SlideShare a Scribd company logo

Owasp appsec container_security_supply_chain

Michele Chubirka
Michele Chubirka

Containers continue to mystify security practitioners, mostly because they don’t know how securing them fits into their existing vulnerability program. Is it a virtual machine that gets scanned by the same tools used for over a decade? Or is it an application package that should be tested by SCA, SAST and DAST tools? How do you manage the image or runtime vulnerabilities vs. the application security issues? This talk will focus on container security as a supply chain lifecycle problem and how to integrate validation at multiple points to achieve the ultimate goal of *assurance.* The talk is tool agnostic, because security of the supply chain is more about a alignment with the software development process than the integration of a single, magical tool.

Technology
1 of 39
PRESENTED BY: Michele Chubirka Container Security: It’s All About the Supply Chain
Container Security: It’s All About the Supply Chain • Michele Chubirka, aka "Mrs. Y.,” Chief Security Architect and professional contrarian. • Creator of the Healthy Paranoia Security Podcast and the Security SOC Puppets • Analyst, researcher, blogger, B2B writer, and Infosec Bene Gesserit • Pontificates on security architecture and “best practices.” • Views: those of my puppet sidekicks. chubirka@postmodernsecurity.com http://postmodernsecurity.com @MrsYisWhy Who Am I? Who Am I?
Container Security: It’s All About the Supply Chain Poll Where is your organization with using containers? 1. Just getting started, mostly using in development as we refactor applications for cloud-native technologies. 2. Evenly split between containers and full VMs and/or bare metal with an OS and application stack. 3. What’s a container?
Container Security: It’s All About the Supply Chain The Software Supply Chain Wait, Containers are Software?
Container Security: It’s All About the Supply Chain A set of processes that build a product. What is a Software Supply Chain?
Container Security: It’s All About the Supply Chain Container Supply Chain
Container Security: It’s All About the Supply Chain Supply Chain Threats From SLSA Security Framework Project https://slsa.dev/
Container Security: It’s All About the Supply Chain Software Supply Chain Risks From NIST “Defending Against Software Supply Chain Attacks.” 2021
Container Security: It’s All About the Supply Chain Example: Trojan Source The bidirectional algorithm in the Unicode specification allows reordering of characters through control sequences. You can use this to create source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. The attack uses control characters embedded in comments and strings to reorder source code characters in a way that changes its logic but is not visible to human reviewers. Attackers could target open source projects by injecting vulnerabilities, causing software dependent on these projects to inherit the vulnerability.
Container Security: It’s All About the Supply Chain What Is Supply Chain Security? Adding assurance to the software development process. • Creating confidence and trust in the source material and practices used. • Holistic view for protecting each stage in the software development lifecycle. • Approaching the SDLC as a set of business processes. • Validating the final product meets a reasonable set of security criteria to ensure it isn’t vulnerable. • Although not new, recent high-impact attacks (i.e. SolarWinds) have heightened the attention on software supply chains by governments and large private-sector organizations.
Container Security: It’s All About the Supply Chain What Is a Container? A Bunch of Software Ingredients
Container Security: It’s All About the Supply Chain A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings. https://www.docker.com/resources/what-container
Container Security: It’s All About the Supply Chain https://www.docker.com/resources/what-container Container Runtimes:containerd,CRIO-O, runc,gVisor,kata Past and Future: Virtual Machines vs. Containerization A container runtime is responsible for: running a container and other associated tasks such as downloading or unpacking the image.
Container Security: It’s All About the Supply Chain What’s Cooking? User Space vs Kernel Space • Virtual Machines run their own isolated kernels. There is no shared memory or execution space between these “guests” which run applications. • Without the addition of a virtual machine technology (e.g. Kata, Firecracker or gVisor), containers share the same host kernel.* • Linux Namespaces, Capabilities, Seccomp, SELinux, Apparmor and Cgroups can be used to enhance segregation between running container instances on the host.
Container Security: It’s All About the Supply Chain Images are filesystem bundles, built of layers corresponding to instructions in scripts or a dockerfile.
