco - an open source project for runtime security - and discuss how it provides application and container runtime security. We will show how Falco taps Linux system calls to provide low level insight into application behavior, and how to write Falco rules to detect abnormal behavior. Finally we will show how Falco can trigger notifications to stop abnormal behavior, notify humans, and isolate the compromised application for forensics. Attendees will leave with a better understanding of the container security landscape, what problems runtime security solves, & how Falco can provide runtime security and incident response.
07182013 Hacking Appliances: Ironic exploits in security productsNCC Group
The document discusses security vulnerabilities found in various security appliance products. It describes easy password attacks, cross-site scripting vulnerabilities with session hijacking, lack of account lockouts, and other issues found across email/web filtering, firewall, and remote access appliances from vendors like Barracuda, Symantec, Trend Micro, Sophos, Citrix, and others. Many appliances were found to have command injection flaws allowing root access. Vendors' responses to reported vulnerabilities varied, with some issues getting addressed within months while others saw no fixes. The author advocates defense-in-depth practices and keeping appliances updated with vendor patches.
Docker provides security features to secure content, access, and platforms. It delivers integrated security through content trust, authorization and authentication, and runtime containment using cGroups, namespaces, capabilities, seccomp profiles, and Linux security modules.
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
Containers have had an incredibly large adoption rate since Docker was launched, especially from the developer community, as it provides an easy way to package, ship, and run applications. Securing your container-based application is now becoming a critical issue as applications move from development into production. In this session, you learn ways to implement storing secrets, distributing AWS privileges using IAM roles, protecting your container-based applications with vulnerability scans of container images, and incorporating automated checks into your continuous delivery workflow.
Presented by Tim Mackey, Senior Technology Evangelist, Black Duck Software on August 17.
To use containers safely, you need to be aware of potential security issues and the tools you need for securing container-based systems. Secure production use of containers requires an understanding of how attackers might seek to compromise the container, and what you should be aware of to minimize that potential risk.
Tim Mackey, Senior Technical Evangelist at Black Duck Software, provides guidance for developing container security policies and procedures around threats such as:
1. Network security
2. Access control
3. Tamper management and trust
4. Denial of service and SLAs
5. Vulnerabilities
Register today to learn about the biggest security challenges you face when deploying containers, and how you can effectively deal with those threats.
Watch the webinar on BrightTalk: http://bit.ly/2bpdswg
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
This document discusses open-source tools for security and compliance using Docker containers. It introduces Anchore, an open-source tool that allows deep inspection of container images to check for compliance with policies. Anchore performs image scanning, analyzes operating system packages and artifacts, checks for secrets or source code, and validates Dockerfiles. It generates reports on findings and can integrate with DevOps pipelines using plug-ins for notifications and policy enforcement. Anchore is open-source, extensible, and provides both a web interface and command line tools.
Container Security Deep Dive & Kubernetes Aqua Security
Container Security Deep Dive & Kubernetes by Tsvi Korren, Director of Technical Services at Aqua.
Container security best practices and implications in a Kubernetes environment. Tsvi will cover security for your containerized applications from development, through build, ship, and run, and as a result, how to make your entire Kubernetes deployment more secure.
An In-depth look at application containersJohn Kinsella
Slides for a talk I gave to the NIST cloud security working group on the state of container security.
Due to this being a NIST talk, it's without branding or vendor mentions, where possible.
Csa container-security-in-aws-dw
Video: https://youtu.be/X2Db27sAcyM
This session will touch upon container security constructs and isolation mechanisms like capabilities, syscalls, seccomp and Firecracker before digging into secure container configuration recommendations, third-party tools for build- and run-time analysis and monitoring, and how Kubernetes security mechanisms and AWS security-focussed services interact.
This "mini" version of my CSA Congress talk about building a secure cloud was given at the San Francisco Cloud Security Meetup in November, 2011.
I got some great feedback while giving this talk, and will be applying it to an updated version of this deck which will be released during the CSA Congress, November 15th and 16th 2011.
This slide is the speech provided by me for InfoSec2020 (https://2020.infosec.org.tw/) conference in Taiwan. It describes the container security, what issues is. how to exploit it and how to defense it.
Practical Approaches to Container SecurityShea Stewart
This presentation was a discussion on how bringing container technology should be addressed with regards to security. It is focused on setting expectations that can achieve success when rolling out a new platform in enterprise environments.
