Delve Labs was present during the GoSec 2016 conference, where our lead DevOps engineer presented an overview of the current options available for securing Docker in production environments.
https://www.delve-labs.com
Overview of Docker 1.11 features(Covers Docker release summary till 1.11, runc/containerd, dns load balancing ipv6 service discovery, labels, macvlan/ipvlan)
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
Docker is hot, Docker security is not? In this talk the risks, benefits and defenses of Docker are discussed. They are followed up by some best practices, which can you use in your daily activities. What is clear is that there is still a lot to do to get your containers secured.
Event: Docker Amsterdam Meetup - January 2015
This presentation was given by Michael Boelen, January 23rd at Schuberg Philis. The event was organized by Mark Robert Coleman with help of Harm Boertien. With a full house of people, Docker security was discussed.
About the author:
Michael Boelen is founder of CISOfy and researches Linux security to build tools and documentation, to simplify it for others. Examples are tools like Rootkit Hunter and Lynis, blog posts and presentations.
Enhancing OpenShift Security for Business Critical DeploymentsDevOps.com
Join us for this informative session on "Enhancing OpenShift Security." Andrew Toth from Red Hat will outline typical threats and security measures to protect container deployments and will share information on built-in security features of OpenShift and Kubernetes.
Glen Kosaka from NeuVector will present how to enhance security for Kubernetes and OpenShift by using advanced run-time security features to improve visibility and protection in production.
Under the Hood with Docker Swarm Mode - Drew Erny and Nishant Totla, DockerDocker, Inc.
Join SwarmKit maintainers Drew and Nishant as they showcase features that have made Swarm Mode even more powerful, without compromising the operational simplicity it was designed with. They will discuss the implementation of new features that streamline deployments, increase security, and reduce downtime. These substantial additions to Swarm Mode are completely transparent and straightforward to use, and users may not realize they're already benefiting from these improvements under the hood.
Overview of Docker 1.11 features(Covers Docker release summary till 1.11, runc/containerd, dns load balancing ipv6 service discovery, labels, macvlan/ipvlan)
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
Docker is hot, Docker security is not? In this talk the risks, benefits and defenses of Docker are discussed. They are followed up by some best practices, which can you use in your daily activities. What is clear is that there is still a lot to do to get your containers secured.
Event: Docker Amsterdam Meetup - January 2015
This presentation was given by Michael Boelen, January 23rd at Schuberg Philis. The event was organized by Mark Robert Coleman with help of Harm Boertien. With a full house of people, Docker security was discussed.
About the author:
Michael Boelen is founder of CISOfy and researches Linux security to build tools and documentation, to simplify it for others. Examples are tools like Rootkit Hunter and Lynis, blog posts and presentations.
Enhancing OpenShift Security for Business Critical DeploymentsDevOps.com
Join us for this informative session on "Enhancing OpenShift Security." Andrew Toth from Red Hat will outline typical threats and security measures to protect container deployments and will share information on built-in security features of OpenShift and Kubernetes.
Glen Kosaka from NeuVector will present how to enhance security for Kubernetes and OpenShift by using advanced run-time security features to improve visibility and protection in production.
Under the Hood with Docker Swarm Mode - Drew Erny and Nishant Totla, DockerDocker, Inc.
Join SwarmKit maintainers Drew and Nishant as they showcase features that have made Swarm Mode even more powerful, without compromising the operational simplicity it was designed with. They will discuss the implementation of new features that streamline deployments, increase security, and reduce downtime. These substantial additions to Swarm Mode are completely transparent and straightforward to use, and users may not realize they're already benefiting from these improvements under the hood.
Rooting Out Root: User namespaces in DockerPhil Estes
This talk on the progress to bring user namespace support into Docker was presented by Phil Estes at LinuxCon/ContainerCon 2015 on Wednesday, Aug. 19th, 2015
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...Docker, Inc.
At Docker, we are striving to enable the extensibility of Docker via "Plugins" and make them available for developers and enterprises alike. Come attend this talk to understand what it takes to build, ship, store and run plugins. We will deep dive into plugin lifecycle management on a single engine and across a swarm cluster. We will also demonstrate how you can integrate plugins from other enterprises or developers into your ecosystem. There will be fun demos accompanying this talk! This will be session will be beneficial to you if you: 1) Are an ops team member trying to integrate Docker with your favorite storage or network vendor 2) Are Interested in extending or customizing Docker; or 3) Want to become a Docker partner, and want to make the technology integration seamless.