Container Security: It’s All About the Supply Chain What about lazy pulling? https://medium.com/nttlabs/startup-containers-in-lightning-speed-with-lazy-image-distribution-on-containerd-243d94522361
Container Security: It’s All About the Supply Chain https://merlijn.sebrechts.be/blog/2020-01-docker-podman-kata-cri-o/
Container Security: It’s All About the Supply Chain Huh?
Container Security: It’s All About the Supply Chain Container Mistakes • Container != full virtual machine or an AMI, you don’t want bloat. • You should avoid putting your entire monolithic application stack in a container. • The running instance != an image. Most use the term “container” interchangeably, but it’s important to know the difference. A container is just a software package, including its dependencies (libraries and application runtime) that will run in a dedicated area of user space. This is why the security of the supply chain is critical.
Container Security: It’s All About the Supply Chain Where Do You Get Your Container?
Container Security: It’s All About the Supply Chain Recipes for Container Images • Pull a base image from a public or private registry, add your code and configuration (i.e., layers). • Use a multi-stage build, selectively copying what you need in the image. • Without using a base or parent image, build an entire OCI-compliant image with a tool like Buildah. • Create a single-layer image “from scratch” using a statically compiled binary. • Make a distroless image that only includes the application and runtime dependencies.
Container Security: It’s All About the Supply Chain Use the Best Ingredients Trust Use a trusted source for base images. Validate Validate the image with a container security tool and/or Software Composition Analysis (SCA) tool to identify vulnerabilities. Economize Only add elements necessary for your microservice. Reduce Follow least privilege: don’t run root processes, don’t run the container as privileged. Limit Limit syscalls. Parameterize Don’t hardcode configs or embed credentials/secrets in the image, parameterize instead. Immutable Don’t add a shell, you shouldn’t login to a running instance. It should be immutable and ephemeral. Minimize Use techniques like Distroless or “from scratch” to eliminate unnecessary elements and layers. Automate Use the automation of a DevOps pipeline to ensure security validation is automatically performed with every build or change to the image.
Container Security: It’s All About the Supply Chain • Fry - Custom built or extended 3rd party images, deployed but changed during bootstrapping activity (eg. apt-get, curl), cannot attest • Bake - Custom built or extended 3rd party images, fully created with all dependencies as part of supply chain, attested and immutable • Buy - 3rd party or vendor images, deployed without changes, attested and immutable Bake or Buy, but never fry Fry, Bake, Buy
Container Security: It’s All About the Supply Chain Container Security Validation
Container Security: It’s All About the Supply Chain What Are Container Orchestrators? • An orchestrator handles the deployment and runtime lifecycle of running instances. • Scales instances up and down to meet demand. • Offers redundancy and availability options for running instances and hosts. • Load balancing, service discovery and health monitoring of container hosts and instances. • Ability to create virtual clusters with granular management of resources • Provides multi-tenant segregation through network segmentation and resource restrictions • Examples include Kubernetes, OpenShift, Mesos, Nomad • Cloud provider managed orchestrators: Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), Azure Kubernetes Service (AKS) • Capability to use policies with an entrypoint that ensures only instances that pass are allowed to run (Admission Control). Orchestrators provide the last “gate” for a container prior to runtime. With Kubernetes, various policy mechanisms (i.e. admission control) can validate and enforce attestation of the image.
Container Security: It’s All About the Supply Chain Poll What Container Orchestrator Are You Using? 1. Self-managed K8s FTW! 2. Cloud-provider managed K8s 3. OpenShift 4. Nomad or Mesos 5. I'm still betting on Docker Swarm
Container Security: It’s All About the Supply Chain CNCF – Principles of Supply Chain Security Establish and verify “trust” at every step in the process through a combination of code-signing, metadata, and cryptographic validation. Everything that can be automated should be automated and documented. This helps to prevent accidental errors and makes it easier to spot when things have gone wrong. Each step in the software build and supply chain process should be clearly defined with a precise, limited scope. Every actor within the supply chain (whether human or machine) must have a clearly defined role. This allows us to limit the permissions of these actors to exactly those needed. Every entity in a system must engage in “mutual authentication.” This means that no human, software process, or machine should be trusted to be who they say they are, they must demonstrate it.
