[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh, Security Engineer at mgm technology partners Vietnam

•

1 like•174 views

Docker containers are a fast-growing technology that has become hugely popular in the software industry nowadays. It offers amazing benefits but also presents the developer with lots of security challenges. This talk will give you an introduction to Docker as well basic security best practices. But don’t worry, we will also do some live hacking :).

Technology

München Aachen Bamberg Berlin Boswil Đà Nẵng Dresden Grenoble Hamburg Köln Leipzig Nürnberg Prag Stuttgart Washington Zug
Docker Security
Phạm Hồng Khánh
Are your
containers safe?
Do you dockerize?

08.04.2019 2
Graduated from DUT
Web Application Security Engineer at mgm
security partners
5 years IP Networking
3 years Infrastructure Operations
whoami
Phạm Hồng Khánh
khanh.hong.pham@mgm-sp.com

08.04.2019 3
Slow deployment times
Huge costs
Wasted resources
Difficult to scale
Difficult to migrate
Dark Ages - One Application - One Server

08.04.2019 4
Benefits
One physical machine divided
into multiple virtual machines
Limitations
Resources
An entire Guest OS
Hypervisor-based Virtualization

08.04.2019 5
Containers vs. Virtualization
lightweight & flexible
A docker container is
minimal
task specific
isolated
reproducible
Docker Overview

08.04.2019 8
Let‘s try something!
Build, Ship, Run

08.04.2019 9
HOST
RESOURCES
CONTAINERS
IMAGES
REGISTRY

08.04.2019 11
“It doesn‘t matter how many locks are
on your door if your window is open“

08.04.2019 12
Know your threat model and your attack surface!

08.04.2019 13
HOST
RESOURCES
CONTAINERS
IMAGES
REGISTRY
Docker Attack Surfaces

08.04.2019 14
Images are the basis of a docker container,
so we just use them all, don‘t we?
Docker Image Security
IMAGES

08.04.2019 15
Let‘s try something!
Crypto Mining Container

08.04.2019 16
 17 cryptomining containers on Docker Hub
 Active for almost a year
 Made around $90,000 = 2 Billion VND in Bitcoins
Docker Image Security

08.04.2019 17
Use official repositories as parent images
Scan images! Micro Badger
Sign images / verify signatures
Do not put secrets in images!
What can we do to have a safe image?

08.04.2019 18
Private Registry Security
Cheap, under your control
You have to think about everything yourself!
Hosted
AWS or Google or DockerHub
More features
Privacy! Costs!
A secure Docker Registry
REGISTRY

08.04.2019 19
Secure defaults
Docker Container Security
Can be more robust
CONTAINERS

08.04.2019 20
Let‘s try something!
Privileged Container

08.04.2019 22
Docker is only as secure as the underlying host!
Best Practices
Make sure your system is patched and monitored!
Use minimal systems designed for this purpose as base system
Docker itself should be configured securely
Docker Host Security HOST

08.04.2019 23
https://github.com/docker/docker-bench-security
Docker Bench Security

08.04.2019 24
 Know your attack surface!
 Docker: okay by default
 Solution:
Harden your Containers!
Test and audit regularly
Keep everything up to date
Tips: “How to be safe“!
HOST
CONTAINERS REGISTRY
IMAGES

08.04.2019 27
Innovation Implemented.
mgm technology partners
Vietnam
07 Phan Chau Trinh, Đà Nẵng
Tel.: +49 (89) 35 86 80-0
Fax: +49 (89) 35 86 80-288
www.mgm-tp.com
PragMünchen Berlin Hamburg Köln NürnbergGrenoble LeipzigDresdenBamberg ZugĐà NẵngAachen WashingtonStuttgart

Lightning talk from the OpenStack NYC meetup on October 8, 2014. http://bit.ly/ibm-os-meetup By Paolo Dettori and Seetharami Seelam We will describe our experiences running Docker containers in a multi-node OpenStack environment deployed on public cloud infrastructure. From this we will show DockerCloud, providing IaaS like capabilities for Docker containers as well as container orchestration on OpenStack. The content of this talk is a statement from the IBM Research division, not IBM product divisions, and is not a statement from IBM regarding its plans, directions or product intents. Any activities described by this talk are subject to change.