Running High Performance and Fault Tolerant Elasticsearch Clusters on DockerSematext Group, Inc.
Sematext engineer Rafal Kuc (@kucrafal) walks through the details of running high-performance, fault tolerant Elasticsearch clusters on Docker. Topics include: Containers vs. Virtual Machines, running the official Elasticsearch container, container constraints, good network practices, dealing with storage, data-only Docker volumes, scaling, time-based data, multiple tiers and tenants, indexing with and without routing, querying with and without routing, routing vs. no routing, and monitoring. Talk was delivered at DevOps Days Warsaw 2015.
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
A Docker security talk that Salman Baset and Phil Estes presented at the Tokyo OpenStack Summit on October 29th, 2015. In this talk we provided an overview of the security constraints available to Docker cloud operators and users and then walked through a "lessons learned" from experiences operating IBM's public Bluemix container cloud based on Docker container technology.
Covers overview of CoreOS and current status of CoreOS projects. Presented at Open source meetup, Bangalore(http://www.meetup.com/Bangalore-Open-Source-Meetup/events/229763724/)
Presentation on the Linux namespaces and system calls used to provide container isolation with Docker. Presented in March 2015 at http://www.meetup.com/Docker-Phoenix/ in Tempe, Arizona.
Virtual machines are generally considered secure. At least, secure enough to power highly multi-tenant, large-scale public clouds, where a single physical machine can host a large number of virtual instances belonging to different customers. Containers have many advantages over virtual machines: they boot faster, have less performance overhead, and use less resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting a new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
We will show techniques to harden Linux Containers; including kernel capabilities, mandatory access control, hardened kernels, user namespaces, and more, and discuss the remaining attack surface.
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
A conference talk at ContainerCon Europe in Berlin, Germany, given on October 5th, 2016. This is a slightly modified version of my talk first used at Docker London in July 2016.
It's presentation for technet 2015 in korea.
I changed the format to pptx,
목차는 아래와 같습니다.
Openstack 인프라 구축 (4 node 구성) [ 30분]
Openstack 위에 VM 생성 [ 20분 ]
docker 구축 기초 [ 30분]
오픈스택에 docker를 연결 [ 30분]
Docker로 WEB서비스 구축 [ 15분]
Openstack 위에 Docker로 WEB서비스 구축 [ 15분]
Docker로 jenkins 구현 [30분]
Get hands-on with security features and best practices to protect your containerized services. Learn to push and verify signed images with Docker Content Trust, and collaborate with delegation roles. Intermediate to advanced level Docker experience recommended, participants will be building and pushing with Docker during the workshop.
Led By Docker Security Experts:
Riyaz Faizullabhoy
David Lawrence
Viktor Stanchev
Experience Level: Intermediate to advanced level Docker experience recommended
Presentation held by Mr. Davit Maisuradze Head of the Notary and Registration Division, within the Regional Workshop on Georgia's anti-corruption and public service delivery reforms (22-24 September 2011).
Rooting Out Root: User namespaces in DockerPhil Estes
This talk on the progress to bring user namespace support into Docker was presented by Phil Estes at LinuxCon/ContainerCon 2015 on Wednesday, Aug. 19th, 2015
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...Docker, Inc.
At Docker, we are striving to enable the extensibility of Docker via "Plugins" and make them available for developers and enterprises alike. Come attend this talk to understand what it takes to build, ship, store and run plugins. We will deep dive into plugin lifecycle management on a single engine and across a swarm cluster. We will also demonstrate how you can integrate plugins from other enterprises or developers into your ecosystem. There will be fun demos accompanying this talk! This will be session will be beneficial to you if you: 1) Are an ops team member trying to integrate Docker with your favorite storage or network vendor 2) Are Interested in extending or customizing Docker; or 3) Want to become a Docker partner, and want to make the technology integration seamless.
Running High Performance and Fault Tolerant Elasticsearch Clusters on DockerSematext Group, Inc.
