SlideShare a Scribd company logo

Finding Your Way in Container Security

K
Ksenia Peguero

In the last few years, the popularity of DevSecOps and rich cloud services have been driving the adoption of containers in the software industry. Container architectures become increasingly complex, and organizations cannot escape using them. At the same time, attackers are finding new ways of exploiting containers and container architectures. Are you still new to containerization and infrastructure as code? Do you feel that your knowledge of application security suddenly doesn’t apply to the way applications are built and deployed using containers? Do you get lost in the IaC and container terminology soup? If so, this talk will help clear things up and answer your questions. We start with an introduction into container technologies, briefly go through the key terminology, explain the value that containers bring today, and why they are so popular. Then we will talk about the challenges that DevSecOps engineers have when using contains and the security aspects that they face. This presentation includes descriptions of common container threats and real-world examples of recent attacks. These threats will guide our discussion of the typical vulnerabilities and attack vectors. We will touch on well-known standards and resources for container security, such as OWASP Docker Top 10 project, Container Security Verification Standard, NIST Application Container Security Guide, and CIS Benchmarks. And we conclude with guidelines on how to secure containers and listing best practices that most organizations follow today.

1 of 28
Download to read offline
Ksenia Peguero October 20, 2022 Finding Your Way in Container Security
© 2022 Synopsys, Inc. 2 Synopsys Confidential Information whoami • Current: Sr. Manager of Research Engineering at Synopsys Software Integrity Group • Prior: Principal Consultant at Cigital/Synopsys • PhD in Computer Science • Mother • Ballroom dancing & diving • @KseniaDmitrieva
© 2022 Synopsys, Inc. 3 Synopsys Confidential Information Agenda • Introduction to container technologies • Challenges for DevSecOps engineers • Common container threats and real-world attacks • How to secure components of container infrastructure • Standards and resources for container security • Best practices to secure containers
© 2022 Synopsys, Inc. 4 Synopsys Confidential Information What is a container? • Containerization is not new. The first ones appeared in 1999 as FreeBSD Jails • Modern containers took off in 2013 (Docker) Containers is an executable unit of software in which application code is packaged, along with its libraries and dependencies, in common ways so that it can be run anywhere, whether it be on desktop, traditional IT, or the cloud. (IBM) • Containers use operating system virtualization – Uses namespaces and cgroups to isolate processes, CPU, memory, disk
© 2022 Synopsys, Inc. 5 Synopsys Confidential Information Containers vs Virtual Machines Hypervisor Hardware • Isolation of machines • Hardware virtualization Host OS Kernel Hardware • Process isolation • Operating system virtualization > Application virtualization C 1 C 2 C 3 C 4 Containers Virtual Machines VM1 OS VM2 OS VM3 OS VM4 OS
© 2022 Synopsys, Inc. 7 Synopsys Confidential Information Components of container infrastructure Container image image creation Image registry image storage and retrieval Orchestrator automating deployment, management, scaling, security management Container runtime >_ loading container images, spinning up containers, managing network, local resources Host OS running the container runtime
© 2022 Synopsys, Inc. 8 © 2022 Synopsys, Inc. 8 Synopsys Confidential Information Main benefits: • Lightweight • Portable and platform independent • Support modern development and architecture • Improve utilization of CPU and memory According to IBM report (2020), “containers are delivering real- world business benefits”: • Improved application quality • Faster time to market • Improved employee productivity • Higher customer satisfaction • Reduced application downtime https://www.ibm.com/downloads/cas/VG8KRPRM Benefits of using containers This Photo by Unknown Author is licensed under CC BY
© 2022 Synopsys, Inc. 9 Synopsys Confidential Information https://www.ibm.com/downloads/cas/VG8KRPRM Challenges of using containers (in 2020) Talent and knowledge Insufficient internal expertise Complexity of learning containerization strategies and technologies Challenges in redesigning existing on-premises enterprise application for containers Costs Uncertainty regarding the time and costs involved in container projects No clear way to assess ROI or track benefits concretely Difficulty predicting container performance, undermining confidence in meeting SLAs Management Difficulty cataloging, curating and managing containers as they proliferate across our environment Difficulty managing, sharing and securing data across containers Tooling Immaturity of internal, homegrown tools for container development and management Lack of enterprise-grade security capabilities
© 2022 Synopsys, Inc. 10 Synopsys Confidential Information Examples of Container Vulnerabilities • CVE-2014-9357 • CVE-2019-5021 • CVE-2019-15752 • CVE-2019-11246