Wocker & WordCamp Kansai 2015

Kite Koga

Linux Container Primitives and Runtimes - AWS Summit Sydney

Amazon Web Services

In this session we'll explore the different Linux primitives that are commonly used in implementing container runtimes. We’ll learn about cgroups, namespaces and union filesystems and explain how these are leveraged by container runtimes like Docker to deliver powerful container management system. In this session we’ll demonstrate how Docker uses each of these primitives and show how you can effectively inspect and troubleshoot containers from the host operating system.

Illustrated Intro to Containers & Kubernetes

Kaslin Fields

Interested in Containers and want to learn more? This talk will introduce you to the basics of why containers are important, how they work, and how Kubernetes is making containers the DevOps way of the future - through fun comic illustrations and analogies! You'll learn and retain the key points you'll need whether you're trying to convince your leadership that container adoption is right for the company, or talking to that person a few cubes down who just can't seem to stop talking about containers!

AWS EKS Security Best Practices

StackRox

Containers jumpstart from a DevOps perspective

Matteo Emili

DockerDay 2015: From months to minutes - How GE appliances brought docker int...

Docker-Hanoi

Open source on Microsoft Azure: Linux, Java, NodeJS, MongoDb and many other t...

Codemotion

Developers want to use platforms and technologies they love to develop, deploy and manage their applications. Microsoft Azure is the best cloud platform to run your apps even if you use Java, Python, .NET, NodeJS on the frontend, or MySQL, SQL Server, MongoDB on the backend, Windows or Linux as the OS. In this session we will explore open source technologies on Microsoft Azure and how to choose the right service to manage your applications.

Arif PhD deals with how efficiently applications are deployed in distributed fog environments. A short abstract of the thesis is given below: Fog computing architectures are composed of a large number of machines distributed across a geographical area such as a city or a region. In this context it is important to support a quick startup of applications deployed in the for of docker containers. This thesis explores the reasons for slow deployment and identifies three improvement opportunities: (1) improving the Docker cache hit rate; (2) speed-up the image installation operation; and (3) accelerate the application boot phase after the creation of a container.

Csa container-security-in-aws-dw

Cloud Security Alliance, UK chapter

Csa container-security-in-aws-dw Video: https://youtu.be/X2Db27sAcyM This session will touch upon container security constructs and isolation mechanisms like capabilities, syscalls, seccomp and Firecracker before digging into secure container configuration recommendations, third-party tools for build- and run-time analysis and monitoring, and how Kubernetes security mechanisms and AWS security-focussed services interact.

How to Secure Containerized Applications

DevOps.com

Containers, Kubernetes, and Docker - oh my! These innovative tools have exploded in popularity over the last ten years, and with good reason - allowing for containerized applications gives development teams the flexibility they need to move and deploy quickly. But in the rush to modernize, it’s easy to forget about security. Although applications are now distributed across containers, they are still vulnerable to Layer-7 attacks and malicious activity. In this webinar, Doug Coburn, Director of Professional Services at Signal Sciences, will walk through: An overview on containerized applications and how it fits into a DevOps workflow Where and how containers are vulnerable to Layer 7 attacks Evaluating tools and processes for deploying security across containers and containerized apps

Security best practices for kubernetes deployment

Michael Cherny

Security best practices for kubernetes deployment

Aqua Security

Top 6 Practices to Harden Docker Images to Enhance Security

9 series

Persistent storage in Docker

Cheryl Hung

20190613 - IBM Cloud Côte d'Azur meetup - "Cloud & Containers"