Equifax cyber attack contained by containersAqua Security
1) The Equifax cyber attack compromised the personal information of around 143 million customers by exploiting a vulnerability in the Apache Struts framework that allows remote code execution.
2) The attack occurred from mid-May to July 2017 before it was detected, and shaved $4 billion off Equifax's market capitalization, around 25% of its total value.
3) Using containers may have helped prevent the Equifax attack by isolating vulnerable applications and limiting an attacker's ability to access additional internal resources and exfiltrate sensitive personal information if the vulnerable web application was contained.
Docker Security - Secure Container Deployment on LinuxMichael Boelen
How to securely deploy your containers, by the author of rkhunter and auditing tool Lynis.
Many introductory talks about Docker and its container technology, have been given. This attention to the subject is not surprising, seeing the amount of people "doing DevOps" now.
With container technology being fairly new on the Linux platform, the security aspects of containers are often being overlooked. While Linux containers do still not fully contain from a security point of view, we can definitely improve the security level of them.
In this talk, we have a look at the underlying Linux security measures, followed by the features Docker itself has to offer. The goal is to get an understanding how we can deploy containers in a secure way. After all, Docker is no longer just a toy, and our precious data is involved.
This session examines how Legal Counsel can help software development teams create an automated compliance process to make daily decisions related to open source licenses.
Attendees will learn how to leverage the identity and authorisation, network security and secrets management features of the wider AWS platform for their containers, including Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Container Service for Kubernetes (Amazon EKS). We also discuss best practices for the security of your container images such as scanning them for known vulnerabilities.
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
Presented on September 22, 2016 by Brent Baude, Principle Software Engineer, Atomic and Docker Development, Red Hat; Randy Kilmon, VP, Engineering, Black Duck
Organizations are increasingly turning to container environments to meet the demand for faster, more agile software development. But a 2015 study conducted by Forrester Consulting on behalf of Red Hat revealed that 53% of IT operations and development decision makers at global enterprises reported container security concerns as a barrier to adoption.
The challenges of managing security risk increase in scope and complexity when hundreds or even thousands of different open source software components and licenses are part of your application code base. Since 2014, more than 6,000 new open source security vulnerabilities have been reported, making it essential to have good visibility into and control over the open source in use in order to understand if any known vulnerabilities are present.
In this webinar, experts from Red Hat and Black Duck will share the latest insights and recommendations for securing the open source in your containers, including protecting them from vulnerabilities like Heartbleed, Shellshock and Venom. You’ll learn:
• Why container environments present new application security challenges, including those posed by ever-increasing open source use.
• How to scan applications running in containers to identify open source in use and map known open source security vulnerabilities.
• Best practices and methodologies for deploying secure containers with trust and confidence.
Embedded Fest 2019. Володимир Шанойло. High FIVE: Samsung integrity protectio...EmbeddedFest
Доповідь представить рішення з безпеки під назвою FIVE від компанії Samsung. Метою FIVE є моніторинг цілісності процесів Android та детектування зловмисних спроб модифікації оригінальних додатків та системних компонентів.
Ми поговоримо про можливі сценарії атак, спрямованих на цілісність додатків, зануримось у процес встановлення Java-додатків та розкажемо про проблеми, пов'язані з підрахунком та подальшою перевіркою цілісності нативних та Java програм. Наостанок ми покажемо, як саме FIVE захищає цілісність Android-додатків на телефонах Samsung.
Docker is revolutionizing the way organizations build and deploy applications. But while containers make it easier to development teams to package applications with all their dependencies, they make it harder for operations teams to control what software is deployed into production. In this session you will see how Black Duck Hub helps development and operations teams maintain complete visibility and control of the open source in their containers.
Effective security requires a layered approach. If one layer is comprised, the additional layers will (hopefully) stop an attacker from going further. Much of container security has focused on the image build process and providing providence for the artifacts in a container image, and restricting kernel level tunables in the container runtime (seccomp, SELinux, capabilities, etc). What if we can detect abnormal behavior in the application and the container runtime environment as well? In this talk, we’ll present Falco - an open source project for runtime security - and discuss how it provides application and container runtime security. We will show how Falco taps Linux system calls to provide low level insight into application behavior, and how to write Falco rules to detect abnormal behavior. Finally we will show how Falco can trigger notifications to stop abnormal behavior, notify humans, and isolate the compromised application for forensics. Attendees will leave with a better understanding of the container security landscape, what problems runtime security solves, & how Falco can provide runtime security and incident response.