© 2022 Synopsys, Inc. 11 Synopsys Confidential Information • Docker 1.3.2 – Used chroot sandboxing to extract archives – Victim calls docker pull to automatically unpack a malicious image or build • Attacker includes malicious xz binaries in the image or build • Victim creates a container using the malicious image or build • Privilege escalation => Attacker runs as root on the host OS • CVE severity – Critical • Vulnerability was fixed in Docker 1.3.3 CVE-2014-9357 Arbitrary code execution with root privileges
© 2022 Synopsys, Inc. 12 Synopsys Confidential Information Blank root password • Affects containers built with the Alpine Linux Docker image versions 3, 4, 5. • System credentials are typically stored in etc/shadow • Authentication mechanisms can be customized with different packages – Alpine Linux + shadow/PAM packages • Empty password for root user • Attacker hacks into container => easily switches to root • CVE Severity - Critical CVE-2019-5021 Root users on Alpine Linux containers have blank passwords.
© 2022 Synopsys, Inc. 13 Synopsys Confidential Information Trojan horse • Not the virus trojan horse • Docker Desktop Community Edition versions prior to 2.1.0.1 • Docker startup or authenticate invokes docker-credential-wincred.exe • Access controls of containing folder %PROGRAMDATA%DockerDesktopversi on-bin • Exploit: Replace the executable, keep the name • When Docker starts, the executable runs with user’s privilege (what if it was admin?) • CVE Severity - High CVE-2019-15752 Docker folder uses the default windows access control.
© 2022 Synopsys, Inc. 14 Synopsys Confidential Information • Affects Kubernetes versions older than 1.12.9, 1.13.6, and 1.14.2 • Command kubectl cp – copy files between host and containers – Packs into archive using tar – Transfers over network – Unpacks on the host • Compromised tar binary on the container => access to the host file system: – Adding malicious files – Overwriting existing files • CVE Severity - High CVE-2019-11246 Kubernetes File Manipulation
© 2022 Synopsys, Inc. 15 Synopsys Confidential Information Securing Containers: Risks and Mitigations • Container image • Image registry • Container runtime • Host OS • Orchestrator Container image Image registry Orchestrator Container runtime >_ Host OS
© 2022 Synopsys, Inc. 16 Synopsys Confidential Information Securing container images Mitigations • Use a minimalistic base OS, like Alpine Linux and Windows Nano Server • Keep the software in container images up-to-date • Periodically scan the containers for: – Known vulnerabilities / CVEs in the container layers – Misconfigurations of containers (Containerfiles/Dockerfiles) with a scanner (port misconfigurations, protocols, certificates, running as privileged users, etc.) – Malware – Hard-coded secrets • An organization should have a set of vetted images that are used across all teams • Maintain application security requirements for the code deployed on the container: – Maintain the frameworks/libraries/components up-to-date – Scan the internally-developed applications • Base OS functionality and components • Components missing critical security updates (component become outdated over time) • Configuration defects • Embedded malware • Leaking clear text secrets Risks
© 2022 Synopsys, Inc. 17 Synopsys Confidential Information Securing image registries Mitigations • Use private registry • Use secure connections to the registry • Harden the registry host • Use authentication and access control – E.g. developers can only write to the specific repository • Regularly monitor • Prune stale images • Only publish trusted images (that passed security requirements) • Ensure that only containers from your private registry can be used within the organization • Insecure connection • Leaking IP from the registry • Stale images Risks
© 2022 Synopsys, Inc. 18 Synopsys Confidential Information Securing container runtime Mitigations • Monitor container runtime for vulnerabilities (CVEs) and update it often • Control egress network traffic sent by containers – Traffic in the virtual network is encrypted. Therefore, traditional network controls (firewalls) may not work. – Dynamic IP assigned automatically. Therefore, IP- based controls won’t work. – Use app-aware tools • Use mandatory access control (MAC) technologies (file system, processes, network sockets, etc.) • CIS Benchmark for Docker • Use OS kernel level controls • Network risks between containers in the same runtime • Runtime misconfigurations: • Containers running in privileged mode • Containers mounting volumes in sensitive directories on the host OS Risks
© 2022 Synopsys, Inc. 19 Synopsys Confidential Information Securing host OS Mitigations • Use slim OS with additional kernel protection (e.g. SELinux) • Keep the OS up-to-date, monitor for vulnerabilities • Limit logins to the host OS, audit authentication • Monitoring for any unexpected behavior on the host (network, file system, processes, etc.) • Running “busted” containers • Malicious containers • Rogue containers • Containers with vulnerable layers • Containers with application security defects • Large attack surface • Shared kernel • Host OS components • Shared file system (mounting volumes) • Additional users of the OS Risks