Cloud Native Security Landscape
OWASP Software Component Verification Standard (SCVS) “The SCVS is a community-driven effort to establish a framework for identifying activities, controls, and best practices, which can help in identifying and reducing risk in a software supply chain.” V4 of the Package Management Control Objective includes: • Centralized Repositories • Repositories use strong authentication and TLS • Auditability • Code signing and verification
Container Security: It’s All About the Supply Chain Tiers of Container Technology Architecture From NIST SP 800-190 “Application Container Security Guide”
Container Security: It’s All About the Supply Chain BOMs, SBOMs, and DBOM, Oh My… An SBOM (software bill of materials) is a formal list of your software ingredients, including open source components and licenses. In response to recent software supply chain attacks, White House Executive Order 14028 defined software supply chain security criteria for federal information systems. This includes providing an SBOM (software bill of materials) to the purchaser for each product or publishing it on a web site. You can generate an SBOM for your software before packaging into a container or after, using tools such as Syft or Tern.
Container Security: It’s All About the Supply Chain DevSecOps Decisioning Principles • Security tools should integrate as decision points in a pipeline. • DevSecOps tool(s) should have a policy engine that can respond with a pass/fail decision for the pipeline. • Optimizes response time. “Fast and frugal” pipeline decisioning is preferred over customized scoring to better support velocity and consistency. • Supports separation of duties (SoD). • Save contextual risk scoring for release decisioning. • Does not exclude the need for detailed information provided as pipeline output. • Full inspection of the supply chain element to be decisioned, aka “slow path,” should be used when an element is unknown to the pipeline decisioner. • Minimal or incremental inspection of the supply chain element to be decisioned, aka “fast path,” should be used when an element is recognized (e.g. hash) by the pipeline decisioner. • Decision points should have a “fast path” available, where possible, to minimize any latency introduced from security decisioning. • Security policy engines should not be managed by the pipeline team, but externally by a security SME, to comply with SoD and reduce opportunities for subversion of security policy decisions during automation. • The goal is to optimize coverage. https://postmodernsecurity.com/2020/11/14/devsecops-decisioning-principles/
Container Security: It’s All About the Supply Chain What’s in Your Container Kitchen? A Real-World Use-Case
Container Security: It’s All About the Supply Chain Reminders • Small is beautiful: make your images compact, leaving out unnecessary libraries or binaries you don’t need for your individual microservice. • Who do you trust? What are the “trusted registries” that supply your base images? • Validate Validate Validate your images. They should be free of vulnerable libraries and components. • Container images shouldn’t need to run as privileged or have processes that run as root. • Don’t put credentials, keys or tokens into your image. • Reduce the listening ports needed in your container image, it just increases the attack surface and resources that need to be secured. • Make sure to use a standard runtime. Your current security tools might not support every possible flavor. • A container isn’t a host, it’s an ephemeral drop of rain. You shouldn’t be logging in and trying to change it, because it’s going to evaporate. Think drift prevention. • Only attested, immutable container images should run in your environment. • Automate, automate, automate your container builds and deploys. • Constantly re-evaluate your supply chain: verify source code, verify dependencies, sign and protect pipelines and artifacts.
References Container Basics https://washraf.gitbooks.io/the-docker ecosystem/content/Chapter%201/docker_vs_virtual_machines.html https://www.docker.com/resources/what-container https://opencontainers.org/ https://blog.aquasec.com/a-brief-history-of-containers-from-1970s-chroot-to-docker-2016 Unikernels, Microkernels, MicroVMs, container sandboxes https://nabla-containers.github.io/ https://gvisor.dev/docs/ https://katacontainers.io/ https://ubuntu.com/blog/what-is-kata-containers https://jornfranke.wordpress.com/2019/09/14/unikernels-software-containers-and-serverless-architecture-road-to-modularity/ https://firecracker-microvm.github.io/ Building Containers https://hub.docker.com/_/scratch#:~:text=0%20(specifically%2C%20docker%2Fdocker,1%2Dlayer%20image%20instead).&text=You%20can%20use %20Docker's%20reserved,starting%20point%20for%20building%20containers. https://buildah.io/ https://github.com/opencontainers/image-spec https://medium.com/better-programming/how-to-harden-your-containers-with-distroless-docker-images-c2abd7c71fdb https://github.com/GoogleContainerTools/distroless