07182013 Hacking Appliances: Ironic exploits in security productsNCC Group
The document discusses security vulnerabilities found in various security appliance products. It describes easy password attacks, cross-site scripting vulnerabilities with session hijacking, lack of account lockouts, and other issues found across email/web filtering, firewall, and remote access appliances from vendors like Barracuda, Symantec, Trend Micro, Sophos, Citrix, and others. Many appliances were found to have command injection flaws allowing root access. Vendors' responses to reported vulnerabilities varied, with some issues getting addressed within months while others saw no fixes. The author advocates defense-in-depth practices and keeping appliances updated with vendor patches.
Docker provides security features to secure content, access, and platforms. It delivers integrated security through content trust, authorization and authentication, and runtime containment using cGroups, namespaces, capabilities, seccomp profiles, and Linux security modules.
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
Containers have had an incredibly large adoption rate since Docker was launched, especially from the developer community, as it provides an easy way to package, ship, and run applications. Securing your container-based application is now becoming a critical issue as applications move from development into production. In this session, you learn ways to implement storing secrets, distributing AWS privileges using IAM roles, protecting your container-based applications with vulnerability scans of container images, and incorporating automated checks into your continuous delivery workflow.
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
This document discusses securing container-based applications. It covers container and OS security best practices like using Linux namespaces and cgroups for isolation, reducing the container attack surface, and hardening container images. It also discusses securing the container lifecycle through vulnerability scanning, configuration governance with Amazon ECS, and using secrets management. Finally, it shows how to automate security deployments through the CI/CD pipeline and tools like CloudFormation and CodeDeploy.
This document discusses vSphere Integrated Containers, a solution from VMware that allows running containers natively on vSphere alongside traditional virtual machines. It provides an overview of key components like the Virtual Container Host, Photon OS, Harbor registry, and Admiral management portal. These components give developers a portable, lightweight container experience while also providing operations teams the visibility, management, and security capabilities of vSphere for containers in production.
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
Michael Wardrop, Netflix
Usage of containers has undergone rapid growth at Netflix and it is still accelerating. Our container story started organically with developers downloading Docker and using it to improve their developer experience. The first production workloads were simple batch jobs, pioneering micro-services followed, then status as a first class platform running critical workloads.
As the types of workloads changed and their importance increased, the security of our container ecosystem needed to evolve and adapt. This session will cover some security theory, architecture, along with practical considerations, and lessons we learnt along the way.
Docker provides security for containerized applications using Linux kernel features like namespaces and cgroups to isolate processes and limit resource usage. The Docker daemon manages these Linux security mechanisms to build secure containers. Docker images can also be scanned for vulnerabilities and signed with content trust to ensure only approved container images are deployed in production.
Docker is the developer-friendly container technology that enables creation of your application stack: OS, JVM, app server, app, database and all your custom configuration. So you are a Java developer but how comfortable are you and your team taking Docker from development to production? Are you hearing developers say, “But it works on my machine!” when code breaks in production? And if you are, how many hours are then spent standing up an accurate test environment to research and fix the bug that caused the problem?
This workshop/session explains how to package, deploy, and scale Java applications using Docker.
Dockerized containers are the current wave that promising to revolutionize IT. Everybody is talking about containers, but a lot of people remain confused on how they work and why they are different or better than virtual machines. In this session, Black Duck container and virtualization expert Tim Mackey will demystify containers, explain their core concepts, and compare and contrast them with the virtual machine architectures that have been the staple of IT for the last decade.
Understanding docker ecosystem and vulnerabilities pointsAbdul Khan
Docker has given many developers an easy platform with which to build and deploy scalable containerised applications and services. In this presentation docker is explored but it’s importance to understand the vulnerable endpoints of the docker ecosystem.
