Is Docker Secure?
Grehack’16 @France
Manideep K
Carnegie Mellon University
2
Shameless Bragging
• Masters Student + Security Researcher at Carnegie Mellon, Cylab
• Authored a book on Info Sec & Ethical Hacking at the age of 20
• Featured in India’s largest newspapers and news channels
• Trained 15,000+ people in Infosec including corporates, students & cyber cops
• 10 certifications : ISO 27001:2013 ISMS LA, CCNA, CEH, JNCIP-SEC etc.
• Ex Team Lead – Core Security & Data Analytics at TCS
• Interest areas : Container Security, Application Security etc.
More details about me on www.manideepk.com
3
What am I up to with Containers?
• Co-Authored CIS Docker 1.12 Benchmark
• Cloud Security Research Intern @Adobe
• Extensive research at Carnegie Mellon
4
Before we start
• How many of you know what containers are?
• How many of you used containers?
Personal / Enterprise development or production
• How many of you did not adopt containers because of security issues?
5
6-7 months of research in 30 minutes
Tough task, but we will do it
6
What are we doing for the next 30 mins?
• Intro
  - Containers in 60 seconds
  - Container pipeline and risk areas
• Sec…Security
  - Images
  - Container runtime
  - Hello enterprises
• Holistic pipeline view
• Wrap up
8
Quick “60 second” Intro – Containers in 60 seconds
Containers?
• Lightweight
• Application centric
• No more “it works on my machine”
• Micro-services
Namespaces : Isolation (PID, User, Network, IPC, Mount, UTS)
Cgroups : Isolates, limits and accounts for resource usage (CPU, memory etc.)
BUZZ……….! Are containers brand new?
Img Ref: www.docker.com
9
Container Pipeline & Risk Areas
• Client <=> daemon communication
• Communication with public/private registry
• Registry’s security
• Host security
• Daemon security
• Containers
• Images
Ref: Modified version of image on www.docker.com
11
Containers do not contain
• 53% of decision makers are worried about the security of containers*
• Containers are not production-ready
• Container security (Docker) has developed “a lot” in the past two years, is still developing and has a lot of scope
• Docker containers are now “production-ready**”. Google spins up more than 2 billion containers per week
• Containers are the “FUTURE”
* Forrester/Red Hat Report, January 2015    ** You have to make them secure
12
“Images” Security
Lifecycle of An Image
• Where can I get Images?
- Docker hub public
- Docker Private Store (Beta)
• Can I use them (directly)?
- No! Not Docker hub (at least general images) for enterprises (personal?)
- How about Docker Private store?
• Official images are scanned with Nautilus (general images are not)
- Reports can be seen by opening tags on Hub
13
My Analysis with Images
• Downloaded 50 images from the Hub; the first image analyzed had XSS and CSRF vulnerabilities
www.vulnerability-lab.com/get_content.php?id=1802
www.vulnerability-lab.com/get_content.php?id=1803
• Some others (including official images) are using vulnerable versions of OpenSSL, glibc, tar, bash etc. and are vulnerable to Heartbleed, Shellshock etc.
• Analyzed manually and also with the Twistlock tool
14
Quick Facts from the Banyanops 2015 Analysis report*
30% of official images are vulnerable
70% of general images are vulnerable
How well do the stats of the report hold today?
* Ref: https://banyanops.com/blog/analyzing-docker-hub/
15
Manideep, what to do now?
• Enterprises - Build your own in-house registry, referring to the CIS Docker 1.12 benchmark
  - Write Dockerfiles securely (version pinning mechanisms, creating a user etc.)
  - Maintain and consume them securely (Docker Content Trust, frequent scanning etc.)
• Personal users - HMM….HMm...Hmm..mmm (Private store?)
16
Container Runtime - Messy Slide, Sorry!
• Breakout of a container and attack on the host / other containers
• The major problem is the “shared kernel”
• Beware of and fix the bizarre Docker defaults (a few below), else you will be in big trouble
  a) Containers can consume the entire memory, causing DoS
  b) Containers can communicate with each other, leading to sniffing etc.
  c) Containers are on the same bridge, leading to ARP spoofing, MITM etc.
  d) Containers have no fork limit, allowing a fork bomb
  e) Containers run as root – do you still want to know the impact?
  f) Users with Docker daemon access have effective root privileges
• Isolation / Security
  - Namespaces - Beware of the non-namespaced kernel keyring, SYS_TIME etc., and do not share namespaces unless and until needed
  - Seccomp - A single vulnerability in a system call tore containers apart (a Linux vulnerability, but it impacted Docker – CanSecWest’16)
  - LSMs - SELinux and AppArmor
  - Capabilities - Do not use privileged containers, and set the flag that prevents acquiring any additional privileges
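An audit of the defaults in this list as they surface in `docker inspect` and `daemon.json`, as an added example that is not part of the talk or of the CIS benchmark: the two inspect documents and the seccomp profile path are constructed, point b) (ICC) is checked at the daemon level because it is not visible per container, and point f) is checked as a bind-mounted daemon socket.

```python
"""Audit a container's settings against the Docker defaults the slide lists
(memory, ICC, pids, root, daemon access, namespaces, seccomp, LSM,
capabilities). Added example, not the talk's or the CIS benchmark's tooling.
The two inspect documents are constructed to mimic `docker inspect` output."""
import json
from typing import Any, Dict, List

# Constructed: what `docker inspect` shows for a plain `docker run` with the
# daemon socket bind-mounted in (all other settings left at their defaults).
DEFAULT_CONTAINER = json.loads("""
{
  "Name": "/careless",
  "Config": {"User": ""},
  "HostConfig": {
    "Memory": 0, "PidsLimit": 0, "Privileged": false,
    "CapAdd": null, "CapDrop": null, "SecurityOpt": null,
    "PidMode": "", "IpcMode": "", "NetworkMode": "default",
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]
  }
}
""")

# Constructed: the same container started with --memory, --pids-limit,
# --user, --cap-drop=ALL and --security-opt no-new-privileges plus a
# custom seccomp profile (the profile path is a placeholder).
HARDENED_CONTAINER = json.loads("""
{
  "Name": "/careful",
  "Config": {"User": "app"},
  "HostConfig": {
    "Memory": 268435456, "PidsLimit": 100, "Privileged": false,
    "CapAdd": null, "CapDrop": ["ALL"],
    "SecurityOpt": ["no-new-privileges", "seccomp=/etc/docker/app-seccomp.json"],
    "PidMode": "", "IpcMode": "", "NetworkMode": "default",
    "Binds": []
  }
}
""")


def audit_container(inspect: Dict[str, Any]) -> List[str]:
    """Findings for one container; an empty list means none of the listed
    defaults is in effect."""
    hc, cfg = inspect["HostConfig"], inspect["Config"]
    findings = []
    if not hc.get("Memory"):                       # a) 0 means unlimited
        findings.append("no memory limit: one container can exhaust host RAM (DoS)")
    if not hc.get("PidsLimit"):                    # d) 0/null means unlimited
        findings.append("no pids limit: a fork bomb starves the host")
    if cfg.get("User", "") in ("", "root", "0"):   # e)
        findings.append("runs as root inside the container")
    for bind in hc.get("Binds") or []:             # f) socket = daemon access
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("daemon socket mounted: effective root on the host")
    for ns in ("PidMode", "IpcMode", "NetworkMode"):   # shared namespaces
        if hc.get(ns) == "host":
            findings.append(f"{ns}=host: shares the host namespace")
    sec = hc.get("SecurityOpt") or []
    for opt in sec:                                # seccomp / LSM switched off
        if opt.endswith("=unconfined"):
            findings.append(f"{opt.split('=')[0]} profile disabled")
    if hc.get("Privileged"):                       # capabilities
        findings.append("privileged container: every capability, host devices")
    if hc.get("CapAdd"):
        findings.append("extra capabilities: " + ", ".join(hc["CapAdd"]))
    if "no-new-privileges" not in sec:
        findings.append("no-new-privileges unset: setuid binaries can regain privileges")
    return [f"{inspect.get('Name', '?')}: {f}" for f in findings]


def audit_daemon_config(daemon_json: Dict[str, Any]) -> List[str]:
    """Daemon-level defaults (/etc/docker/daemon.json): b) inter-container
    communication on the default bridge, the user-namespace remap that turns
    container root into an unprivileged host uid, and the daemon-wide
    no-new-privileges default."""
    findings = []
    if daemon_json.get("icc", True):
        findings.append("icc enabled: containers on the default bridge can reach each other")
    if not daemon_json.get("userns-remap"):
        findings.append("userns-remap unset: container root is host root")
    if not daemon_json.get("no-new-privileges"):
        findings.append("no-new-privileges not set as daemon default")
    return findings


if __name__ == "__main__":
    for c in (DEFAULT_CONTAINER, HARDENED_CONTAINER):
        print("\n".join(audit_container(c)) or c["Name"] + ": clean")
    print(audit_daemon_config({}))
```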
17
Hello enterprises (applies to personal users too)
• Use tools (e.g. Twistlock, Scalock, Nautilus) which allow you to (not all of them do every task):
  a) Use only signed / XYZ images
  b) Scan images “efficiently” and frequently
  c) Profile containers automatically etc.
• Tune the CIS benchmark to your org’s requirements and adhere to it
  - Seccomp profiles, AppArmor/SELinux modules, SIEM/monitoring etc.
• Group containers on VMs (based on trust, operational categories etc.)
• Employ separate patch management, vulnerability assessment etc. procedures for containers
19
Container pipeline (Holistic View)
• Client <=> daemon communication
• Communication with public/private registry
• Registry’s security
• Host security
• Daemon security
• Containers
• Images
Img Ref: Modified version of image on www.docker.com
21
So, what did you learn today?
Docker containers are not secure; you have to make them secure…!
22
It’s not good to keep questions in your mind
Throw them out and I am here to catch 
23
References
1. CIS Docker Benchmark 1.12
2. https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf
3. www.oreilly.com/webops-perf/free/files/docker-security.pdf
4. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
5. http://www.slideshare.net/Docker/docker-security-workshop-slides
6. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231
7. https://docs.docker.com/engine/security/
8. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence
24
Hope you enjoyed…!
Reach me on www.manideepk.com for any questions

 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 

Is Docker Secure?

  • 1. Is Docker Secure? Grehack'16 @France. Manideep K, Carnegie Mellon University
  • 2. Shameless Bragging
    - Masters student + security researcher at Carnegie Mellon, CyLab
    - Authored a book on Info Sec & Ethical Hacking at the age of 20
    - Featured in India's largest newspapers and news channels
    - Trained 15,000+ people in infosec, including corporates, students & cyber cops
    - 10 certifications: ISO 27001:2013 ISMS LA, CCNA, CEH, JNCIP-SEC etc.
    - Ex Team Lead, Core Security & Data Analytics at TCS
    - Interest areas: container security, application security etc.
    More details about me on www.manideepk.com
  • 3. What am I up to with Containers?
    - Co-authored the CIS Docker 1.12 Benchmark
    - Cloud Security Research Intern @Adobe
    - Extensive research at Carnegie Mellon
  • 4. Before we start
    - How many of you know what containers are?
    - How many of you have used containers? (Personal / enterprise development or production)
    - How many of you did not adopt containers because of security issues?
  • 5. 6-7 months of research in 30 minutes. Tough task, but we will do it.
  • 6. What are we doing for the next 30 mins?
    - Intro: containers in 60 seconds; container pipeline and risk areas
    - Sec…Security: images; container runtime; hello enterprises
    - Holistic pipeline view
    - Wrap up
  • 7. What are we doing for the next 30 mins? (agenda repeated, as on slide 6)
  • 8. Quick "60 second" Intro. Containers?
    - Lightweight
    - Application centric
    - No more "it works on my machine"
    - Micro-services
    Namespaces: isolation (PID, User, Network, IPC, Mount, UTS)
    Cgroups: isolate, limit and account for resource usage (CPU, memory etc.)
    BUZZ……….! Are containers brand new? (Img ref: www.docker.com)
  • 9. Container Pipeline & Risk Areas: client <=> daemon communication; communication with the public/private registry; registry's security; host security; daemon security; containers; images. (Ref: modified version of an image on www.docker.com)
  • 10. What are we doing for the next 30 mins? (agenda repeated, as on slide 6)
  • 11. What people say about containers
    - "Containers do not contain"
    - 53% of decision makers are worried about the security of containers*
    - Containers are not production-ready
    - Container security (Docker) has developed "a lot" in the past two years, is still developing and has a lot of scope
    - Docker containers are now "production-ready"**. Google spins up more than 2 billion containers per week
    - Containers are the "FUTURE"
    * Forrester/Red Hat report, January 2015
    ** You have to make them secure
  • 12. "Images" Security: lifecycle of an image
    - Where can I get images? Docker Hub (public); Docker Private Store (beta)
    - Can I use them (directly)? No! Not Docker Hub (at least the general, non-official images) for enterprises (personal use?). How about the Docker Private Store?
    - Official images are scanned with Nautilus (general images are not); the reports can be seen by opening an image's tags on Hub
  • 13. My Analysis with Images
    - Downloaded 50 images from Hub; the first image analyzed has XSS and CSRF vulns: www.vulnerability-lab.com/get_content.php?id=1802 and www.vulnerability-lab.com/get_content.php?id=1803
    - Some others (including official images) use vulnerable versions of OpenSSL, glibc, tar, bash etc. and are vulnerable to Heartbleed, Shellshock etc.
    - Analyzed manually and also with the Twistlock tool
  • 14. Quick Facts from the Banyanops 2015 Analysis report*
    - 30% of official images are vulnerable
    - 70% of general images are vulnerable
    How well do the stats of the report hold today?
    * Ref: https://banyanops.com/blog/analyzing-docker-hub/
  • 15. Manideep, What to do now?
    - Enterprises: build your own in-house registry, referring to the CIS Docker 1.12 document
      • Write Dockerfiles securely (version pinning mechanisms, creating a user etc.)
      • Maintain and consume them securely (Docker Content Trust, frequent scanning etc.)
    - Personal users: HMM….HMm...Hmm..mmm (Private Store?)
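The Dockerfile hygiene points on slide 15 (pinned base image, pinned package versions, a non-root user), turned into a small static check. This is an added example for this page, not code from the talk or from the CIS benchmark; the two Dockerfiles are constructed for the demo, and the digest and package versions in the hardened one are placeholders, not real values to copy.

```python
"""Static checks for the Dockerfile hygiene points on slide 15.
Added example for this page, not code from the talk or the CIS benchmark;
the Dockerfiles below are constructed, and the digest/versions are placeholders."""
import re

# Constructed "before": unpinned base image, unpinned packages, remote ADD, runs as root.
WEAK_DOCKERFILE = """\
FROM ubuntu
RUN apt-get update && apt-get install -y \\
    curl nginx
ADD https://example.invalid/app.tar.gz /opt/app/
CMD ["nginx", "-g", "daemon off;"]
"""

# Placeholder digest; a real build pins the digest that `docker pull` prints.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

# Constructed "after": tag + digest pinned, package versions pinned (placeholder
# versions), artifact copied from the build context, and a non-root USER.
HARDENED_DOCKERFILE = f"""\
FROM ubuntu:16.04@{PLACEHOLDER_DIGEST}
RUN apt-get update && apt-get install -y --no-install-recommends \\
    curl=7.47.0-1ubuntu2.1 nginx=1.10.0-0ubuntu0.16.04.4 \\
    && rm -rf /var/lib/apt/lists/*
COPY app/ /opt/app/
RUN useradd --system --no-create-home app
USER app
CMD ["nginx", "-g", "daemon off;"]
"""

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# "apt-get install <args>" up to the next shell operator or end of the RUN line.
APT_INSTALL_RE = re.compile(r"apt-get\s+install\b(.*?)(?:&&|;|\|\||$)", re.S)


def parse_instructions(text):
    """Join backslash continuations, drop comments and blank lines,
    and return (INSTRUCTION, arguments) pairs in file order."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf:
        logical.append(buf.strip())
    pairs = []
    for entry in logical:
        parts = entry.split(None, 1)
        pairs.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return pairs


def check_dockerfile(text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    has_nonroot_user = False
    for instr, args in parse_instructions(text):
        if instr == "FROM":
            image = args.split()[0]                 # ignore any "AS <stage>"
            if image == "scratch":
                continue
            name = image.rsplit("/", 1)[-1]         # strip registry:port/namespace
            if DIGEST_RE.search(image):
                continue                            # immutable reference, best case
            if ":" not in name or name.endswith(":latest"):
                findings.append(f"FROM {image}: base image not pinned (use a tag, better a digest)")
            else:
                findings.append(f"FROM {image}: tag pinned but no digest; tags are mutable")
        elif instr == "RUN":
            for m in APT_INSTALL_RE.finditer(args):
                pkgs = [t for t in m.group(1).split() if not t.startswith("-")]
                unpinned = [p for p in pkgs if "=" not in p]
                if unpinned:
                    findings.append(f"RUN apt-get install: unpinned packages {unpinned}")
        elif instr == "ADD":
            src = args.split()[0]
            if re.match(r"https?://", src):
                findings.append(f"ADD {src}: fetched at build time without verification; "
                                "COPY a checked artifact from the build context instead")
        elif instr == "USER":
            has_nonroot_user = args.strip() not in ("root", "0")
    if not has_nonroot_user:
        findings.append("no USER instruction: the container's processes run as root")
    return findings


if __name__ == "__main__":
    for label, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, check_dockerfile(df))
```

The checks are deliberately syntactic (no network, no registry lookup), which is what a pre-commit hook or registry-ingest gate can afford; pinning a tag alone still leaves the image mutable, so the check treats "tag but no digest" as a separate, lower-severity finding.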
  • 16. Container Runtime (messy slide, sorry!)
    - Break out of a container and attack the host / other containers; the major problem is the shared kernel
    - Beware of, and fix, bizarre Docker defaults (a few below), else you will be in big trouble:
      a) Containers can consume the entire memory of the host, causing DoS
      b) Containers can communicate with each other, leading to sniffing etc.
      c) Containers are on the same bridge, leading to ARP spoofing, MITM etc.
      d) Containers have no fork limit, allowing a fork bomb
      e) Containers run as root; do you still want to know the impact?
      f) Users with Docker daemon access have effective root privileges
    - Isolation / Security
      Namespaces: beware of resources that are not namespaced (kernel keyring, system time / SYS_TIME etc.) and do not share namespaces unless needed
      Seccomp: how a single vulnerability in a system call tore containers apart (a Linux vulnerability, but it impacted Docker; CanSecWest'16)
      LSMs: SELinux and AppArmor
      Capabilities: do not use privileged containers, and set the flag that prevents acquiring any additional privileges (no-new-privileges)
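The runtime defaults listed on slide 16, as an audit over `docker inspect` output. This is an added example for this page, not from the talk or from the CIS benchmark's audit scripts; both inspect documents are constructed and trimmed to the fields the checks read, and the letters in the findings refer to the list on slide 16. The `docker run` flags named in the comments are the stock Docker ones; inter-container communication itself is a daemon setting (`--icc=false`) that is not visible in a container's inspect output, so the check flags use of the default bridge instead.

```python
"""Audit `docker inspect` output for the risky runtime defaults on slide 16.
Added example for this page, not from the talk or from the CIS benchmark's audit
scripts; both inspect documents are constructed and trimmed to the fields read here."""
import json

# Constructed: fields `docker inspect` reports for `docker run -d nginx` with stock defaults.
DEFAULT_RUN = json.dumps([{
    "Id": "constructed-default",
    "Config": {"Image": "nginx", "User": ""},
    "HostConfig": {
        "Memory": 0, "PidsLimit": 0, "Privileged": False,
        "SecurityOpt": None, "CapAdd": None, "CapDrop": None,
        "NetworkMode": "default",
    },
}])

# Constructed: the same image started with the fixes for items a-e applied:
#   docker run -d --memory 256m --pids-limit 100 --user 10001 \
#     --cap-drop ALL --cap-add NET_BIND_SERVICE \
#     --security-opt no-new-privileges --network app_net nginx
# Item f (daemon access == root) is about who may reach the socket, not a container
# setting; item b additionally needs `--icc=false` on the daemon.
HARDENED_RUN = json.dumps([{
    "Id": "constructed-hardened",
    "Config": {"Image": "nginx", "User": "10001"},
    "HostConfig": {
        "Memory": 256 * 1024 * 1024, "PidsLimit": 100, "Privileged": False,
        "SecurityOpt": ["no-new-privileges"], "CapAdd": ["NET_BIND_SERVICE"],
        "CapDrop": ["ALL"], "NetworkMode": "app_net",
    },
}])

# Capabilities that hand a container a path to the host (SYS_TIME is the slide's own example).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_TIME",
                  "NET_ADMIN", "DAC_READ_SEARCH", "SYS_RAWIO"}


def audit_container(inspect_json):
    """Return (slide item, finding) pairs for one container; [] means all checks passed."""
    c = json.loads(inspect_json)[0]
    hc, cfg = c["HostConfig"], c["Config"]
    sec_opt = hc.get("SecurityOpt") or []              # null when no --security-opt was given
    cap_add = {x.upper().replace("CAP_", "") for x in (hc.get("CapAdd") or [])}
    findings = []
    if not hc.get("Memory"):                            # 0 = unlimited
        findings.append(("a", "no memory limit, container can exhaust host RAM (--memory)"))
    if not hc.get("PidsLimit"):                         # 0 or null = unlimited
        findings.append(("d", "no PID limit, a fork bomb exhausts the host's PIDs (--pids-limit)"))
    if hc.get("NetworkMode") in ("default", "bridge"):
        findings.append(("b/c", "on the shared docker0 bridge: sniffing/ARP spoofing between "
                                "containers (use a user-defined network; daemon --icc=false)"))
    if not cfg.get("User") or cfg["User"].split(":")[0] in ("root", "0"):
        findings.append(("e", "process runs as root (--user, or USER in the Dockerfile)"))
    if hc.get("Privileged"):
        findings.append(("caps", "--privileged: all capabilities and host devices"))
    if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in sec_opt):
        findings.append(("caps", "setuid/fscaps binaries can gain privileges "
                                 "(--security-opt no-new-privileges)"))
    # "seccomp=unconfined" / "apparmor=unconfined" (older syntax used ":" instead of "=")
    if any(o.split("=", 1)[0].split(":", 1)[0] in ("seccomp", "apparmor")
           and o.endswith("unconfined") for o in sec_opt):
        findings.append(("seccomp/LSM", "default seccomp or AppArmor profile disabled"))
    if cap_add & DANGEROUS_CAPS:
        findings.append(("caps", f"dangerous capabilities added: {sorted(cap_add & DANGEROUS_CAPS)}"))
    return findings


if __name__ == "__main__":
    for label, doc in (("stock defaults", DEFAULT_RUN), ("hardened", HARDENED_RUN)):
        print(label, audit_container(doc))
```

Run against real hosts with `docker inspect $(docker ps -q)` piped in one container at a time; the stock-defaults document trips five checks (a, d, b/c, e and the missing no-new-privileges flag), the hardened one none.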
  • 17. Hello enterprises (applies to personal users too)
    - Use tools (e.g. Twistlock, Scalock, Nautilus) which allow you to (not all of them do every task):
      a) use only signed / otherwise approved images
      b) scan images "efficiently" and frequently
      c) profile containers automatically etc.
    - Tune the CIS benchmark to your org's requirements and adhere to it: seccomp profiles, AppArmor/SELinux modules, SIEM/monitoring etc.
    - Group containers on VMs (based on trust, operational categories etc.)
    - Employ separate patch management, vulnerability assessment etc. procedures for containers
  • 18. What's next? (agenda repeated, as on slide 6)
  • 19. Container pipeline (Holistic View): client <=> daemon communication; communication with the public/private registry; registry's security; host security; daemon security; containers; images. (Img ref: modified version of an image on www.docker.com)
  • 20. What's next? (agenda repeated, as on slide 6)
  • 21. So, what did you learn today? Docker containers are not secure; you have to make them secure…!
  • 22. It's not good to keep questions in your mind. Throw them out and I am here to catch.
  • 23. References
    1. CIS Docker Benchmark 1.12
    2. https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf
    3. www.oreilly.com/webops-perf/free/files/docker-security.pdf
    4. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
    5. http://www.slideshare.net/Docker/docker-security-workshop-slides
    6. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231
    7. https://docs.docker.com/engine/security/
    8. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence
  • 24. Hope you enjoyed…! Reach me on www.manideepk.com for any questions