Sematext engineer Rafal Kuc (@kucrafal) walks through the details of running high-performance, fault tolerant Elasticsearch clusters on Docker. Topics include: Containers vs. Virtual Machines, running the official Elasticsearch container, container constraints, good network practices, dealing with storage, data-only Docker volumes, scaling, time-based data, multiple tiers and tenants, indexing with and without routing, querying with and without routing, routing vs. no routing, and monitoring. Talk was delivered at DevOps Days Warsaw 2015.
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
A Docker security talk that Salman Baset and Phil Estes presented at the Tokyo OpenStack Summit on October 29th, 2015. In this talk we provided an overview of the security constraints available to Docker cloud operators and users and then walked through a "lessons learned" from experiences operating IBM's public Bluemix container cloud based on Docker container technology.
Covers overview of CoreOS and current status of CoreOS projects. Presented at Open source meetup, Bangalore(http://www.meetup.com/Bangalore-Open-Source-Meetup/events/229763724/)
Presentation on the Linux namespaces and system calls used to provide container isolation with Docker. Presented in March 2015 at http://www.meetup.com/Docker-Phoenix/ in Tempe, Arizona.
Virtual machines are generally considered secure. At least, secure enough to power highly multi-tenant, large-scale public clouds, where a single physical machine can host a large number of virtual instances belonging to different customers. Containers have many advantages over virtual machines: they boot faster, have less performance overhead, and use less resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting a new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
We will show techniques to harden Linux Containers; including kernel capabilities, mandatory access control, hardened kernels, user namespaces, and more, and discuss the remaining attack surface.
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
A conference talk at ContainerCon Europe in Berlin, Germany, given on October 5th, 2016. This is a slightly modified version of my talk first used at Docker London in July 2016.
It's presentation for technet 2015 in korea.
I changed the format to pptx,
목차는 아래와 같습니다.
Openstack 인프라 구축 (4 node 구성) [ 30분]
Openstack 위에 VM 생성 [ 20분 ]
docker 구축 기초 [ 30분]
오픈스택에 docker를 연결 [ 30분]
Docker로 WEB서비스 구축 [ 15분]
Openstack 위에 Docker로 WEB서비스 구축 [ 15분]
Docker로 jenkins 구현 [30분]
Get hands-on with security features and best practices to protect your containerized services. Learn to push and verify signed images with Docker Content Trust, and collaborate with delegation roles. Intermediate to advanced level Docker experience recommended, participants will be building and pushing with Docker during the workshop.
Led By Docker Security Experts:
Riyaz Faizullabhoy
David Lawrence
Viktor Stanchev
Experience Level: Intermediate to advanced level Docker experience recommended
Presentation held by Mr. Davit Maisuradze Head of the Notary and Registration Division, within the Regional Workshop on Georgia's anti-corruption and public service delivery reforms (22-24 September 2011).
Excel Training
5 minute sessions.
This series was set up to help the team build up excel skills. Meant for short 5 minute sessions.
Good for on the go learning.
Oscon London 2016 - Docker from Development to ProductionPatrick Chanezon
Docker revolutionized how developers and operations teams build, ship, and run applications, enabling them to leverage the latest advancements in software development: the microservice architecture style, the immutable infrastructure deployment style, and the DevOps cultural model.
Existing software layers are not a great fit to leverage these trends. Infrastructure as a service is too low level; platform as a service is too high level; but containers as a service (CaaS) is just right. Container images are just the right level of abstraction for DevOps, allowing developers to specify all their dependencies at build time, building and testing an artifact that, when ready to ship, is the exact thing that will run in production. CaaS gives ops teams the tools to control how to run these workloads securely and efficiently, providing portability between different cloud providers and on-premises deployments.
Patrick Chanezon offers a detailed overview of the latest evolutions to the Docker ecosystem enabling CaaS: standards (OCI, CNCF), infrastructure (runC, containerd, Notary), platform (Docker, Swarm), and services (Docker Cloud, Docker Datacenter). Patrick ends with a demo showing how to do in-container development of a Spring Boot application on a Mac running a preconfigured IDE in a container, provision a highly available Swarm cluster using Docker Datacenter on a cloud provider, and leverage the latest Docker tools to build, ship, and run a polyglot application architected as a set of microservices—including how to set up load balancing.