This document provides an overview of container security best practices. It discusses challenges in securing components of the container infrastructure like images, registries, runtimes and orchestrators. It outlines common container threats like privilege escalation attacks and misconfigured containers. The document recommends mitigations like using vetted base images, access controls, network segmentation and updating components. It also references resources like the OWASP Docker Top 10, NIST container security guide and CIS Docker benchmark that provide guidelines for container hardening. In summary, the key is to monitor components, limit access, use segmentation and follow security standards to protect the container environment.
Docker EE 2.0 provides choice, security, and agility for container deployments. It offers more than just containers and orchestration, including lifecycle management, governance, and security features. Docker EE can deploy applications on Linux and Windows across on-premises and cloud infrastructure. It supports both Docker Swarm and Kubernetes orchestrators. Security features include image scanning, role-based access control, and audit logging to secure the software supply chain. Docker EE aims to provide a unified platform for both traditional and microservices applications.
This document discusses security considerations for Docker containers. It covers three main aspects: securing the platform/infrastructure by hardening the Docker engine and hosts; securing container content through image management, content trust, and secrets management; and securing access and operations through authentication, authorization, access control, auditing, and multi-tenancy. While containers provide isolation and security benefits, the document emphasizes that containers must still follow security best practices to prevent compromise, especially as container usage evolves from individual services to larger applications.
From Containerized Application to Secure and Scaling With KubernetesShikha Srivastava
Discuss following:
What does it really take to make sure your application is production ready?
With new privacy regulations being added, many aspects need to be taken into account when deciding when to deliver your final application is ready for production.
Can your application handle multiple users with different levels of access?
Can you extend your application to use existing authentication and authorization platforms?
Have you invested in using Mutual TLS for communication between components?
How do you manage the certificates and passwords used within your product?
Is CICD your friend or your enemy when it comes to delivering your product?
Have you considered the availability and scalability of the application?
This document discusses anatomy of cloud hacks by analyzing past data breaches and vulnerabilities. It begins by looking at known attacks where compromised infrastructure was based in the cloud. Specific case studies of attacks on Code Spaces, Olindata, and Tesla are described. The document then covers techniques for enumerating cloud services and resources like storage containers. Methods for gaining an initial foothold like leaked credential hunting and exploiting server-side request forgery are also outlined.
This document summarizes Docker security features as of release 1.12. It discusses key security modules like namespaces, cgroups, capabilities, seccomp, AppArmor/SELinux that provide access control and isolation in Docker containers. It also covers multi-tenant security, image signing, TLS for daemon access, and best practices like using official images and regular updates.
The ABC of Docker: The Absolute Best Compendium of DockerAniekan Akpaffiong
Containers provide a lightweight virtualization approach compared to virtual machines. Containers share the host operating system kernel and isolate applications at the process level, while virtual machines run a full guest operating system and require hypervisor software. Containers have a smaller footprint and overhead than virtual machines since they share resources more efficiently. Both containers and virtual machines provide portability and isolation benefits for applications.
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...Vincent Giersch
University of Kent 2013 - CO899 System security
Presentation of the article:
Salah K, et al, Computers & Security (2012), http://dx.doi.org/10.1016/j.cose.2012.12.001
Runcy Oommen discusses security for cloud native workloads and containers. Some key points include:
1) The shared responsibility model where cloud providers and customers both have responsibilities for security.
2) Securing the container lifecycle from build to deploy to run through measures like limiting access, resource management, and network segmentation.
3) Kubernetes security improvements such as disabling anonymous authentication, configuring admission controllers, pod security policies, enabling RBAC, and using network policies.
Similar to Container security Familiar problems in new technology (20)
Malware on workstations is annoying enough, but when an attacker accesses your systems using remote desktop or other interactive software, you feel down right violated.
The presentation includes a technical dive into forensic artifacts generated during interactive logon sessions with multiple examples from real-life investigations. The presentation covers well known artifacts including MuiCache, UserAssist, and Windows Recycler, but also explores lesser known artifacts including the RDP Bitmap Cache, the Windows 10 Timeline, and Jumplists.
Speaker Bio:
Phillip Kealy is the Senior Manager for Incident Response for the Mandiant Denver and Phoenix offices and provides emergency services to clients when a security breach occurs. With over 15 years of experience in both private and public sector environments, Mr. Kealy has a background in incident response, security architecture, and networking
Automation and open source turning the tide on the attackersFrank Victory
TOPIC: Automation and Open Source, Turning the Tide on Attackers
The security world is still trying figure out how to deal with the overwhelming number of security alerts and data deluge most SOCs are faced with and then turn them into intelligence that is useful and actionable. Throwing more people and tech at the problem has proven to be ineffective and costly. In this talk I walk through methods and tools (that you can actually employ) to turn the tide in your favor and create a security team that proactively deals with threats.