References User space vs kernel space with containers: https://www.redhat.com/en/blog/architecting-containers-part-1-why-understanding-user-space-vs-kernel-space- matters#:~:text=Kernel%20Space%20Matters,- July%2029%2C%202015&text=While%20containers%20are%20sometimes%20treated,resources%20they%20need%20access%20to.&text=These%20file s%20and%20programs%20make%20up%20what%20is%20known%20as%20user%20space. Linux Namespaces: https://opensource.com/article/19/10/namespaces-and-containers-linux SELinux is a MAC mechanism used to provide fine-grained access control to a Linux host: https://www.projectatomic.io/docs/docker-and-selinux/ https://www.youtube.com/watch?v=_WOKRaM-HI4 Composition of a container image: https://dzone.com/articles/docker-layers-explained https://jfrog.com/knowledge-base/a-beginners-guide-to-understanding-and-building-docker-images/ Union Filesystem: https://washraf.gitbooks.io/the-docker-ecosystem/content/Chapter%201/Section%203/union_file_system.html https://blog.knoldus.com/unionfs-a-file-system-of-a-container/ https://containerd.io/scope/ https://docs.docker.com/storage/storagedriver/ https://github.com/opencontainers/runtime-spec/blob/master/bundle.md Hardening and minimizing a container image: https://www.secjuice.com/how-to-harden-docker-containers/ https://www.thoughtworks.com/radar/techniques/distroless-docker-images https://github.com/docker-slim/docker-slim https://medium.com/faun/how-to-build-a-docker-container-from-scratch-docker-basics-a-must-know-395cba82897b Recommended secrets patterns with containers: https://aws.amazon.com/blogs/database/design-patterns-to-access-cross-account-secrets-stored-in-aws-secrets-manager/ Injecting Vault Secrets into K8s Pods via a Sidecar https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar/
References The difference between a high-level and low-level container runtime: low-level runtimes focus on mechanics of actually running a container, while high-level runtimes add features such as management of container images, unpacking the image, and hand-off to the low-level runtime. https://merlijn.sebrechts.be/blog/2020-01-docker-podman-kata-cri-o/ https://www.ianlewis.org/en/container-runtimes-part-1-introduction-container-r While Docker was a key player in helping to popularize and standardize the image and runtime formats, it has since donated documentation and code to the OCI to further the mission of containerization as a vendor agnostic technology. https://opencontainers.org/faq/ Think of Docker to containers as Kleenex is to tissue. https://www.ianlewis.org/en/container-runtimes-part-1-introduction-container-r What is Kubernetes? https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/ What is OpenShift? https://www.openshift.com/learn/what-is-openshift What is Mesos? http://mesos.apache.org/documentation/latest/ Good case study for container takeover https://unit42.paloaltonetworks.com/azure-container-instances/ Container SBOM tools: https://github.com/anchore/syft https://github.com/tern-tools/tern
References White House Executive Order 14028 https://www.whitehouse.gov/briefing-room/presidential- actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ Dept of Commerce and NTIA The Minimum Elements For a Software Bill of Materials (SBOM) https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf Generate a Software Bill of Materials for a Container Image with Syft https://thenewstack.io/generate-a-software-bill-of-materials-for-a-container-image-with-syft/ SLSA framework https://slsa.dev/ OWASP Software Component Verification Standard https://owasp.org/www-project-software-component-verification- standard/ BUILDING RESILIENT SUPPLY CHAINS, REVITALIZING AMERICAN MANUFACTURING, AND FOSTERING BROAD-BASED GROWTH https://www.whitehouse.gov/wp-content/uploads/2021/06/100-day-supply-chain-review-report.pdf CNCF – Evaluating Your Supply Chain Security https://github.com/cncf/tag-security/blob/main/supply-chain- security/supply-chain-security-paper/secure-supply-chain-assessment.md CNCF – Software Supply Chain Best Practices https://github.com/cncf/tag-security/blob/main/supply-chain- security/supply-chain-security-paper/CNCF_SSCP_v1.pdf NIST Cyber Supply Chain Risk Management C-SCRM https://csrc.nist.gov/projects/cyber-supply-chain-risk-management NIST SP 800-190 Application Container Security Guide https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf

Recommended

Improving Response Times at Optum with Elastic APM
Improving Response Times at Optum with Elastic APMImproving Response Times at Optum with Elastic APM
Improving Response Times at Optum with Elastic APM
Elasticsearch
 
Automating security in aws with divvy cloud
Automating security in aws with divvy cloudAutomating security in aws with divvy cloud
Automating security in aws with divvy cloud
John Varghese
 
Azure and Predix
Azure and PredixAzure and Predix
Azure and Predix
Altoros
 
Aeris + Cassandra: An IOT Solution Helping Automakers Make the Connected Car ...
Aeris + Cassandra: An IOT Solution Helping Automakers Make the Connected Car ...Aeris + Cassandra: An IOT Solution Helping Automakers Make the Connected Car ...
Aeris + Cassandra: An IOT Solution Helping Automakers Make the Connected Car ...
DataStax
 
How eStruxture Data Centers is Using ECE to Rapidly Scale Their Business
How eStruxture Data Centers is Using ECE to Rapidly Scale Their BusinessHow eStruxture Data Centers is Using ECE to Rapidly Scale Their Business
How eStruxture Data Centers is Using ECE to Rapidly Scale Their Business
Elasticsearch
 
The Evolution of OpenStack – From Infancy to Enterprise
The Evolution of OpenStack – From Infancy to EnterpriseThe Evolution of OpenStack – From Infancy to Enterprise
The Evolution of OpenStack – From Infancy to Enterprise
Rackspace
 
How to Build Continuous Ingestion for the Internet of Things
How to Build Continuous Ingestion for the Internet of ThingsHow to Build Continuous Ingestion for the Internet of Things
How to Build Continuous Ingestion for the Internet of Things
Cloudera, Inc.
 
Cassandra and IoT
Cassandra and IoTCassandra and IoT
Cassandra and IoT
Russell Spitzer
 

Recommended

Improving Response Times at Optum with Elastic APM
Improving Response Times at Optum with Elastic APMImproving Response Times at Optum with Elastic APM
Improving Response Times at Optum with Elastic APM
Elasticsearch
 
Automating security in aws with divvy cloud
Automating security in aws with divvy cloudAutomating security in aws with divvy cloud
Automating security in aws with divvy cloud
John Varghese
 
Azure and Predix
Azure and PredixAzure and Predix
Azure and Predix
Altoros
 
Aeris + Cassandra: An IOT Solution Helping Automakers Make the Connected Car ...
Aeris + Cassandra: An IOT Solution Helping Automakers Make the Connected Car ...Aeris + Cassandra: An IOT Solution Helping Automakers Make the Connected Car ...
Aeris + Cassandra: An IOT Solution Helping Automakers Make the Connected Car ...
DataStax
 
How eStruxture Data Centers is Using ECE to Rapidly Scale Their Business
How eStruxture Data Centers is Using ECE to Rapidly Scale Their BusinessHow eStruxture Data Centers is Using ECE to Rapidly Scale Their Business
How eStruxture Data Centers is Using ECE to Rapidly Scale Their Business
Elasticsearch
 
The Evolution of OpenStack – From Infancy to Enterprise
The Evolution of OpenStack – From Infancy to EnterpriseThe Evolution of OpenStack – From Infancy to Enterprise
The Evolution of OpenStack – From Infancy to Enterprise
Rackspace
 
How to Build Continuous Ingestion for the Internet of Things
How to Build Continuous Ingestion for the Internet of ThingsHow to Build Continuous Ingestion for the Internet of Things
How to Build Continuous Ingestion for the Internet of Things
Cloudera, Inc.
 
Cassandra and IoT
Cassandra and IoTCassandra and IoT
Cassandra and IoT
Russell Spitzer
 
Addressing Challenges with IoT Edge Management
Addressing Challenges with IoT Edge ManagementAddressing Challenges with IoT Edge Management
Addressing Challenges with IoT Edge Management
DataWorks Summit
 
Become an IT Service Broker
Become an IT Service BrokerBecome an IT Service Broker
Become an IT Service Broker
Rackspace
 
Cloudera - The Modern Platform for Analytics
Cloudera - The Modern Platform for AnalyticsCloudera - The Modern Platform for Analytics
Cloudera - The Modern Platform for Analytics
Cloudera, Inc.
 
S3 Deduplication with StorReduce and Cloudian
S3 Deduplication with StorReduce and CloudianS3 Deduplication with StorReduce and Cloudian
S3 Deduplication with StorReduce and Cloudian
Cloudian
 
Kelley Blue Book Uses Big Data to Increase User Engagement Over 100%
Kelley Blue Book Uses Big Data to Increase User Engagement Over 100%Kelley Blue Book Uses Big Data to Increase User Engagement Over 100%
Kelley Blue Book Uses Big Data to Increase User Engagement Over 100%
Cloudera, Inc.
 