Data validation is the process of checking database to ensure that the information gathered from different data sources is clean, accurate and in a standard format. Data validation can be simple or complex, depending upon the way it is performed. For example, validating email address, or phone numbers is easy. On the other hand, checking different data fields for consistency and accuracy in a master database will be complex. In a nutshell, data needs to be validated at the same stage/level where it’s most likely to be erroneous.
Introduction to Redis 3.0, and it’s features and improvements. What’s difference between Redis / Memcached / Aerospike ? The strong sides of Redis, and away from the weak sides.
本議程介紹 Redis 3.0 及其歷史,探討 Redis 的特性與改進。並一併分析 Redis / Memcached / Aerospike 三者之間的差異,有助於未來面對業務場景需求提供瞭解與判斷。最後,分享 Redis 適用之場景,及其不適用場景下的備案或整合方案。議程適於 Redis 初學者、對 Redis 想深入瞭解者,及曾經莫名被 Redis 雷擊或坑殺者。
Deploy at scale with CoreOS Kubernetes and Apache StratosChris Haddad
Platform-as-a-Service (PaaS) streamlines DevOps and allows developers to focus on application development. The PaaS handles provisioning, scaling, high availability, and tenancy.
Integration with the Docker platform, CoreOS Linux distribution, and Kubernetes container management system bring more scalability and flexibility to a PaaS. This session will include installing and deploying sample applications using Docker,CoreOS and Kubernetes, and a walkthrough on how it can be extended to support new application containers.
The Golden Ticket: Docker and High Security Microservices by Aaron GrattafioriDocker, Inc.
True microservices are more than simply bolting a REST interface on your legacy application, packing it in a Docker container and hoping for the best. Security is a key component when designing and building out any new architecture, and it must be considered from top to bottom. Umpa Lumpas might not be considered "real" microservices, but Willy Wonka still has them locked down tight!
In this talk, Aaron will briefly touch on the idea and security benefits of microservices before diving into practical and real world examples of creating a secure microservices architecture. We'll start with designing and building high security Docker containers, using and examining the latest security features in Docker (such as User Namespaces and seccomp-bpf) as well as examine some typically forgotten security principals. Aaron will end on exploring related challenges and solutions in the areas of network security, secrets management and application hardening. Finally, while this talk is geared towards Microservices, it should prove informational for all Docker users, building a PaaS or otherwise.
Vous avez récemment commencé à travailler sur Spark et vos jobs prennent une éternité pour se terminer ? Cette présentation est faite pour vous.
Himanshu Arora et Nitya Nand YADAV ont rassemblé de nombreuses bonnes pratiques, optimisations et ajustements qu'ils ont appliqué au fil des années en production pour rendre leurs jobs plus rapides et moins consommateurs de ressources.
Dans cette présentation, ils nous apprennent les techniques avancées d'optimisation de Spark, les formats de sérialisation des données, les formats de stockage, les optimisations hardware, contrôle sur la parallélisme, paramétrages de resource manager, meilleur data localité et l'optimisation du GC etc.
Ils nous font découvrir également l'utilisation appropriée de RDD, DataFrame et Dataset afin de bénéficier pleinement des optimisations internes apportées par Spark.
While probably the most prominent, Docker is not the only tool for building and managing containers. Originally meant to be a "chroot on steroids" to help debug systemd, systemd-nspawn provides a fairly uncomplicated approach to work with containers. Being part of systemd, it is available on most recent distributions out-of-the-box and requires no additional dependencies.
This deck will introduce a few concepts involved in containers and will guide you through the steps of building a container from scratch. The payload will be a simple service, which will be automatically activated by systemd when the first request arrives.
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
[DockerCon 2020] Hardening Docker daemon with Rootless ModeAkihiro Suda
"Docker supports ""Rootless mode"", which allows running the entire Docker daemon and its dependencies as a non-root user on the host, so as to protect the host from malicious containers in a simple but very strong way. Rootless mode is also attractive for users who cannot get `sudo` permission for installing Docker on shared computing machines. e.g. HPC users. In this talk, Akihiro Suda, the author of the Rootless mode, will explain how users can get started with Rootless mode. He will also explain the recent updates including support for Cgroup V2 and FUSE-OverlayFS."
https://docker.events.cube365.net/docker/dockercon/content/Videos/wHjxizoWgFgCYu6aF
In addition to authorization policies that control what a user can do, OpenShift Container Platform gives its administrators the ability to manage a set of security context constraints (SCCs) for limiting pods and securing their cluster.
