Ensuring a secure foundation for your AWS Containers - Chris Swan's AWS Loft talk in London

•

0 likes•616 views

Cohesive Networks - Ensuring a secure foundation for your AWS Containers Chris Swan - AWS London Loft 29 September 2015 AWS has a few ways to run Docker - Elastic Container Service, Elastic Beanstalk or installing Docker into EC2 instances. Whichever you choose Docker makes it easy to build and ship software, so how do you make sure you're building on secure foundations and shipping without known vulnerabilities? Research has shown that many DockerHub images carry vulnerable software; how much of a problem is this for your usage pattern? It’s also possible to build your own images ‘FROM scratch’, what are the pros and cons of doing that? The Docker security benchmark contains recommendations on image contents (amongst many other sensible suggestions), how easy is it to comply with?

Chris Swan, CTO, @cpswan
Ensuring a secure foundation
for your AWS Containers

© 2015
Why me?
Used to do IT security for two major Swiss Banks
Started using Docker July 2013
and decided to incorporate it into our VNS3 product as a plugin mechanism
Docker became part of Cohesive Networks VNS3 in April 2014
real users in production
before Docker itself went 1.0
Regular contributor to InfoQ on Docker, security and containers

© 2015
The Docker promise – Build, Ship, Run

© 2015
Where did that code come FROM
(and is it secure)?

© 2015
Official Images with Vulnerabilities
Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/

© 2015
Packages in Official Images with High Priority Vulnerabilities
Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/

© 2015
General Images with Vulnerabilities
Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/

© 2015
Packages in General Images with High Priority Vulnerabilities
Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/

© 2015
It’s not as bad as it might look
Image bloat can mean lots of potentially vulnerable code that never gets run
leaves something of an unexploded minefield
Taint inheritance
fix the root cause – fix a lot of images
Worst cases lie in deprecated versions
but the continued use of known vulnerable old versions of things is how
we end up with stuff that gets attacked so easily

© 2015
Each active line creates a layer
Base OS
Sources
Update repos
Install nginx
Mod nginx.conf
Mod index.html

© 2015
The image is the unit of deployment

© 2015
What version of OpenSSL is installed?

© 2015
Problem 1 – non determinism
Whilst we want things to be cached in the short term e.g.:
apt-get install nginx
We perhaps don’t want it cached in the long term
What are those durations?

© 2015
Problem 2 – the manifest problem
When I run:
apt-get install nginx
I don’t know which version of nginx I just got
Should I?
nginx –v > some.log
Or maybe?
apt-cache policy nginx > some.log
Or should I have done this in the first place?
apt-get install nginx=1.1.19-1ubuntu0.7

© 2015
NB – These are package manager problems
But Docker is ‘the new package manager’
and it typically wraps the old ones

© 2015
So perhaps use a more sophisticated package manager

© 2015
Or avoid packages altogether
FROM scratch

© 2015
Overview of Docker Content Trust
Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/

© 2015
Protection against image forgery
Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/

© 2015
Protection against replay attacks
Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/

© 2015
Protection against key compromise
Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/

© 2015
Key components of Docker Content Trust

© 2015
And there’s an accompanying tool
Image credit: https://www.docker.com/docker-security

© 2015
The benchmark covers
1.Host configuration
2.Docker daemon configuration
3.Docker daemon configuration files
4.Container Images and build file
5.Container runtime
6.Docker security operations

© 2015
For more detail
https://www.docker.com/docker-security
http://www.infoq.com/author/Chris-Swan

© 2015
And please check out Docker plugins to our VNS3
39
Isolated Docker containers within VNS3 allows Partners and Customers to
embed features and functions safely and securely into their Cloud Network.
Proxy Reverse Proxy Content Caching Load Balancer IDS Custom Container
Router Switch Firewall
Protocol
Redistributor
VPN
Concentrator
Scriptable
SDN
VNS3 Core Components

This document summarizes announcements from Microsoft Ignite about new products and technologies. It discusses Microsoft announcing the general availability of Windows Server 2016 and System Center 2016. It highlights Veeam's integration with Windows Server 2016 and new capabilities in Veeam Backup & Replication 9.5 like application-aware processing and integration with Microsoft enterprise applications like Active Directory, Exchange, SQL Server, and SharePoint. The document also notes Veeam's presence at Microsoft Ignite and availability of sessions on-demand on YouTube.