Cloudera training secure your cloudera cluster 7.10.18
Cloudera training secure your cloudera cluster 7.10.18Cloudera training secure your cloudera cluster 7.10.18
Cloudera training secure your cloudera cluster 7.10.18
Cloudera, Inc.
 
Migrate and Modernize Hadoop-Based Security Policies for Databricks
Migrate and Modernize Hadoop-Based Security Policies for DatabricksMigrate and Modernize Hadoop-Based Security Policies for Databricks
Migrate and Modernize Hadoop-Based Security Policies for Databricks
Databricks
 
Comment développer une stratégie Big Data dans le cloud public avec l'offre P...
Comment développer une stratégie Big Data dans le cloud public avec l'offre P...Comment développer une stratégie Big Data dans le cloud public avec l'offre P...
Comment développer une stratégie Big Data dans le cloud public avec l'offre P...
Cloudera, Inc.
 
Big Data: Myths and Realities
Big Data: Myths and RealitiesBig Data: Myths and Realities
Big Data: Myths and Realities
Toronto-Oracle-Users-Group
 
The 6th Wave of Automation: Automation of Decisions | Cloudera Analytics & Ma...
The 6th Wave of Automation: Automation of Decisions | Cloudera Analytics & Ma...The 6th Wave of Automation: Automation of Decisions | Cloudera Analytics & Ma...
The 6th Wave of Automation: Automation of Decisions | Cloudera Analytics & Ma...
Cloudera, Inc.
 
Enterprise Cloud transformation z pohledu Oracle
Enterprise Cloud transformation z pohledu OracleEnterprise Cloud transformation z pohledu Oracle
Enterprise Cloud transformation z pohledu Oracle
MarketingArrowECS_CZ
 
The Vision & Challenge of Applied Machine Learning
The Vision & Challenge of Applied Machine LearningThe Vision & Challenge of Applied Machine Learning
The Vision & Challenge of Applied Machine Learning
Cloudera, Inc.
 
Cloudera Data Impact Awards 2021 - Finalists
Cloudera Data Impact Awards 2021 - Finalists Cloudera Data Impact Awards 2021 - Finalists
Cloudera Data Impact Awards 2021 - Finalists
Cloudera, Inc.
 
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
Cloudera, Inc.
 
Cloudian HyperStore 5.0 Release What's New
Cloudian HyperStore 5.0 Release What's NewCloudian HyperStore 5.0 Release What's New
Cloudian HyperStore 5.0 Release What's New
Cloudian
 
Big data journey to the cloud maz chaudhri 5.30.18
Big data journey to the cloud maz chaudhri 5.30.18Big data journey to the cloud maz chaudhri 5.30.18
Big data journey to the cloud maz chaudhri 5.30.18
Cloudera, Inc.
 
When SAP alone is not enough
When SAP alone is not enoughWhen SAP alone is not enough
When SAP alone is not enough
Cloudera, Inc.
 
Introducing Workload XM 8.7.18
Introducing Workload XM 8.7.18Introducing Workload XM 8.7.18
Introducing Workload XM 8.7.18
Cloudera, Inc.
 
Blockchain and Apache NiFi
Blockchain and Apache NiFiBlockchain and Apache NiFi
Blockchain and Apache NiFi
Timothy Spann
 
Stl meetup cloudera platform - january 2020
Stl meetup cloudera platform - january 2020Stl meetup cloudera platform - january 2020
Stl meetup cloudera platform - january 2020
Adam Doyle
 
Best Practices To Secure Kubernetes Cluster
Best Practices To Secure Kubernetes ClusterBest Practices To Secure Kubernetes Cluster
Best Practices To Secure Kubernetes Cluster
Urolime Technologies
 
Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?
DevOps.com
 

More Related Content

What's hot

Addressing Challenges with IoT Edge Management
Addressing Challenges with IoT Edge ManagementAddressing Challenges with IoT Edge Management
Addressing Challenges with IoT Edge Management
DataWorks Summit
 
Become an IT Service Broker
Become an IT Service BrokerBecome an IT Service Broker
Become an IT Service Broker
Rackspace
 
Cloudera - The Modern Platform for Analytics
Cloudera - The Modern Platform for AnalyticsCloudera - The Modern Platform for Analytics
Cloudera - The Modern Platform for Analytics
Cloudera, Inc.
 