Default security context may be too restrictive for containers pulled down from DockerHub, thorugh this talk we'll explore the various steps to execute for enabling required permissions on selected OpenShift's pods.
présentation de l'utilisation de Docker, du niveau 0 "je joue avec sur mon poste" au niveau Docker Hero "je tourne en prod".
Ce talk fait suite à l'intro de @dgageot et ne comporte donc pas l'intro "c'est quoi Docker ?".
A talk given at Docker London on Wednesday, July 20th, 2016. This talk is a fast-paced overview of the potential threats faced when containerizing applications, married to a quick run-through of the "security toolbox" available in the Docker engine via Linux kernel capabilities and features enabled by OCI's libcontainer/runc and Docker.
A video recording of this talk is available here: https://skillsmatter.com/skillscasts/8551-container-security
Martin Čmelík
Security-Portal.cz, Securix.org
http://www.security-session.cz
Přednáška: Hardening Linuxových systemů a představení distribuce Securix GNU/Linux
Přednáška se bude věnovat možnostem zabezpečení Linuxových systémů od té nejnižší až po aplikační vrstvu. Představí možnosti zvýšení bezpečnosti použitelných na všech linuxových distribucích až po MLS (Multi-Level Security) systémy typu Grsec a PaX, které jsou schopné detailního vymezení opravnění a přístupu k resourcům každé aplikace.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Docker Security in Production Overview
1. Docker Security In Production
#DevOps #Infrastructure #Deployment #Security
2. ➔ CI/CD chain security ( git / notary / registry )
◆ … export DOCKER_CONTENT_TRUST=1
➔ Microservices architecture
◆ … secret management (Vault & al.)
◆ … Orchestration & Deployment Strategies
➔ Keeping binaries & libs. up to date in production
➔ Monitoring / Alerting / Metric / SOC / SIEM / etc.
What this talk is NOT about
3.
4. Infrastructure information leak
Denial of Service
Data corruption
Software & Crypto exploit
Container escape
Root / Kernel exploit
Hypervisor escape
Hardware Implant, etc.
Reconnaissance
Loss of Availability
Loss of Integrity
Loss of Confidentiality
Privilege Escalation to Host
Host Auditability compromised
Pivot to other Host
Tin foil hat & Cryptopocalypse !
Type of attack Threat “hierarchy”
⇦
⇦
⇦
⇦
⇦
⇦
⇦
⇦
5. Docker builds on Kernel & Host Security
➔ Grsecurity kernel
Randomization++, Bound checking,
Fork delay, Hardened seccomp BPF
➔ SELinux / AppArmor
Complex execution profiles, {White,Black}-listing
➔ Sysctl settings
fd limit, IP stack, sysrq, buffers, etc.
➔ Unattended-upgrades
And all the typical hardening
& distro compile flags!
6. Docker Daemon
➔ Limit docker group : docker.sock
Access to socket = root
➔ Authorization plugin API
Docker 1.10+: --authorization-plugin
should help mitigate previous issue soon
➔ docker-machine & TLS
Use --tls-verify (port 2376)
➔ SELinux / AppArmor Profile
apparmor.d/docker + restrictions
limit path, resources, etc.
➔ Export logs outside of host
--log-driver= (syslog, fluentd, ...)
7. cgroups hardware resource limits
➔ Mitigate potential DoS attacks
Limit memory, disk, network I/O & CPU share
➔ cgroups only limit resources share, not access
Not blocking access to:
kcore, modprobe, sysrq, mknod, eth0, ...