© 2022 Synopsys, Inc. 20 Synopsys Confidential Information Host OS Can we forget about application security? Scenario: vulnerable application in a container Secure/vetted Container Container Marketing web app Public Internet DB Engine SQL injection Payload: SQLi to RCE Container Container Container Mitigations: • Limit egress: to an internal subnet or (better) application protocols • No internet access • Only needed internal network access • Restrict DB user: deny running OS commands Service managing bounties for Bug Bounty program RCE: network scan
© 2022 Synopsys, Inc. 21 Synopsys Confidential Information Securing orchestration platforms Risks • Unnecessary administrative access • Unauthorized access (to containers and data storage volumes) • Compliance risk – encrypting data at rest • Network risks – traffic from different applications sharing the same virtual network • Orchestrator node trust Mitigations • Limit the number of privileged users • Access control linked to the company user directory • Encrypting data storage volumes • Segmentation, segmentation, segmentation: – Virtual networks by sensitivity level (if by app is not possible) – Host “pinning” by sensitivity levels (individually managed clusters) Aerial view of the Forbidden City, Beijing (© Google Earth 2021) Defense in depth
© 2022 Synopsys, Inc. 22 Synopsys Confidential Information Container Security Resources
© 2022 Synopsys, Inc. 23 Synopsys Confidential Information OWASP Docker Top 10 Draft in progress. Not a list of top 10 vulnerabilities or risks, but a list of top 10 controls. Document: https://github.com/OWASP/Docker- Security/blob/main/dist/owasp-docker- security.pdf • Use it as guidance during the design phase, for auditing an existing environment, or procuring a new one • Focuses on Docker, but could be applied to containers in general • Orchestrator security risks are out of scope for this list, but container networking is in scope D01 - Secure User Mapping D02 - Patch Management Strategy D03 - Network Segmentation and Firewalling D04 - Secure Defaults and Hardening D05 - Maintain Security Contexts D06 - Protect Secrets D07 - Resource Protection D08 - Container Image Integrity and Origin D09 - Follow Immutable Paradigm D10 - Logging https://owasp.org/www-project-docker-top-10/
© 2022 Synopsys, Inc. 24 Synopsys Confidential Information OWASP Container Security Verification Standard (CSVS) • The structure is based on the OWASP Application Security Verification Standard (ASVS) • Has overlap with Docker Top 10, but covers broader categories: – V1: Organizational (processes & people) – V2: Infrastructure – V3: Containers (Docker Top 10) – V4: Orchestration Management – V5: Image Distribution – V6: Secrets and Keys – V7: Network – V8: Storage – V9: Logging & Monitoring – V10: Integration – V11: Disaster Recovery – V12: Testing • This is a shorter standard, compared to CIS Benchmarks and NIST Application Container Security Guide https://owasp.org/www-project-container-security-verification-standard/migrated_content • Provides 3 security verification levels 1. For all containers 2. Containers with sensitive data or business logic 3. Critical containers (high value transactions, PII, medical data)
© 2022 Synopsys, Inc. 25 Synopsys Confidential Information NIST Special Publication 800-190 Application Container Security Guide https://doi.org/10.6028/NIST.SP.800-190 • Overview of Container Technology • Explains basic concepts of container and orchestrations • Discusses risks to the core components of container technologies • Contains a section on countermeasures for the listed risks • Provides threat scenario examples and considerations for the container technology life cycle NIST Application Container Security Guide Container Technology Architecture and Lifecycle Phases NIST SP 800-190
© 2022 Synopsys, Inc. 26 Synopsys Confidential Information Center for Internet Security (CIS) developed "more than 100 configuration guidelines across 25+ vendor product families to safeguard systems against today’s evolving cyber threats." • CIS Benchmarks include hardening guidelines for manual and automated steps CIS Docker Benchmark provides detailed guidelines in the following categories: • Host • Docker daemon and its config files • Container images and build files • Container runtime • Docker security operations • Docker Swarm CIS Docker Benchmark https://www.cisecurity.org/benchmark/docker
© 2022 Synopsys, Inc. 27 Synopsys Confidential Information 1. Harden all the systems 2. Use segmentation at all levels (clusters, hosts, networks) 3. Monitor all the components: scan, scan, scan 4. Introduce gates before publishing your images 5. Use vetted base images 6. Generate a Software Bill of Materials (SBOM) for every container image 7. Use an Application Security Orchestration and Correlation tool (ASOC) – Collects data from various AppSec sources – Consolidates and correlates the findings, prioritizing remediation efforts Best Practices of Securing Containers Defense in Depth
© 2022 Synopsys, Inc. 28 Synopsys Confidential Information Ksenia Peguero ksenia@synopsys.com Twitter: @KseniaDmitrieva https://www.synopsys.com/software
Thank You