S3 Deduplication with StorReduce and Cloudian
S3 Deduplication with StorReduce and CloudianS3 Deduplication with StorReduce and Cloudian
S3 Deduplication with StorReduce and Cloudian
Cloudian
 
Kelley Blue Book Uses Big Data to Increase User Engagement Over 100%
Kelley Blue Book Uses Big Data to Increase User Engagement Over 100%Kelley Blue Book Uses Big Data to Increase User Engagement Over 100%
Kelley Blue Book Uses Big Data to Increase User Engagement Over 100%
Cloudera, Inc.
 
Cloudera training secure your cloudera cluster 7.10.18
Cloudera training secure your cloudera cluster 7.10.18Cloudera training secure your cloudera cluster 7.10.18
Cloudera training secure your cloudera cluster 7.10.18
Cloudera, Inc.
 
Migrate and Modernize Hadoop-Based Security Policies for Databricks
Migrate and Modernize Hadoop-Based Security Policies for DatabricksMigrate and Modernize Hadoop-Based Security Policies for Databricks
Migrate and Modernize Hadoop-Based Security Policies for Databricks
Databricks
 
Comment développer une stratégie Big Data dans le cloud public avec l'offre P...
Comment développer une stratégie Big Data dans le cloud public avec l'offre P...Comment développer une stratégie Big Data dans le cloud public avec l'offre P...
Comment développer une stratégie Big Data dans le cloud public avec l'offre P...
Cloudera, Inc.
 
Big Data: Myths and Realities
Big Data: Myths and RealitiesBig Data: Myths and Realities
Big Data: Myths and Realities
Toronto-Oracle-Users-Group
 
The 6th Wave of Automation: Automation of Decisions | Cloudera Analytics & Ma...
The 6th Wave of Automation: Automation of Decisions | Cloudera Analytics & Ma...The 6th Wave of Automation: Automation of Decisions | Cloudera Analytics & Ma...
The 6th Wave of Automation: Automation of Decisions | Cloudera Analytics & Ma...
Cloudera, Inc.
 
Enterprise Cloud transformation z pohledu Oracle
Enterprise Cloud transformation z pohledu OracleEnterprise Cloud transformation z pohledu Oracle
Enterprise Cloud transformation z pohledu Oracle
MarketingArrowECS_CZ
 
The Vision & Challenge of Applied Machine Learning
The Vision & Challenge of Applied Machine LearningThe Vision & Challenge of Applied Machine Learning
The Vision & Challenge of Applied Machine Learning
Cloudera, Inc.
 
Cloudera Data Impact Awards 2021 - Finalists
Cloudera Data Impact Awards 2021 - Finalists Cloudera Data Impact Awards 2021 - Finalists
Cloudera Data Impact Awards 2021 - Finalists
Cloudera, Inc.
 
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
Cloudera, Inc.
 
Cloudian HyperStore 5.0 Release What's New
Cloudian HyperStore 5.0 Release What's NewCloudian HyperStore 5.0 Release What's New
Cloudian HyperStore 5.0 Release What's New
Cloudian
 
Big data journey to the cloud maz chaudhri 5.30.18
Big data journey to the cloud maz chaudhri 5.30.18Big data journey to the cloud maz chaudhri 5.30.18
Big data journey to the cloud maz chaudhri 5.30.18
Cloudera, Inc.
 
When SAP alone is not enough
When SAP alone is not enoughWhen SAP alone is not enough
When SAP alone is not enough
Cloudera, Inc.
 
Introducing Workload XM 8.7.18
Introducing Workload XM 8.7.18Introducing Workload XM 8.7.18
Introducing Workload XM 8.7.18
Cloudera, Inc.
 
