DevOpsDays London: Let’s talk about Security
Justin Cormack
Justin Cormack
Cambridge-based developer at Docker, @justincormack
Co-author of Docker in the Trenches: Successful Production Deployment
Let’s talk about Security
Security: “NO!”
A Conversation
Ops: “Please, developers, can you write secure code?”
Devs: “Please, ops, can you secure the environment for our code?”
DevOps: “This service needs to do these things and access these other services.”
DevOps: “OK, I will restrict its access in test and production to those actions.”
To get to this we need a domain-specific manifest of the types of action a program can do, and a way to restrict it to just those. We also want defence in depth: a single mechanism for imposing restrictions only needs a single circumvention.
Examples
Android permissions and intents were a good early model
•  Certainly conversational...
•  Good apart from the bit where the user clicks “Allow”
pledge(2)
•  OpenBSD system call that reduces what a process may do; abilities are grouped into named promise classes, and a system call outside the promised set aborts the process
•  stdio rpath wpath cpath dpath tmppath fattr flock inet dns unix sendfd recvfd proc getpw tty ioctl prot_exec exec settime ps vminfo id pf audio
#include <stdio.h>   /* perror */
#include <stdlib.h>  /* exit */
#include <unistd.h>  /* pledge, OpenBSD only */
/* Promise only stdio plus file read/write/create; any later syscall outside this set aborts the process */
if (pledge("stdio rpath wpath cpath", NULL) == -1) {
        perror("pledge");
        exit(2);
}
Usability
•  Within 6 months it had been added to over 400 programs
•  Not a typical coding community, true
•  Not the sole means of defence; it adds defence in depth
•  There are only 8000 SELinux profiles on GitHub after 18 years, and most are the same ones
Doesn’t Apply to Me
•  Probably you are not writing Unix commands for OpenBSD
•  Very domain-specific rules, e.g. exactly which files can be read
•  Some of the specifics are less of a concern
•  However, microservices are modelled on the Unix process model
Content Security Policy for Web Applications
•  Response headers that tell the browser what a page may do: for each type of resource, nothing, a list of allowed origins, the page’s own origin only ('self'), or similar
•  default-src script-src object-src style-src img-src media-src frame-src font-src connect-src form-action sandbox script-nonce plugin-types reflected-xss report-uri
•  http://w3c.github.io/webappsec-csp/
•  Creating a CSP Policy from Scratch
Content-Security-Policy:
  default-src 'none';
  script-src 'self' https://www.google-analytics.com/;
  style-src 'self' https://fonts.googleapis.com;
  font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com;
  frame-src 'self' https://www.slideshare.net;
  upgrade-insecure-requests; block-all-mixed-content;
  reflected-xss block; referrer no-referrer-when-downgrade;
  frame-ancestors 'none'; form-action 'none';
  base-uri diogomonica.com www.diogomonica.com;
  report-uri https://report-uri.io/report/59e303e8e117668e8e166508913a6d1d;
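The header above is a 2016-era policy, and CSP has moved on since: reflected-xss, referrer and script-nonce were CSP 1.1 draft directives that never reached the final specification, and block-all-mixed-content and plugin-types have since been deprecated, so current browsers simply ignore those lines. As an added example (not from the slides, and not Diogo Mónica’s or the CSP working group’s code), the following Python parses a policy the way a browser does (first occurrence of a directive wins, fetch directives fall back to default-src) and flags the usual review points: a missing default-src or base-uri, 'unsafe-inline' or wildcards in script-src, an unrestricted object-src, and the obsolete directives. The two sample policies are constructed for the example; SLIDE_POLICY copies the header shown above.

```python
"""Parse a Content-Security-Policy header and flag weak or obsolete directives.

Added example, not part of the original slides. The sample policies are
constructed for this example; SLIDE_POLICY copies the header shown above.
"""

# Draft-era or deprecated directives: browsers ignore them, so they give no protection
OBSOLETE = {
    "reflected-xss": "CSP 1.1 draft only, never standardised",
    "referrer": "dropped from CSP; use the Referrer-Policy header",
    "script-nonce": "replaced by 'nonce-<value>' source expressions",
    "block-all-mixed-content": "deprecated; upgrade-insecure-requests covers it",
    "plugin-types": "deprecated along with plugin support",
}
UNSAFE_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:")


def parse_csp(header):
    """Return {directive: [source expressions]}; like a browser, the first
    occurrence of a directive wins and later duplicates are ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources governing a fetch directive, with the default-src fallback.
    None means that resource type is completely unrestricted."""
    return policy.get(directive, policy.get("default-src"))


def lint_csp(header):
    """Return human-readable findings; an empty list means nothing was flagged."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: resource types not listed are unrestricted")
    for name in policy:
        if name in OBSOLETE:
            findings.append(f"{name}: {OBSOLETE[name]}")
    # script-src and object-src are the two that turn an injection into code execution
    for directive in ("script-src", "object-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: no directive and no default-src, unrestricted")
            continue
        findings.extend(f"{directive} allows {s}" for s in UNSAFE_SOURCES if s in sources)
    # A tight script-src is undone if an injected <base href> can redirect relative URLs
    if "base-uri" not in policy:
        findings.append("no base-uri: injected <base> can redirect relative script URLs")
    return findings


SLIDE_POLICY = (
    "default-src 'none'; script-src 'self' https://www.google-analytics.com/; "
    "style-src 'self' https://fonts.googleapis.com; "
    "font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; "
    "frame-src 'self' https://www.slideshare.net; "
    "upgrade-insecure-requests; block-all-mixed-content; "
    "reflected-xss block; referrer no-referrer-when-downgrade; "
    "frame-ancestors 'none'; form-action 'none'; "
    "base-uri diogomonica.com www.diogomonica.com; "
    "report-uri https://report-uri.io/report/59e303e8e117668e8e166508913a6d1d;"
)
# Constructed: the kind of policy that looks like CSP but stops nothing
WEAK_POLICY = "script-src 'self' 'unsafe-inline' *; style-src 'unsafe-inline'"

if __name__ == "__main__":
    for label, header in (("slide", SLIDE_POLICY), ("weak", WEAK_POLICY)):
        print(label)
        for finding in lint_csp(header) or ["no findings"]:
            print("  -", finding)
```

Run against the slide’s header the linter reports only the three obsolete directives; the constructed weak policy gets five findings, because without default-src every resource type it does not name, object-src included, is unrestricted, and 'unsafe-inline' in script-src makes the rest of the policy cosmetic.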
Containers
Docker supports lots of security mechanisms
•  Namespaces, capabilities, SELinux, AppArmor, seccomp, iptables, networks (Linux likes having several different security subsystems)
•  The defaults are really good, and work for almost everyone
•  Containers are a very secure environment to run code
Not so friendly
One entry from a seccomp profile (Docker’s JSON format):
    {"name": "accept4", "action": "SCMP_ACT_ALLOW", "args": []},
One rule from the AppArmor profile:
    deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,
Dropping a capability on the command line:
    docker run --cap-drop=sys_admin
Next steps
•  Make the customisation easier for your use cases
•  Increase uniformity
•  Correlate the different types of option, so that they are set in lockstep
Types of role for microservices
•  Client, server, or both
•  Connects to specified hosts outside the local network
•  May not connect to certain types of host (finance, production)
•  Must use encrypted connections to these hosts
•  Document clear contracts about what is allowed
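As an added example of the last two slides (not from the talk, and not Docker’s own tooling), here is the idea as code: a small declarative manifest of what a service does is first checked against its contract (encrypted connections only, no connections to forbidden host classes), then turned into several Docker options at once, so that the seccomp profile, the capability set, the published port and the read-only filesystem all move in lockstep rather than being hand-edited separately. The manifest keys (role, port, reads, writes, connect_to, forbidden_classes), the syscall groups and the HOST_CLASSES table are assumptions made for this example; the seccomp JSON shape (per-syscall entries, as on the “Not so friendly” slide) and the docker run flags are Docker’s real ones.

```python
"""Derive Docker security options, in lockstep, from a declarative service manifest.

Added example, not from the original slides and not Docker's own tooling. The
manifest keys, the syscall groups and HOST_CLASSES are assumptions made for this
example; the outputs are Docker's real mechanisms (seccomp JSON and run flags).
"""
import json
from urllib.parse import urlsplit

# Illustrative minimum for a small x86_64 program to start, allocate, print and exit.
# Not a traced baseline: derive the real one with strace against your own binary.
BASE_SYSCALLS = [
    "read", "write", "close", "fstat", "lseek", "mmap", "munmap", "mprotect", "brk",
    "rt_sigaction", "rt_sigprocmask", "rt_sigreturn", "futex", "nanosleep", "clock_gettime",
    "getpid", "getrandom", "arch_prctl", "set_tid_address", "exit", "exit_group",
]
ROLE_SYSCALLS = {
    "client": ["socket", "connect", "sendto", "recvfrom", "sendmsg", "recvmsg", "setsockopt",
               "getsockopt", "getsockname", "getpeername", "poll"],
    "server": ["socket", "bind", "listen", "accept4", "shutdown", "sendmsg", "recvmsg",
               "setsockopt", "getsockopt", "getsockname", "poll", "epoll_create1",
               "epoll_ctl", "epoll_wait"],
}
FILE_SYSCALLS = {
    "reads": ["open", "openat", "stat", "newfstatat", "getdents64", "readlink"],
    "writes": ["open", "openat", "unlink", "unlinkat", "rename", "mkdir", "ftruncate", "fsync"],
}
ENCRYPTED_SCHEMES = ("https", "wss", "ssh")
# Constructed table classifying hosts a service may name in connect_to
HOST_CLASSES = {"ledger.internal": "finance", "db.prod.internal": "production"}


def check_connections(manifest):
    """Check outbound connections against the contract; return the violations."""
    violations = []
    for url in manifest.get("connect_to", []):
        parts = urlsplit(url)
        if parts.scheme not in ENCRYPTED_SCHEMES:
            violations.append(f"{url}: unencrypted scheme {parts.scheme!r}")
        host_class = HOST_CLASSES.get(parts.hostname)
        if host_class in manifest.get("forbidden_classes", []):
            violations.append(f"{url}: host class {host_class!r} is forbidden for this service")
    return violations


def seccomp_profile(manifest):
    """Default-deny seccomp profile allowing only what the declared role needs."""
    roles = ("client", "server") if manifest["role"] == "both" else (manifest["role"],)
    allowed = set(BASE_SYSCALLS)
    for role in roles:
        allowed.update(ROLE_SYSCALLS[role])
    for key in ("reads", "writes"):
        if manifest.get(key):
            allowed.update(FILE_SYSCALLS[key])
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"name": n, "action": "SCMP_ACT_ALLOW", "args": []} for n in sorted(allowed)],
    }


def docker_flags(manifest, profile_path="seccomp.json"):
    """Run flags derived from the same manifest, so they change together with the profile."""
    flags = ["--cap-drop=ALL", "--security-opt", "no-new-privileges",
             "--security-opt", f"seccomp={profile_path}"]
    serves = manifest["role"] in ("server", "both")
    if serves and manifest["port"] < 1024:
        flags.append("--cap-add=NET_BIND_SERVICE")  # the only capability a low port needs
    if serves:
        flags.append(f"--publish={manifest['port']}:{manifest['port']}")
    if not manifest.get("writes"):
        flags.append("--read-only")  # no write syscalls, so no writable root filesystem either
    return flags


def build(manifest):
    """Validate the contract first, then emit profile and flags as one unit."""
    violations = check_connections(manifest)
    if violations:
        raise ValueError("; ".join(violations))
    return seccomp_profile(manifest), docker_flags(manifest)


# Constructed manifests for the example
API_GATEWAY = {"role": "both", "port": 443, "reads": ["/etc/ssl/certs"],
               "connect_to": ["https://api.example.com"],
               "forbidden_classes": ["finance", "production"]}
BAD_BATCH = {"role": "client", "connect_to": ["http://ledger.internal:8080"],
             "forbidden_classes": ["finance"]}

if __name__ == "__main__":
    profile, flags = build(API_GATEWAY)
    print(json.dumps(profile, indent=2))
    print("docker run", " ".join(flags), "gateway:latest")
    try:
        build(BAD_BATCH)
    except ValueError as err:
        print("rejected:", err)
```

The point of routing everything through one manifest is the “lockstep” slide: a service that declares no writes gets neither the write syscalls nor a writable root filesystem, a low port gets exactly one capability added back after dropping all of them, and a manifest that names a plaintext connection to a finance host is rejected before any profile is emitted. The same manifest is the human-readable contract the summary slide asks for, and the generated JSON is the machine-readable, testable form of it.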
Summary
•  First talk about what your application needs to do
•  Human readable and understandable
•  Machine readable, testable and debuggable
•  Declarative
•  Domain specific
Talk!
Questions?
•  @justincormack
•  justin.cormack@docker.com
•  docker pull justincormack/devopsdays2016