IBM France Lab

BBL Premiers pas avec Docker

kanedafromparis

Oracle Database 18c Docker.pdf

Yossi Nixon

2014, April 15, Atlanta Java Users Group

Todd Fritz

Server to Cloud – convert a legacy platform to a micro-PaaS using Docker and related, containerization technologies Video: http://vimeo.com/94556976 The talk will begin with how to setup a local Docker development environment (Windows or Mac OSX) as Docker runs atop Linux. The basics of Docker will be examined including how to use image repositories, and a brief description of available UI’s for managing Docker containers (Shipyard and DockerUI). Next, example applications will be built for progressively more robust use cases and deployments; to demonstrate the power, flexibility and scalability of Containerization with Docker. The first example will discuss a simple two container model to encapsulate a database and application layer, which will lead to demonstration and discussion about more robust deployments that include features such as service discovery, automatic load balancing, and abstractions to simplify linking of containers. The context of the talk with be how Containerization enables architectural choice, scalability, and polyglot environments. Docker and supporting technologies will be discussed to expose the multitude of supporting technologies within the ecosystem such as Flynn, Serf (makes or Vagrant), CoreOS, Deus, HAProxy and more. Technologies that may be employed within containers during the demonstration include, Java, Scala, Akka, Docker, vert.x or node.js, memcached, mysql, mongo.

Security Patterns for Microservice Architectures - Oktane20

Matt Raible

Are you securing your microservice architectures by hiding them behind a firewall? That works, but there are better ways to do it. This presentation recommends 11 patterns to secure microservice architectures. 1. Be Secure by Design 2. Scan Dependencies 3. Use HTTPS Everywhere 4. Use Access and Identity Tokens 5. Encrypt and Protect Secrets 6. Verify Security with Delivery Pipelines 7. Slow Down Attackers 8. Use Docker Rootless Mode 9. Use Time-Based Security 10. Scan Docker and Kubernetes Configuration for Vulnerabilities 11. Know Your Cloud and Cluster Security Blog post: https://developer.okta.com/blog/2020/03/23/microservice-security-patterns

Cloud Computing Presentation

Ashish Kumar Singh

dockerCesar Maciel

Introducing Pico - A Deep Learning Platform using Docker & IoT - Sangam Biradar

sangam biradar

Kubernetes with Cilium in AWS - Experience Report!

QAware GmbH

Cloud Native Night, Munich, September 2023, Bernhard Schaidhammer === Please download slides if blurred! === Cilium is a powerful tool for network policies and also encryption between the Kubernetes nodes. Cilium hooks deep into Kubernetes in the network stack as an plugin and can even replace the AWS CNI Plugin. This talk will share our project experiences. Topics involve: - Network Policies - Encryption - Hubble (Observability) - Installation - CLI Usage (Hubble / Cilium)

Securing Containers - Sathyajit Bhat - Adobe

CodeOps Technologies LLP

Security Patterns for Microservice Architectures - London Java Community 2020

Matt Raible

[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at Wizeline

DevDay.org

Lean UX helps teams build the minimal product necessary to validate risky assumptions and minimize the time to market with the right product. On this lecture, Lean UX principles and its value to the product cycle will be introduced. Also, the methods and tools that will help you get feedback from users and learn rapidly will be discussed. This session is geared towards those who are interested in UX but have no much experience, those looking for new methods to improve their current product processes, and anyone interested in design, business, and user centered design.

[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...

DevDay.org

Similar to [DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh, Security Engineer at mgm technology partners Vietnam

Why Users Are Moving on from Docker and Leaving Its Security Risks Behind (Sp...

Amazon Web Services

Docker Kubernetes Istio

Araf Karsh Hamid

Arif's PhD Defense (Title: Efficient Cloud Application Deployment in Distrib...

Arif A.

Csa container-security-in-aws-dw

Cloud Security Alliance, UK chapter

How to Secure Containerized Applications

DevOps.com

Security best practices for kubernetes deployment

Michael Cherny

Security best practices for kubernetes deployment

Aqua Security

Top 6 Practices to Harden Docker Images to Enhance Security

9 series

Persistent storage in Docker

Cheryl Hung

20190613 - IBM Cloud Côte d'Azur meetup - "Cloud & Containers"

IBM France Lab

BBL Premiers pas avec Docker

kanedafromparis

Oracle Database 18c Docker.pdf

Yossi Nixon

2014, April 15, Atlanta Java Users Group

Todd Fritz

Security Patterns for Microservice Architectures - Oktane20

Matt Raible

Cloud Computing Presentation

Ashish Kumar Singh

dockerCesar Maciel

Introducing Pico - A Deep Learning Platform using Docker & IoT - Sangam Biradar

sangam biradar

Kubernetes with Cilium in AWS - Experience Report!