This document discusses cloud computing and cloud services. It defines cloud computing as putting resources and services in the cloud so companies do not have to own their own hardware. The main types of cloud services are Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Some major cloud providers are Amazon Web Services, Microsoft Azure, and Google Cloud. The document also covers security threats in cloud computing and important controls for cloud security including architecture, identity and access management, governance, and ensuring confidentiality, integrity and availability of data.
This document discusses wireless networking standards and vulnerabilities. It covers:
1. Wi-Fi standards including IEEE 802.11, common environments like multiple access points and hotspots, and wireless vocabulary.
2. Vulnerabilities in wireless encryption like WEP and ways to break it by intercepting initialization vectors.
3. Attacks on wireless networks including exploiting weak encryption standards, attacking access points by brute forcing passwords, and compromising endpoints like user laptops broadcasting nearby networks.
as presented at SnowFROC 2017 https://snowfroc.com/
by Denver Chapter of OWASP - https://www.owasp.org/index.php/Denver
Learn of the different college programs around Colorado
• Learn of different certifications
• Decide which is better for you
• Understand the challenges facing our industry
• Learn of extracurricular activities like
-RMCCDC and Cyber Patriots
Phishing Forensics - SnowFROC - Denver Chapter of OWASP Frank Victory
This document discusses phishing forensics and analysis techniques. It describes common types of phishing like deceptive, spear, and CEO fraud phishing. It then provides steps for basic analysis like submitting URLs to phishtank and advanced analysis using tools like Burp Suite, Alienvault, and Maltego. Finally, it discusses analyzing browser forensics for Google Chrome, Firefox, and Internet Explorer using tools like Hindsight and WinUFO. The overall document provides an overview of phishing techniques and analysis methods for investigating phishing attacks.
The document discusses deception in warfare and provides some key principles: Dt + Rt < At, which means deception plus reality is less than apparent truth. It also mentions the "Three A's" of annoyance, attribution, and attack. The document encourages thinking about a range of options in any situation and quotes Sun Tzu's principle that "all warfare is based on deception." It concludes by providing contact information for the author and information on free webcasts.
The document discusses threats to DNS security and solutions. It describes how distributed denial of service (DDoS) attacks target name servers and use them to amplify attacks. Monitoring DNS traffic volumes and top clients can help detect attacks. Deploying anycast routing and response rate limiting makes attacks less effective by load balancing queries across multiple servers.
Authentication verifies a user's identity by validating credentials like a username and password. Authorization then determines what access and permissions an authenticated user has. Authentication methods can include something you know like passwords, something you have like tokens or smartcards, or something you are like biometrics. Common authentication practices for systems include setting password policies, locking accounts after failed logins, and disabling unused accounts. Proper authentication helps implement access controls and security.
This document discusses various types of malware including viruses, spyware, grayware, and phishing. It provides details on the characteristics and behaviors of viruses, how they replicate and spread. It also discusses signs of infection and methods for detecting, preventing, and remediating malware through antivirus software, firewalls, and user education. Common remediation steps mentioned include repairing infected files, quarantining them, or deleting them. The document also covers spyware, grayware, phishing attacks and their risks as well as countermeasures organizations can take to help protect against social engineering and malicious software threats.
The document discusses various web-based attacks such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). It provides an overview of these attacks, including how they work and examples. It also covers related topics like the HTTP protocol, URLs, cookies, and the OWASP Top 10 list of most critical web application security risks.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
7. • CVE-2019-5736 – Doomsday runC
• Container escape that affects the open source command line this vulnerability could allow an
attacker-controlled container to gain root-level code execution to the Docker host by
overwriting the runC binary
• CVE-2019-1003065 – Docker Community Edition Trojan Horse
• Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing
a Trojan horse docker-credential-wincred.exe file in
%PROGRAMDATA%DockerDesktopversion-bin as a low-privilege user, and then waiting for an
admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force
the command.