Migrating Java JBoss EAP Applications to Kubernetes With S2I

Konveyor Community

Watch presentation: https://youtu.be/9hDdg_Beui4 Despite the incredible pace of adoption of container orchestration platforms, the vast majority of EAP workloads are still running on VMs or bare metal. In a lot of cases enterprise operation teams are mandated to modernize and move these workloads to the cloud, and containerization and migration to Kubernetes is the natural destination. When talking about this migration path, we're often asked questions like: What's involved? How easy is it to move these workloads? How can you be sure of no code changes? What tools are there to assist with this effort? What are the benefits of moving workloads to Kubernetes? In this meetup, Philip Hayes, Runtimes Practice Lead at Red Hat, will provide answers to these questions and also include a step-by-step guide to migrating an EAP 7 application to Kubernetes.

CI/CD As first and last line of defence

Jimmy Dahlqvist

CI/CD (continuous integration/continuous delivery) aims to automate software delivery through repeatable processes. It acts as both the first and last line of defense by integrating automated testing into development workflows and deploying to production only when tests pass. The document outlines how CI/CD enables pull request testing, merge testing, nightly testing, blue/green deployments, canary releases, and chaos engineering to catch issues early and validate changes before production.

Continuous Delivery of Containers with Drone & Kontena

Jussi Nummelin

Jenkins in the real world - DevOpsCon 2017

Gianluca Arbezzano

There are a lot of Continuous Integration services but Jenkins is still one of the most used in most programming languages. In this talk I will share the CurrencyFair experience, how our IT Team made of 40 engineers manage CurrencyFair delivery with GitHub, Jenkins, Hubot and Slack on different environments. Artifact to guarantee the stability of your codebase, pipeline and some Jenkins’s plugins in order to create the most comfortable delivery flow for your projects.

Gerenciamento de container docker com kubernetes anselmo pfeifer - daitan g...

Daitan Group

This document provides an overview of Kubernetes presented by Anselmo Pfeifer. It defines Kubernetes as an open-source system for automating deployment, scaling, and management of containerized applications. It describes key Kubernetes concepts like pods, deployments, services, and how it provides portability, extensibility, and self-healing capabilities. The presentation concludes with examples of using Kubernetes locally and on Google Cloud and provides contact information for Anselmo Pfeifer.

Orchestrate Continuous Delivery with Jenkins and Docker

Nicolas De Loof

le "Continuous Delivery" est un sacré buzz word, et "Docker" encore plus, mais les blog que j'ai pu lire sur sujet ne proposent qu'un pipelines naif et minimaliste : compile, test, push docker image, et voilà. En 2015 Jenkins adresse clairement plus que de l'Integration Continue, et avec le support récent du workflow plugin nous pouvons orchestrer avec un DSL des pipelines de grande complexité. L'integration avec Docker lui donne encore plus de puissance. Pendant cette session, je vais construire un pipeline de CD from scratch pour montrer l'utilisation du workflow et sa flexibilité, ainsi que le support de Docker.

This document discusses using components with known vulnerabilities and provides recommendations and tools to address this issue. It begins with an overview of the OWASP top 10 issue of using vulnerable components and provides examples using the NodeJS decompress package and Ruby on Rails rubyzip gem. It then recommends regularly scanning for vulnerabilities, subscribing to security bulletins, and keeping components up-to-date. Finally, it introduces several open source tools for detecting vulnerable components, such as OWASP Dependency-Check and Dependency-Track, as well as standards for application security verification.