Recommended

01. Kubernetes-PPT.pptx
01. Kubernetes-PPT.pptx01. Kubernetes-PPT.pptx
01. Kubernetes-PPT.pptx
TamalBanerjee16
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
Imesh Gunaratne
 
Red Hat Openshift Fundamentals.pptx
Red Hat Openshift Fundamentals.pptxRed Hat Openshift Fundamentals.pptx
Red Hat Openshift Fundamentals.pptx
ssuser18b1c6
 
Introduction to Docker storage, volume and image
Introduction to Docker storage, volume and imageIntroduction to Docker storage, volume and image
Introduction to Docker storage, volume and image
ejlp12
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
Introduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang NguyenIntroduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang Nguyen
Trang Nguyen
 
Barman (PostgreSql) manual
Barman (PostgreSql) manualBarman (PostgreSql) manual
Barman (PostgreSql) manual
Marcelo Pesallaccia
 
Kubernetes Workshop
Kubernetes WorkshopKubernetes Workshop
Kubernetes Workshop
loodse
 

Recommended

01. Kubernetes-PPT.pptx
01. Kubernetes-PPT.pptx01. Kubernetes-PPT.pptx
01. Kubernetes-PPT.pptx
TamalBanerjee16
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
Imesh Gunaratne
 
Red Hat Openshift Fundamentals.pptx
Red Hat Openshift Fundamentals.pptxRed Hat Openshift Fundamentals.pptx
Red Hat Openshift Fundamentals.pptx
ssuser18b1c6
 
Introduction to Docker storage, volume and image
Introduction to Docker storage, volume and imageIntroduction to Docker storage, volume and image
Introduction to Docker storage, volume and image
ejlp12
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
Introduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang NguyenIntroduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang Nguyen
Trang Nguyen
 
Barman (PostgreSql) manual
Barman (PostgreSql) manualBarman (PostgreSql) manual
Barman (PostgreSql) manual
Marcelo Pesallaccia
 
Kubernetes Workshop
Kubernetes WorkshopKubernetes Workshop
Kubernetes Workshop
loodse
 
Kubernetes
KubernetesKubernetes
Kubernetes
erialc_w
 
Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)
Idan Atias
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
Karthik Gaekwad
 
Kubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsKubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & Operators
SIGHUP
 
Docker를 활용한 손쉬운 ECS 활용기 - 김민태 (AUSG) :: AWS Community Day Online 2021
Docker를 활용한 손쉬운 ECS 활용기 - 김민태 (AUSG) :: AWS Community Day Online 2021Docker를 활용한 손쉬운 ECS 활용기 - 김민태 (AUSG) :: AWS Community Day Online 2021
Docker를 활용한 손쉬운 ECS 활용기 - 김민태 (AUSG) :: AWS Community Day Online 2021
AWSKRUG - AWS한국사용자모임
 
Gitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCDGitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCD
Haggai Philip Zagury
 
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...
xKinAnx
 
Linking Metrics to Logs using Loki
Linking Metrics to Logs using LokiLinking Metrics to Logs using Loki
Linking Metrics to Logs using Loki
Knoldus Inc.
 
Istio a service mesh
Istio a service meshIstio a service mesh
Istio a service mesh
Chandresh Pancholi
 
GitOps 101 Presentation.pdf
GitOps 101 Presentation.pdfGitOps 101 Presentation.pdf
GitOps 101 Presentation.pdf
ssuser31375f
 
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
Jo Hoon
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Martin Danielsson
 
nexus helm 설치, docker/helm repo 설정과 예제
nexus helm 설치, docker/helm repo 설정과 예제nexus helm 설치, docker/helm repo 설정과 예제
nexus helm 설치, docker/helm repo 설정과 예제
choi sungwook
 
Introduction to Kubernetes and Google Container Engine (GKE)
Introduction to Kubernetes and Google Container Engine (GKE)Introduction to Kubernetes and Google Container Engine (GKE)
Introduction to Kubernetes and Google Container Engine (GKE)
Opsta
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
Suraj Khetani
 
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in Kubernetes
The {code} Team
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into Containerd
Kohei Tokunaga
 
Docker Advanced registry usage
Docker Advanced registry usageDocker Advanced registry usage
Docker Advanced registry usage
Docker, Inc.
 
Kubernetes
KubernetesKubernetes
Kubernetes
Linjith Kunnon
 
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Henning Jacobs
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
Ksenia Peguero
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...
The Incredible Automation Day
 

More Related Content

What's hot

Kubernetes
KubernetesKubernetes
Kubernetes
erialc_w
 
Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)
Idan Atias
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
Karthik Gaekwad
 
Kubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsKubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & Operators
SIGHUP
 
Docker를 활용한 손쉬운 ECS 활용기 - 김민태 (AUSG) :: AWS Community Day Online 2021
Docker를 활용한 손쉬운 ECS 활용기 - 김민태 (AUSG) :: AWS Community Day Online 2021Docker를 활용한 손쉬운 ECS 활용기 - 김민태 (AUSG) :: AWS Community Day Online 2021
Docker를 활용한 손쉬운 ECS 활용기 - 김민태 (AUSG) :: AWS Community Day Online 2021
AWSKRUG - AWS한국사용자모임
 
Gitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCDGitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCD
Haggai Philip Zagury
 
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...
xKinAnx
 
Linking Metrics to Logs using Loki
Linking Metrics to Logs using LokiLinking Metrics to Logs using Loki
Linking Metrics to Logs using Loki
Knoldus Inc.
 