• CVE-2019-11253 – Billion Laughs Attack
• XML parser DoS vulnerability in the API server due to kube-api not performing input validation
or putting size restriction on YAML files
7
CONTAINER & KUBERNETES SPECIFIC
VULNERABILITIES
8. INSECURE DOCKER HUB IMAGES
15.9
40.5
Official
Images
Community
Images
Average number of
vulnerabilities in Docker Hub1
Source: Tenable, “Sourcing Container Images from Docker Hosts,” 2017
8
9. • 0 days get press and hype
• Cyber Hygiene is equally important
9
100+ DAY VULNERABILITIES
12. IMAGE SCANNING
12
Layer 1
Layer 2
Layer 3
Layer 4
Container Image
PRO TIP:
BEWARE OF FALSE POSITIVES
Higher container image layers often
remediate vulnerabilities found in
lower layers
13. SET RISK THRESHOLDS
13
Write container security policies
that align to security goals
Notify developers immediately
when container images exceed
organization risk thresholds
RegistryTestBuild
Source
Control
Build Container
Unit Tests
API Tests
Security Tests
Push to Registry
⛔️
⛔️
15. • Subject
• A subject represents a user, team, organization, or a service account. A subject can be granted a
role that defines permitted operations against one or more resource sets.
• Role
• Roles define what operations can be done by whom. A role is a set of permitted operations
against a type of resource, like a container or volume, which is assigned to a user or a team with
a grant.
• Grant
• A grant is made up of a subject, a role, and a resource/resource set.
• Grants are effectively Access Control Lists (ACLs) which provide comprehensive access policies
for an entire organization when grouped together.
15
ACCESS CONTROL MODEL
16. • Namespace
• A namespace is a logical area for a Kubernetes cluster. Kubernetes comes with a default namespace for
your cluster objects, plus two more namespaces for system and public resources.
• You can create custom namespaces
• Resource types that users can access in a Kubernetes namespace include pods, deployments, network
policies, nodes, services, secrets, and many more
16
ACCESS CONTROL MODEL - ORCHESTRATION
17. • Cgroups – limits the resources a process has access to (CPU, Memory, etc.)
• Namespaces – limits what a container can see
• Default: root on container is also root on the host due to shared kernel
• Update your dockerfile to create a uid for each application process
• Ensure containers are not running in privileged mode unless absolutely necessary
• Only enable docker socket if absolutely necessary
• Unix socket for the daemon listens on
• Enables direct communication with the daemon from within container
17
CONTAINER ACCESS CONTROL
18. • SecComp
• Acts as a whitelist for system calls
• Disables 44 system calls by default
• Only available if Docker kernel has seccomp available – to check:
• AppArmor
• Linux kernel security module that you can use to restrict the capabilities of processes running on the host
operating system
• The security profile allows or disallows specific capabilities, such as network access or file
read/write/execute
18
CAPABILITY LIMITATION
19. • Ensure orchestrator authentication directory isn’t creating orphaned accounts
• Default orchestrator accounts tend to be admin
• Leverage security zones and namespaces
• Groups nodes and prevents orchestrators from scheduling mixed sensitivity workloads on a
given node
19
ORCHESTRATOR ACCESS CONTROL
20. • CIS Docker Host benchmark
• Audits all layers of the stack (host, daemon, runtime etc.) security settings to bring them in line
with best practices
• Built into some vulnerability scanning tools
• NIST SP 800-190 Application Container Security Guide
• Contains risks, countermeasures, threat scenarios, security lifecycle considerations
• CNCF Kubernetes Security Audit
• Commissioned by the community, performed by Trail of Bits
• Very open and detailed with findings
• Offers a whitepaper and threat modeling scenarios
20
WHERE TO START: STANDARDS AND BEST PRACTICES
23. • Scales security influence without scaling headcount
• Reinforces the mantra that security is everyone’s responsibility
• Gamification and wall of fame can increase adoption
• Avoid name and shame
• Avoids complete decentralization but minimizes bottlenecks
23
SECURITY CHAMPIONS
24. • Most security incidents are not the result of malicious insiders
• Development, security & business need to be on the same page
• Creates shared ownership
• Determines security tradeoffs to cost, scope, and timeline up-front
• Helps build security considerations into the earliest phase of development
24
COLLABORATIVE THREAT MODELING
25. • Security fundamentals need to be adapted for faster pace of development
• Communicate standards and risk thresholds up front if enforcement will be
automated