Best Practices for Running and Implementing Kubernetes

DevOps.com

Kubernetes has become the de-facto orchestration platform for the cloud-native era. However, the expensive trial-and-error and proof-of-concept activities associated with the transition can be daunting for many organizations. Join Fairwinds’ Site Reliability Engineers Ivan Fetch and Luke Reed, and President Kendall Miller as they discuss the best practices for running and implementing Kubernetes. They’ll also cover how engineering leaders are successfully using Kubernetes to improve the reliability, security, and scalability of their applications and the key differences between Enterprise and SME Environments. Are you considering Kubernetes, but don't know where to start? Are you running Kubernetes in development, but the complexity is keeping you from pushing to production? This webinar will provide you with the right knowledge and insights for adopting Kubernetes at your organization. Topics include: Considerations and common pitfalls when implementing Kubernetes, Best practices for running Kubernetes in production, Security and cultural implications when adopting Kubernetes, Key differences between Enterprise and SME Environments.

Infrastructure under the magnifying glass

kreuzwerker GmbH

The agile movement is going on for quite a while now and a lot of companies acknowledged the values agile methodologies can generate. Hence agile is getting kind of an old hat and new movements emerge trying to proclaim new best practices for developing modern software. DevOps is one of these movements discussed in the recent days, but both share basic concepts. One of the aims of agile development is to bring development closer to QA. So the logical consequence of connecting both ideas is to also combine testing and operations.‘Why should we test our infrastructure?’ For me the answer to this question is quite simple: ‘Because infrastructure is code !’ Furthermore infrastructure is a crucial part of an application. It is basically the fundament of our app. Everyone just expects infrastructure to work, but the reality is quite different. Often the knowledge about infrastructure and its current status is isolated and if something goes wrong it triggers indescribable panic.Testing the infrastructure not only ensures that it works but also helps spreading knowledge about this black magic and making the current status more transparent to the team.Since the distribution of automated deployments and continuous delivery progresses quite extensively, experience in testing infrastructure will certainly become a skill many companies clamor for. This workshop reveals why this is an important part of the continuous delivery pipeline and includes a hands-on how to automate it.

Building a Scalable CI Platform using Docker, Drone and Rancher

Shannon Williams

In these slides from our online meetup from August of 2015, we discussed using Docker, Drone and Rancher to build a scalable CI/CD platform. Over the course of the session we discussed and demonstrated: • General Benefits of Docker for CI/CD • Why we decided to use Drone • How we deployed Drone with Docker Compose and Rancher • How we automate deployment of testing environments with Rancher • The latest news on Rancher and Docker You can view the recording here: https://youtu.be/86u8pVESbPQ

kreuzwerker about prowler - make best practises best practises

kreuzwerker GmbH

Node.js v15.0.0 is Now Available: A Quick Recap of the Latest Features in Node

Katy Slemon

This blog post summarizes the key features of the latest Node.js v15 release. Some of the major updates include support for AbortController to cancel promises, N-API version 7 for native modules, NPM 7 with workspaces and lockfiles, unhandled rejections now causing crashes, experimental support for the QUIC protocol, and updated V8 engine to version 8.6. While Node.js v15 introduces many new features, the post recommends using the long-term supported Node.js v14 for production as v15 support will end in June 2021.

Docker, the Future of Distributed Applications | Docker Tour de France 2014

Julien Barbier

This document provides a 10-minute overview of Docker by Julien Barbier, Jérôme Petazzoni and Victor Coisne of Zenika, Paris. It discusses how applications have changed from monolithic to distributed and microservices, and the problems this poses. It then introduces Docker as an "intermodal container" that provides consistency across hardware environments like shipping containers standardized global cargo transport. Docker allows applications to be easily developed, deployed and migrated. The document notes many major companies now use Docker and provides a case study of how New Relic migrated to Docker. It concludes by discussing Docker's growth in Europe.

adaptTo 2020 OakPAL in the Cloud Introduction

Mark Adamcin

Microservices - The good, The bad, The does and The don'ts

Frederik Mogensen

Bandit and Gosec - Security Linters

EricBrown328

This document discusses security linters Bandit and Gosec. It provides information on what each linter is, the types of security issues it can detect in Python and Go code respectively, how to configure and use each linter, examples of integrating the linters into development tools and workflows, and how to contribute to the open source projects. It also describes a yet-to-be-named GitHub App the presenter is working on that will automatically scan pull requests with Bandit and Gosec.