Istio a service mesh
Istio a service meshIstio a service mesh
Istio a service mesh
Chandresh Pancholi
 
GitOps 101 Presentation.pdf
GitOps 101 Presentation.pdfGitOps 101 Presentation.pdf
GitOps 101 Presentation.pdf
ssuser31375f
 
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
Jo Hoon
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Martin Danielsson
 
nexus helm 설치, docker/helm repo 설정과 예제
nexus helm 설치, docker/helm repo 설정과 예제nexus helm 설치, docker/helm repo 설정과 예제
nexus helm 설치, docker/helm repo 설정과 예제
choi sungwook
 
Introduction to Kubernetes and Google Container Engine (GKE)
Introduction to Kubernetes and Google Container Engine (GKE)Introduction to Kubernetes and Google Container Engine (GKE)
Introduction to Kubernetes and Google Container Engine (GKE)
Opsta
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
Suraj Khetani
 
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in Kubernetes
The {code} Team
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into Containerd
Kohei Tokunaga
 
Docker Advanced registry usage
Docker Advanced registry usageDocker Advanced registry usage
Docker Advanced registry usage
Docker, Inc.
 
Kubernetes
KubernetesKubernetes
Kubernetes
Linjith Kunnon
 
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Henning Jacobs
 

What's hot (20)

Kubernetes
KubernetesKubernetes
Kubernetes
 
Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
 
Kubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsKubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & Operators
 
Docker를 활용한 손쉬운 ECS 활용기 - 김민태 (AUSG) :: AWS Community Day Online 2021
Docker를 활용한 손쉬운 ECS 활용기 - 김민태 (AUSG) :: AWS Community Day Online 2021Docker를 활용한 손쉬운 ECS 활용기 - 김민태 (AUSG) :: AWS Community Day Online 2021
Docker를 활용한 손쉬운 ECS 활용기 - 김민태 (AUSG) :: AWS Community Day Online 2021
 
Gitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCDGitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCD
 
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...
 
Linking Metrics to Logs using Loki
Linking Metrics to Logs using LokiLinking Metrics to Logs using Loki
Linking Metrics to Logs using Loki
 
Istio a service mesh
Istio a service meshIstio a service mesh
Istio a service mesh
 
GitOps 101 Presentation.pdf
GitOps 101 Presentation.pdfGitOps 101 Presentation.pdf
GitOps 101 Presentation.pdf
 
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
nexus helm 설치, docker/helm repo 설정과 예제
nexus helm 설치, docker/helm repo 설정과 예제nexus helm 설치, docker/helm repo 설정과 예제
nexus helm 설치, docker/helm repo 설정과 예제
 
Introduction to Kubernetes and Google Container Engine (GKE)
Introduction to Kubernetes and Google Container Engine (GKE)Introduction to Kubernetes and Google Container Engine (GKE)
Introduction to Kubernetes and Google Container Engine (GKE)
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
 
Everything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in KubernetesEverything You Need To Know About Persistent Storage in Kubernetes
Everything You Need To Know About Persistent Storage in Kubernetes
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into Containerd
 
Docker Advanced registry usage
Docker Advanced registry usageDocker Advanced registry usage
Docker Advanced registry usage
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
 

Similar to Finding Your Way in Container Security

Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
Ksenia Peguero
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...
The Incredible Automation Day
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment Planning
Stephane Woillez
 
Understanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities pointsUnderstanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities points
Abdul Khan
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
OW2
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
Stephane Woillez
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
Dockers and kubernetes
Dockers and kubernetesDockers and kubernetes
Dockers and kubernetes
Dr Ganesh Iyer
 
Securing the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersSecuring the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux Containers
Massimiliano Mattetti
 
Outpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev opsOutpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev ops
Outpost24
 
Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data Scientists
Dr Ganesh Iyer
 
Container Security Essentials
Container Security EssentialsContainer Security Essentials
Container Security Essentials
DNIF
 
Linuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharborLinuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharbor
LinuxCon ContainerCon CloudOpen China
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
NETWAYS
 
Docker & aPaaS: Enterprise Innovation and Trends for 2015
Docker & aPaaS: Enterprise Innovation and Trends for 2015Docker & aPaaS: Enterprise Innovation and Trends for 2015
Docker & aPaaS: Enterprise Innovation and Trends for 2015
WaveMaker, Inc.
 