• Take advantage of portability and create golden, reusable images
• Collaborate to avoid bottlenecks
25
SUMMARY
It’s impossible to protect what you don’t know is out there which makes visibility into your environment and specifically visibility that can differentiate containers an essential starting point
The easiest way to do this through an infrastructure scan that can detect docker hosts
The average host is running 8 containers
Once you detect container hosts, it’s important to harden them based on best practices like the CIS benchmark for docker but more importantly, this is where the real work begins
It’s easy to think of containers security and focus on the the container itself but containerization is more than just a little container, it’s an entirely new application development and deployment paradigm that comes with an entire new ecosystem to protect
Docker Daemon checks the client request and communicates with the Docker components in order to perform a service whereas, Docker Engine or Docker is the base engine installed on your host machine to build and run containers using Docker components and services
Image - a read-only template with instructions for creating a Docker container. Generally comprised of a base image (minimal version of Ubuntu, linux, etc.) additional layers vary by container purpose and resemble modern web applications the most commonly used images are Nginx for running HTTP servers, redis for caching, and postgres Image also contains the declarative manifest for how the container runs e.g. the dockerfile
Container - a runnable instance of an image
Registry/Repository - stores Docker images. Docker Hub is a public registry that anyone can use, and Docker is configured to look for images on Docker Hub by default. Can also use private registries or registries provided by cloud platforms AWS ECR, Google container reg, azure container registry
Client - the primary way that many Docker users interact with Docker
Daemon - listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes. A daemon can also communicate with other daemons to manage Docker services
Per datadog 50% of all deployments run in orchestrated environments
Pod - A Pod is the basic execution unit of a Kubernetes application–the smallest and simplest unit in the Kubernetes object model that you create or deploy. A Pod represents processes running on your Cluster.
Node - A node is a worker machine in Kubernetes, Each node contains the services necessary to run pods and is managed by the master components
Cluster - A cluster is a set of machines, called nodes, that run containerized applications managed by Kubernetes. A cluster has at least one worker node and at least one master node.
Kubectl - a command line interface for running commands against Kubernetes clusters
Kubernetes Master
API Server -REST API that validates and configures data for API objects such as pods, services, replication controllers
Scheduler - Scheduler that manages availability, performance, and capacity.
Controller Manager - Daemon that embeds the core control loops shipped with Kubernetes.
etcd – distributed storage system that manages cluster state
Kubelet - The primary node agent that runs on each node. The kubelet takes a set of PodSpecs and ensures that the described containers are running and healthy.
Kube-proxy - Can do simple TCP/UDP stream forwarding or round-robin TCP/UDP forwarding across a set of back-ends
Vulnerabilities have been present in every software component since time immemorial and now with increased complexity and software defined everything the number of components that can and will have vulnerabilities is only increasing
Containerized environments are susceptible to all manner of component and code vulnerabilities as well as some unique ones that we’ll take a look at next
Runc is a container escape vulnerability runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec.
I highlighted vulnerabilities within docker, docker community, and Kubernetes to show that these vulnerabilities can exist within any stage of container adoption from docker community where it might be one developer or a small team to full fledged orchestrated
Cryptojacking
Identify front facing systems and websites vulnerable to remote code execution and inject code via API or through webform. Code traverses to container environment
Code executes when container is spun up, code is executed and commands are sent directly to the shell
Cryptomining malware is downloaded through a wget command
If you ever needed evidence that “trust but verify” isn’t going away any time soon this should be it. Even official versions of images from reputable sources in the official docker hub repository are riddled with vulnerabilities.