Dockerizing apps for the Deployment Platform of the Month with OSGi - David B...

mfrancis

OSGi Community Event 2016 Presentation by David Bosschaert (Adobe) & Carsten Ziegeler (Adobe) Docker is enjoying immense popularity today for deployment of nearly any type of app and new platforms that support Docker appear on a regular basis. While supporting Docker natively, many platforms have specific APIs to get them to work. As a dev you don’t want to lock yourself in to any of these. You want to keep the option open to switch to target platforms if the need arises. This talk outlines the OSGi Compute Management Service RFP 179 that abstracts over mechanisms to create and launch container nodes. It shows a system that allows you to swap Docker deployment platforms without the need to change your deployment management code. We’ll also talk about how OSGi Cloud Ecosystems RFC 183 can be used in this context for discovery of services, containers and frameworks.

Rohit yadav cloud stack internals

ShapeBlue

The document discusses Rohit Yadav and his work with Apache CloudStack. It provides an agenda for understanding CloudStack internals, including getting started as a user or developer, a guided tour of the codebase, common development patterns, and deep dives into key areas like system VMs, networking implementation, and plugins. The document outlines ways to join the CloudStack community and how to contribute code through GitHub pull requests.

Dear IT...I'd Like A Kubernetes Cluster

Shannon Williams

In September of 2016 I presented these slides in Amsterdam at Software Circus. The focus is on how developers and DevOps teams can work with corporate IT to look at developing Kubernetes-as-a-Service in their organization. I also demoed Rancher (http://www.rancher.com/rancher) to show how teams are providing an Enterprise Container Service to allow teams to easily build and deploy Kubernetes, Swarma nd Mesos clusters.

KITE Network Instrumentation: Advanced WebRTC Testing

Alexandre Gouaillard

INFA intern showcase for Summer Project

Arihant Sai Paruchuru

HahahahaAdyna Nala

How Will My Organization Absorb the Influx of New Patients? – Telehealth Cras...

Epstein Becker Green

The implementation of the Affordable Care Act (“ACA”) has forced U.S. health care organizations to think about how best to position themselves to take advantage of such a massive change. It has been estimated that the ACA will expand coverage to approximately 32 million individuals lawfully present in the United States. At the same time, the United States’ rapidly increasing aging population will account for an additional 15 more million seniors covered by Medicare. This incredible influx of elderly and newly insured patients is forcing an already overly burdened U.S. health care system to utilize and implement policies to adequately handle this expanded patient population. But how will health care organizations absorb this radical increase in potential patients? Many are exploring telehealth/telemedicine options as an integral component of their treatment paradigm. They also need to address where the additional health care professionals will come from if the United States is not producing sufficient numbers. In the final installment of EBG’s Telehealth Crash Course series, we will explore the potential health care immigration issues that employers should be aware of, as well as immigrant options that are available to help health care organizations recruit the foreign talent required to keep pace with a changing landscape. Epstein Becker Green Webinar - Presented by Kimberly N. Grant http://www.ebglaw.com/kimberly-n-grant/events/how-will-my-organization-absorb-the-influx-of-new-patients-telehealth-crash-course-webinar-series/ These materials have been provided for informational purposes only and are not intended and should not be construed to constitute legal advice. The content of these materials is copyrighted to Epstein Becker & Green, P.C. ATTORNEY ADVERTISING.

IM World presentation from Chris Swan: Application centric – how the cloud ha...

Ensuring a secure foundation for your AWS Containers - Chris Swan's AWS Loft talk in London

Recommended

Recommended

More Related Content

What's hot

What's hot (16)

Viewers also liked

Viewers also liked (11)

Similar to Ensuring a secure foundation for your AWS Containers - Chris Swan's AWS Loft talk in London

Similar to Ensuring a secure foundation for your AWS Containers - Chris Swan's AWS Loft talk in London (20)

More from Cohesive Networks

More from Cohesive Networks (20)

Recently uploaded

Recently uploaded (20)

Ensuring a secure foundation for your AWS Containers - Chris Swan's AWS Loft talk in London