➔ You can define your own initial cgroup
--cgroup-parent to inherit a previous context
8. Limiting CPU usage
➔ Limit the total or relative amount of CPU time share
--cpu-shares relative weight (== cpu_shares: 100)
--cpu-period CFS (QoS) period
--cpu-quota CFS (QoS) quota
➔ Limit which CPU or RAM node can be used
--cpuset-cpus CPU affinity (== cpu_set: 0,1)
--cpuset-mems Memory NUMA node (ie: 0-3, 0,1)
10. Device I/O & Filesystems
➔ Put docker on its own partition
/var/lib/docker as a ZFS/BTRFS volume (snapshots, quotas)
➔ Minimum rights
“rwm” options, i.e: --device=/dev/zero:/dev/zero:r
➔ Mount root & volumes as read-only
For volumes: /path:roz (Zz = SELinux label)
for root (/): read_only: true
Use with --shm-size & /dev/shm for pid files, scratch, tmp, etc.
--tmpfs /run:rw,noexec,nodev,nosuid,size=8m
➔ Limit allocated I/O bandwidth
--device-read-bps, --device-write-bps
--device-read-iops, --device-write-iops
--blkio-weight-device 10 -> 1000
11. ➔ Create an internal N-Tier architecture
networks: ( docker-compose 1.6+ & version: ‘2’ ) || --net=
➔ Think about inter-container communication
--icc=false + --link= (but deprecated), --ip-forward=
➔ Disable userland-proxy
--userland-proxy=false … saves memory & faster
➔ Use iptables and tc
Limit access and use QoS if necessary.
Networking
12. ➔ Set your typical soft & hard limits
Daemon: --default-ulimit nofile=50:100
Container: --ulimit nofile=50:100
compose 1.6+: ulimit: nofile: soft:50 hard:100
➔ Prevent fork bombs: threads / process limits
compose 1.6+: ulimits: nproc: soft:32 hard:64
Docker 1.11+
& Kernel 4.3+: --pids-limit (cgroup support)
➔ Think about your restart policy
restart: always? no?
System resources & ulimits
13. Namespaces
➔ Currently namespaced resources
Audit, cgroups, IPC, mount, NET, PID, Syslog, UID, UTS
--userns-remap=default (new in 1.10+), *but*:
Per daemon, not per container (--userns=host not yet in compose)
Volumes UID/GID also remapped...
Incompatible with IPC/PID/NET NS sharing...
i.e. --net=container:app1, --readonly filesystem...
➔ NOT (yet) Namespaced
The Kernel, LSM, UID (by default), keyring,
ring buffer (dmesg), /proc/{sys}, /sys, /dev/{shm} ...
➔ A lot of work & cleanup still required for namespaces
Many holes over the years:
CVE-2010-0006, CVE-2011-2189, CVE-2013-1858, CVE-2013-1956, CVE-2013-4205,
CVE-2014-4014, CVE-2014-5206, CVE-2014-5207, CVE-2014-8989, CVE-2015-8709, (!)
15. Seccomp (Secure Computing)
➔ Extremely granular filter
BPF filters of syscalls + arguments
Docker default blacklist (whitelist in the future)
➔ Use tools to create profiles
dockersl.im, genSeccomp.sh, etc.
strace -c -f -S name ls 2>&1 >/dev/null | tail -n +3 | head -n -2 | awk '{print $(NF)}'
➔ --seccomp:/path/profile.json
Disable default Seccomp filtering --seccomp:unconfined
➔ Use security_opt: - no-new-privileges
Keeps UID, GID & LSM Labels + can’t gain Capabilities/SUID
16. ➔ Swarm init / join
Expose master nodes carefully (hold cluster’s secrets)
Mutually auth. TLS, AES-GCM, 12 hours key rotation (Gossip / Raft)
➔ Use overlay network encryption
docker network create -d overlay -o encrypted mynet
- Keys shared with tasks & services, but not «docker run»
➔ Mutually authenticate your microservices too
Microservices should not rely on overlay encryption:
Authenticate & Encrypt [container ↔ container] communications
➔ «docker-compose bundle» - experimental status
Lacks support for most useful runtime security options, maybe in 1.13+?
Swarm Networking [1.12+]
17. ➔ Never use --privileged
Use granular solutions previously described
➔ Run process as a user
Don’t run inside container as root: use nobody
Remove SUID, strip unused files, etc.
➔ Layer as many security features
Not all of them will apply, work, be enabled, etc.
➔ Don’t forget to harden applications!
NGINX configs, exposed services, databases, etc.
Containers Runtime Security