Cyber hygiene – doing the basics right is fundamental to security, more important the protecting yourself immediately from the next 0 day attack
Cyber hygiene becomes more difficult as more and more complexity is introduced to the environment. And containerization is very complex with several moving parts, microservices, and network overlays creating an obfuscation layer
Increased velocity is generally a byproduct of making more, smaller changes and it’s tempting to say that if there are only small changes being made then testing becomes less important
This thinking is a recipe for lots of small vulnerabilities getting through and causing havoc especially in microservices and containers that are meant to be deployed in bunches and built for autoscaling, one vulnerability in a container can quickly become 5 vulnerabilities in your production environment
Testing remains very important and done right it can remove security bottlenecks throughout the development process
there are a number of arguments to be made in favor of finding and fixing vulnerabilities as early as possible and that’s even more relevant with containers
There shouldn’t be differences between environments which removes the reason of dev/test/qa being behind production and different
From the developer’s laptop there’s generally an automated toolchain used for continuous integration and continuous deployment, as soon as an image is built it should go through automated testing
An important one and one that’s generally more convincing across stakeholder units is the economic and time argument for finding and fixing vulnerabilities as soon as possible. This leaves minimal time for the person who wrote the initial code to move on to new projects or move on all together so a new person needs to familiarize themselves with the codebase before implementing any fix. This time and money argument can be very persuasive but it needs to be implemented correctly.
Ensure the tool you’re using to scan images gives layer level detailed information. A lot of patching happens in development and falls to the developers who don’t want to waste cycles guessing what to patch where and falling victim to false positives
Suppose that you have a base image that includes mypkg 1.2.7 (without the fix), so we know it is vulnerable. If the scanner simply reports vulnerabilities layer by layer, it will appear that the issue is present in any child image, even if the package gets replaced with version 1.3.0 in a different layer. Another false positive.
Let’s say that there’s a fictional package mypkg version 1.2.7 with a vulnerability (that I’m making up) called CVE-999. The maintainers of mypkg fixed the vulnerability, and the fix made it into the release of mypkg 1.3.0. So the vulnerability database might say that CVE-999 is known to exist in any version of mypkg before 1.3.0.
Now, several other fixes and features went into 1.3.0 upstream, and let’s imagine that the owner of the image being scanned didn’t want all of them. Instead, she decided to cherry-pick just the fix for CVE-999. She rebuilt her own version of the mypkg and called it 1.2.7.12345.
According to the database, it would seem that the vulnerability is still there, because 1.2.7.12345 is lower than 1.3.0 where the fix is known to have been applied. But it’s a false positive.
Do not get complacent with images in repositories that have been scanned and patched before. As with any software, vulnerabilities will constantly be found in the software that makes up your image layers. Consistent scanning, patching, and re-deploying new secure versions of any containers running the image is required. This is where the immutability and portability of containers actually plays well with security. There’s no need to deploy complex patches to running applications, you can simply tear down the container and replace. The orchestrator will automatically pull the most recent (secure) version of the image to rebuild the container.
Access control here comes down to what different users and components can see and what they can do
Access control has two purposes, keep malicious actors out and if they get in, limit what they can do and where they can go to limit the blast radius of any breach
Now let’s get into several ways you can implement a containment strategy for your containers
https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b
Avoid running containers as uid 0, if possible.
Containers leverage two concepts to govern access control and resource utilization – namespaces and cgroups
Namespace – what you can see
Cgroups what you can do/what resources you have access to – useful for preventing buffer overflow type attacks by limiting the amount of memory a given process/container is allocated
In addition to these tools, you can drop individual capabilities from your container as part of the build CAP_SYS_ADMIN is a specially nasty one in terms of security, it grants a wide range of root level permissions
SecComp, AppArmor and SELinux are linux kernel security modules that can be applied to containers to limit capabilities but one thing to remember is they’re meant to be broadly applicable. So in a sense these are made for “less privilege” but they’re not aware of how your containers will be used in your environment so even after applying these profiles or instead of applying these profiles if they’re not available it’s recommended that you list and remove individual capabilities that aren’t necessary
Kubernetes namespaces were developed as a method to help provide workload isolation. Running multiple, potentially multi-tenant, workloads in the same namespace sidesteps the protections of namespaces, resulting in a single large and flat namespace.
In Docker EE with Swarm mode, administrators have the ability of influencing these scheduling decisions by using labels that are securely attached to the individual node identities. These labels allow administrators to group nodes together into different security zones limiting the exposure of particularly sensitive workloads and any secrets related to them.
If you’re just starting out with containers it’s good to have a guide and some best practices, the good news is these exist for every level of the container ecosystem
Start with the hosts because if you build bullet proof applications on top of swiss cheese infrastructure you’re still extremely vulnerable
Next move on to the containers themselves with a detailed overview of common issues and countermeasures as well as things to keep in mind from the design of your first container to decommissioning