QAware GmbH

Securing Containers - Sathyajit Bhat - Adobe

CodeOps Technologies LLP

Security Patterns for Microservice Architectures - London Java Community 2020

Matt Raible

Similar to [DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh, Security Engineer at mgm technology partners Vietnam (20)

Why Users Are Moving on from Docker and Leaving Its Security Risks Behind (Sp...

Docker Kubernetes Istio

Arif's PhD Defense (Title: Efficient Cloud Application Deployment in Distrib...

Csa container-security-in-aws-dw

How to Secure Containerized Applications

Security best practices for kubernetes deployment

Top 6 Practices to Harden Docker Images to Enhance Security

Persistent storage in Docker

20190613 - IBM Cloud Côte d'Azur meetup - "Cloud & Containers"

BBL Premiers pas avec Docker

Oracle Database 18c Docker.pdf

2014, April 15, Atlanta Java Users Group

Security Patterns for Microservice Architectures - Oktane20

Cloud Computing Presentation

docker

Introducing Pico - A Deep Learning Platform using Docker & IoT - Sangam Biradar

Kubernetes with Cilium in AWS - Experience Report!

Securing Containers - Sathyajit Bhat - Adobe

Security Patterns for Microservice Architectures - London Java Community 2020

More from DevDay.org

[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at Wizeline

DevDay.org

[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...

DevDay.org

[DevDay2019] Things i wish I knew when I was a 23-year-old Developer - By Chr...

DevDay.org

[DevDay2019] Designing design teams - Christopher Nguyen, UX Manager at Wizeline

DevDay.org

[DevDay2019] Growth Hacking - How to double the benefits of your startup with...

DevDay.org

[DevDay2019] Collaborate or die: The designers’ guide to working with develop...

DevDay.org

Collaboration and open communication tend to be categorized as “soft skills” and are often overlooked in organizations. In this session, he is going to discuss how to develop an effective strategy in bridging the gap between product, design, and engineering teams. He will also share some tips for including developers in different stages of design — from planning features to usability testing.

[DevDay2019] How AI is changing the future of Software Testing? - By Vui Nguy...

DevDay.org

Artificial intelligence (AI) has been changing the way software is tested and how humans interact with technology. AI predicts, prevents and automates the entire process of testing using algorithms. It will not only support and improve the models and test cases but also provide more sophisticated and refined form of text recognition and better code generators. Using AI will help to save time for testing and ensure a better quality software.

[DevDay2019] Hands-on Machine Learning on Google Cloud Platform - By Thanh Le...

DevDay.org

[DevDay2019] Micro Frontends Architecture - By Thang Pham, Senior Software En...

DevDay.org

[DevDay2019] Power of Test Automation and DevOps combination - One click savi...

DevDay.org

Test Automation is becomming a MUST in software development life cycle now. DevOps has been an emerging trend, and it's no longer new. Remebering the old days, when you have to stand-up the test servers, get the builds from developers, deploy it, start-up agent machines, run your tests, collect reports, shutdown all resources you have just started, and spend days to analyze the failures. Now it's time to bring DevOps into this game and let it streamline all of these processes then you can save your days for other greater jobs of software testing.

[DevDay2019] How do I test AI models? - By Minh Hoang, Senior QA Engineer at KMS

DevDay.org

[DevDay2019] How to quickly become a Senior Engineer - By Tran Anh Minh, CEO ...

DevDay.org

[Devday2019] Dev start-up - By Le Trung, Founder & CEO at Hifiveplus and Edu...

DevDay.org

[DevDay2019] Web Development In 2019 - A Practical Guide - By Hoang Nhu Vinh,...

DevDay.org

[DevDay2019] Opportunities and challenges for human resources during the digi...

DevDay.org

[DevDay2019] Python Machine Learning with Jupyter Notebook - By Nguyen Huu Th...

DevDay.org

[DevDay2019] Develop a web application with Kubernetes - By Nguyen Xuan Phong...

DevDay.org

[DevDay2019] Paradigm shift towards effective Scrum - By Tam Doan, Agile Coac...

DevDay.org

[DevDay2019] JAM Stack - By Ngo Thi Ni, Web Developer at Agility IO

DevDay.org

[DevDay2019] Layering GraphQL on top of existing infrastructure - By Phan Tha...

DevDay.org

More from DevDay.org (20)