How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?
Manideep Konakandla
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Qualcomm Developer Network
 
(DVO311) Containers, Red Hat & AWS For Extreme IT Agility
(DVO311) Containers, Red Hat & AWS For Extreme IT Agility(DVO311) Containers, Red Hat & AWS For Extreme IT Agility
(DVO311) Containers, Red Hat & AWS For Extreme IT Agility
Amazon Web Services
 
Containers 101
Containers 101Containers 101
Containers 101
Black Duck by Synopsys
 
Docker
DockerDocker
Docker
Codeister Technolgoies
 

Similar to Finding Your Way in Container Security (20)

Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment Planning
 
Understanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities pointsUnderstanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities points
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
Dockers and kubernetes
Dockers and kubernetesDockers and kubernetes
Dockers and kubernetes
 
Securing the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersSecuring the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux Containers
 
Outpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev opsOutpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev ops
 
Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data Scientists
 
Container Security Essentials
Container Security EssentialsContainer Security Essentials
Container Security Essentials
 
Linuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharborLinuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharbor
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
 
Docker & aPaaS: Enterprise Innovation and Trends for 2015
Docker & aPaaS: Enterprise Innovation and Trends for 2015Docker & aPaaS: Enterprise Innovation and Trends for 2015
Docker & aPaaS: Enterprise Innovation and Trends for 2015
 
How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 
(DVO311) Containers, Red Hat & AWS For Extreme IT Agility
(DVO311) Containers, Red Hat & AWS For Extreme IT Agility(DVO311) Containers, Red Hat & AWS For Extreme IT Agility
(DVO311) Containers, Red Hat & AWS For Extreme IT Agility
 
Containers 101
Containers 101Containers 101
Containers 101
 
Docker
DockerDocker
Docker
 

Recently uploaded

UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 

Finding Your Way in Container Security

  • 1. Ksenia Peguero October 20, 2022 Finding Your Way in Container Security
  • 2. © 2022 Synopsys, Inc. 2 Synopsys Confidential Information whoami • Current: Sr. Manager of Research Engineering at Synopsys Software Integrity Group • Prior: Principal Consultant at Cigital/Synopsys • PhD in Computer Science • Mother • Ballroom dancing & diving • @KseniaDmitrieva
  • 3. © 2022 Synopsys, Inc. 3 Synopsys Confidential Information Agenda • Introduction to container technologies • Challenges for DevSecOps engineers • Common container threats and real-world attacks • How to secure components of container infrastructure • Standards and resources for container security • Best practices to secure containers
  • 4. © 2022 Synopsys, Inc. 4 Synopsys Confidential Information What is a container? • Containerization is not new. The first ones appeared in 1999 as FreeBSD Jails • Modern containers took off in 2013 (Docker) Containers is an executable unit of software in which application code is packaged, along with its libraries and dependencies, in common ways so that it can be run anywhere, whether it be on desktop, traditional IT, or the cloud. (IBM) • Containers use operating system virtualization – Uses namespaces and cgroups to isolate processes, CPU, memory, disk
  • 5. © 2022 Synopsys, Inc. 5 Synopsys Confidential Information Containers vs Virtual Machines Hypervisor Hardware • Isolation of machines • Hardware virtualization Host OS Kernel Hardware • Process isolation • Operating system virtualization > Application virtualization C 1 C 2 C 3 C 4 Containers Virtual Machines VM1 OS VM2 OS VM3 OS VM4 OS
  • 6. © 2022 Synopsys, Inc. 7 Synopsys Confidential Information Components of container infrastructure Container image image creation Image registry image storage and retrieval Orchestrator automating deployment, management, scaling, security management Container runtime >_ loading container images, spinning up containers, managing network, local resources Host OS running the container runtime
  • 7. © 2022 Synopsys, Inc. 8 © 2022 Synopsys, Inc. 8 Synopsys Confidential Information Main benefits: • Lightweight • Portable and platform independent • Support modern development and architecture • Improve utilization of CPU and memory According to IBM report (2020), “containers are delivering real- world business benefits”: • Improved application quality • Faster time to market • Improved employee productivity • Higher customer satisfaction • Reduced application downtime https://www.ibm.com/downloads/cas/VG8KRPRM Benefits of using containers This Photo by Unknown Author is licensed under CC BY
  • 8. © 2022 Synopsys, Inc. 9 Synopsys Confidential Information https://www.ibm.com/downloads/cas/VG8KRPRM Challenges of using containers (in 2020) Talent and knowledge Insufficient internal expertise Complexity of learning containerization strategies and technologies Challenges in redesigning existing on-premises enterprise application for containers Costs Uncertainty regarding the time and costs involved in container projects No clear way to assess ROI or track benefits concretely Difficulty predicting container performance, undermining confidence in meeting SLAs Management Difficulty cataloging, curating and managing containers as they proliferate across our environment Difficulty managing, sharing and securing data across containers Tooling Immaturity of internal, homegrown tools for container development and management Lack of enterprise-grade security capabilities
  • 9. © 2022 Synopsys, Inc. 10 Synopsys Confidential Information Examples of Container Vulnerabilities • CVE-2014-9357 • CVE-2019-5021 • CVE-2019-15752 • CVE-2019-11246
  • 10. © 2022 Synopsys, Inc. 11 Synopsys Confidential Information • Docker 1.3.2 – Used chroot sandboxing to extract archives – Victim calls docker pull to automatically unpack a malicious image or build • Attacker includes malicious xz binaries in the image or build • Victim creates a container using the malicious image or build • Privilege escalation => Attacker runs as root on the host OS • CVE severity – Critical • Vulnerability was fixed in Docker 1.3.3 CVE-2014-9357 Arbitrary code execution with root privileges
  • 11. © 2022 Synopsys, Inc. 12 Synopsys Confidential Information Blank root password • Affects containers built with the Alpine Linux Docker image versions 3, 4, 5. • System credentials are typically stored in etc/shadow • Authentication mechanisms can be customized with different packages – Alpine Linux + shadow/PAM packages • Empty password for root user • Attacker hacks into container => easily switches to root • CVE Severity - Critical CVE-2019-5021 Root users on Alpine Linux containers have blank passwords.
  • 12. © 2022 Synopsys, Inc. 13 Synopsys Confidential Information Trojan horse • Not the virus trojan horse • Docker Desktop Community Edition versions prior to 2.1.0.1 • Docker startup or authenticate invokes docker-credential-wincred.exe • Access controls of containing folder %PROGRAMDATA%DockerDesktopversi on-bin • Exploit: Replace the executable, keep the name • When Docker starts, the executable runs with user’s privilege (what if it was admin?) • CVE Severity - High CVE-2019-15752 Docker folder uses the default windows access control.
  • 13. © 2022 Synopsys, Inc. 14 Synopsys Confidential Information • Affects Kubernetes versions older than 1.12.9, 1.13.6, and 1.14.2 • Command kubectl cp – copy files between host and containers – Packs into archive using tar – Transfers over network – Unpacks on the host • Compromised tar binary on the container => access to the host file system: – Adding malicious files – Overwriting existing files • CVE Severity - High CVE-2019-11246 Kubernetes File Manipulation
  • 14. © 2022 Synopsys, Inc. 15 Synopsys Confidential Information Securing Containers: Risks and Mitigations • Container image • Image registry • Container runtime • Host OS • Orchestrator Container image Image registry Orchestrator Container runtime >_ Host OS
  • 15. © 2022 Synopsys, Inc. 16 Synopsys Confidential Information Securing container images Mitigations • Use a minimalistic base OS, like Alpine Linux and Windows Nano Server • Keep the software in container images up-to-date • Periodically scan the containers for: – Known vulnerabilities / CVEs in the container layers – Misconfigurations of containers (Containerfiles/Dockerfiles) with a scanner (port misconfigurations, protocols, certificates, running as privileged users, etc.) – Malware – Hard-coded secrets • An organization should have a set of vetted images that are used across all teams • Maintain application security requirements for the code deployed on the container: – Maintain the frameworks/libraries/components up-to-date – Scan the internally-developed applications • Base OS functionality and components • Components missing critical security updates (component become outdated over time) • Configuration defects • Embedded malware • Leaking clear text secrets Risks
  • 16. © 2022 Synopsys, Inc. 17 Synopsys Confidential Information Securing image registries Mitigations • Use private registry • Use secure connections to the registry • Harden the registry host • Use authentication and access control – E.g. developers can only write to the specific repository • Regularly monitor • Prune stale images • Only publish trusted images (that passed security requirements) • Ensure that only containers from your private registry can be used within the organization • Insecure connection • Leaking IP from the registry • Stale images Risks
  • 17. © 2022 Synopsys, Inc. 18 Synopsys Confidential Information Securing container runtime Mitigations • Monitor container runtime for vulnerabilities (CVEs) and update it often • Control egress network traffic sent by containers – Traffic in the virtual network is encrypted. Therefore, traditional network controls (firewalls) may not work. – Dynamic IP assigned automatically. Therefore, IP- based controls won’t work. – Use app-aware tools • Use mandatory access control (MAC) technologies (file system, processes, network sockets, etc.) • CIS Benchmark for Docker • Use OS kernel level controls • Network risks between containers in the same runtime • Runtime misconfigurations: • Containers running in privileged mode • Containers mounting volumes in sensitive directories on the host OS Risks
  • 18. © 2022 Synopsys, Inc. 19 Synopsys Confidential Information Securing host OS Mitigations • Use slim OS with additional kernel protection (e.g. SELinux) • Keep the OS up-to-date, monitor for vulnerabilities • Limit logins to the host OS, audit authentication • Monitoring for any unexpected behavior on the host (network, file system, processes, etc.) • Running “busted” containers • Malicious containers • Rogue containers • Containers with vulnerable layers • Containers with application security defects • Large attack surface • Shared kernel • Host OS components • Shared file system (mounting volumes) • Additional users of the OS Risks
  • 19. © 2022 Synopsys, Inc. 20 Synopsys Confidential Information Host OS Can we forget about application security? Scenario: vulnerable application in a container Secure/vetted Container Container Marketing web app Public Internet DB Engine SQL injection Payload: SQLi to RCE Container Container Container Mitigations: • Limit egress: to an internal subnet or (better) application protocols • No internet access • Only needed internal network access • Restrict DB user: deny running OS commands Service managing bounties for Bug Bounty program RCE: network scan
  • 20. © 2022 Synopsys, Inc. 21 Synopsys Confidential Information Securing orchestration platforms Risks • Unnecessary administrative access • Unauthorized access (to containers and data storage volumes) • Compliance risk – encrypting data at rest • Network risks – traffic from different applications sharing the same virtual network • Orchestrator node trust Mitigations • Limit the number of privileged users • Access control linked to the company user directory • Encrypting data storage volumes • Segmentation, segmentation, segmentation: – Virtual networks by sensitivity level (if by app is not possible) – Host “pinning” by sensitivity levels (individually managed clusters) Aerial view of the Forbidden City, Beijing (© Google Earth 2021) Defense in depth
  • 21. © 2022 Synopsys, Inc. 22 Synopsys Confidential Information Container Security Resources
  • 22. © 2022 Synopsys, Inc. 23 Synopsys Confidential Information OWASP Docker Top 10 Draft in progress. Not a list of top 10 vulnerabilities or risks, but a list of top 10 controls. Document: https://github.com/OWASP/Docker- Security/blob/main/dist/owasp-docker- security.pdf • Use it as guidance during the design phase, for auditing an existing environment, or procuring a new one • Focuses on Docker, but could be applied to containers in general • Orchestrator security risks are out of scope for this list, but container networking is in scope D01 - Secure User Mapping D02 - Patch Management Strategy D03 - Network Segmentation and Firewalling D04 - Secure Defaults and Hardening D05 - Maintain Security Contexts D06 - Protect Secrets D07 - Resource Protection D08 - Container Image Integrity and Origin D09 - Follow Immutable Paradigm D10 - Logging https://owasp.org/www-project-docker-top-10/
  • 23. © 2022 Synopsys, Inc. 24 Synopsys Confidential Information OWASP Container Security Verification Standard (CSVS) • The structure is based on the OWASP Application Security Verification Standard (ASVS) • Has overlap with Docker Top 10, but covers broader categories: – V1: Organizational (processes & people) – V2: Infrastructure – V3: Containers (Docker Top 10) – V4: Orchestration Management – V5: Image Distribution – V6: Secrets and Keys – V7: Network – V8: Storage – V9: Logging & Monitoring – V10: Integration – V11: Disaster Recovery – V12: Testing • This is a shorter standard, compared to CIS Benchmarks and NIST Application Container Security Guide https://owasp.org/www-project-container-security-verification-standard/migrated_content • Provides 3 security verification levels 1. For all containers 2. Containers with sensitive data or business logic 3. Critical containers (high value transactions, PII, medical data)
  • 24. © 2022 Synopsys, Inc. 25 Synopsys Confidential Information NIST Special Publication 800-190 Application Container Security Guide https://doi.org/10.6028/NIST.SP.800-190 • Overview of Container Technology • Explains basic concepts of container and orchestrations • Discusses risks to the core components of container technologies • Contains a section on countermeasures for the listed risks • Provides threat scenario examples and considerations for the container technology life cycle NIST Application Container Security Guide Container Technology Architecture and Lifecycle Phases NIST SP 800-190
  • 25. © 2022 Synopsys, Inc. 26 Synopsys Confidential Information Center for Internet Security (CIS) developed "more than 100 configuration guidelines across 25+ vendor product families to safeguard systems against today’s evolving cyber threats." • CIS Benchmarks include hardening guidelines for manual and automated steps CIS Docker Benchmark provides detailed guidelines in the following categories: • Host • Docker daemon and its config files • Container images and build files • Container runtime • Docker security operations • Docker Swarm CIS Docker Benchmark https://www.cisecurity.org/benchmark/docker
  • 26. © 2022 Synopsys, Inc. 27 Synopsys Confidential Information 1. Harden all the systems 2. Use segmentation at all levels (clusters, hosts, networks) 3. Monitor all the components: scan, scan, scan 4. Introduce gates before publishing your images 5. Use vetted base images 6. Generate a Software Bill of Materials (SBOM) for every container image 7. Use an Application Security Orchestration and Correlation tool (ASOC) – Collects data from various AppSec sources – Consolidates and correlates the findings, prioritizing remediation efforts Best Practices of Securing Containers Defense in Depth
  • 27. © 2022 Synopsys, Inc. 28 Synopsys Confidential Information Ksenia Peguero ksenia@synopsys.com Twitter: @KseniaDmitrieva https://www.synopsys.com/software