Blockchain and Apache NiFi
Blockchain and Apache NiFiBlockchain and Apache NiFi
Blockchain and Apache NiFi
Timothy Spann
 
Stl meetup cloudera platform - january 2020
Stl meetup cloudera platform - january 2020Stl meetup cloudera platform - january 2020
Stl meetup cloudera platform - january 2020
Adam Doyle
 

What's hot (20)

Addressing Challenges with IoT Edge Management
Addressing Challenges with IoT Edge ManagementAddressing Challenges with IoT Edge Management
Addressing Challenges with IoT Edge Management
 
Become an IT Service Broker
Become an IT Service BrokerBecome an IT Service Broker
Become an IT Service Broker
 
Cloudera - The Modern Platform for Analytics
Cloudera - The Modern Platform for AnalyticsCloudera - The Modern Platform for Analytics
Cloudera - The Modern Platform for Analytics
 
S3 Deduplication with StorReduce and Cloudian
S3 Deduplication with StorReduce and CloudianS3 Deduplication with StorReduce and Cloudian
S3 Deduplication with StorReduce and Cloudian
 
Kelley Blue Book Uses Big Data to Increase User Engagement Over 100%
Kelley Blue Book Uses Big Data to Increase User Engagement Over 100%Kelley Blue Book Uses Big Data to Increase User Engagement Over 100%
Kelley Blue Book Uses Big Data to Increase User Engagement Over 100%
 
Cloudera training secure your cloudera cluster 7.10.18
Cloudera training secure your cloudera cluster 7.10.18Cloudera training secure your cloudera cluster 7.10.18
Cloudera training secure your cloudera cluster 7.10.18
 
Migrate and Modernize Hadoop-Based Security Policies for Databricks
Migrate and Modernize Hadoop-Based Security Policies for DatabricksMigrate and Modernize Hadoop-Based Security Policies for Databricks
Migrate and Modernize Hadoop-Based Security Policies for Databricks
 
Comment développer une stratégie Big Data dans le cloud public avec l'offre P...
Comment développer une stratégie Big Data dans le cloud public avec l'offre P...Comment développer une stratégie Big Data dans le cloud public avec l'offre P...
Comment développer une stratégie Big Data dans le cloud public avec l'offre P...
 
Big Data: Myths and Realities
Big Data: Myths and RealitiesBig Data: Myths and Realities
Big Data: Myths and Realities
 
The 6th Wave of Automation: Automation of Decisions | Cloudera Analytics & Ma...
The 6th Wave of Automation: Automation of Decisions | Cloudera Analytics & Ma...The 6th Wave of Automation: Automation of Decisions | Cloudera Analytics & Ma...
The 6th Wave of Automation: Automation of Decisions | Cloudera Analytics & Ma...
 
Enterprise Cloud transformation z pohledu Oracle
Enterprise Cloud transformation z pohledu OracleEnterprise Cloud transformation z pohledu Oracle
Enterprise Cloud transformation z pohledu Oracle
 
The Vision & Challenge of Applied Machine Learning
The Vision & Challenge of Applied Machine LearningThe Vision & Challenge of Applied Machine Learning
The Vision & Challenge of Applied Machine Learning
 
Cloudera Data Impact Awards 2021 - Finalists
Cloudera Data Impact Awards 2021 - Finalists Cloudera Data Impact Awards 2021 - Finalists
Cloudera Data Impact Awards 2021 - Finalists
 
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
 
Cloudian HyperStore 5.0 Release What's New
Cloudian HyperStore 5.0 Release What's NewCloudian HyperStore 5.0 Release What's New
Cloudian HyperStore 5.0 Release What's New
 
Big data journey to the cloud maz chaudhri 5.30.18
Big data journey to the cloud maz chaudhri 5.30.18Big data journey to the cloud maz chaudhri 5.30.18
Big data journey to the cloud maz chaudhri 5.30.18
 
When SAP alone is not enough
When SAP alone is not enoughWhen SAP alone is not enough
When SAP alone is not enough
 
Introducing Workload XM 8.7.18
Introducing Workload XM 8.7.18Introducing Workload XM 8.7.18
Introducing Workload XM 8.7.18
 
Blockchain and Apache NiFi
Blockchain and Apache NiFiBlockchain and Apache NiFi
Blockchain and Apache NiFi
 
Stl meetup cloudera platform - january 2020
Stl meetup cloudera platform - january 2020Stl meetup cloudera platform - january 2020
Stl meetup cloudera platform - january 2020
 

Similar to Owasp appsec container_security_supply_chain

Best Practices To Secure Kubernetes Cluster
Best Practices To Secure Kubernetes ClusterBest Practices To Secure Kubernetes Cluster
Best Practices To Secure Kubernetes Cluster
Urolime Technologies
 
Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?
DevOps.com
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure Security
Ricky Sanders
 
Introducing a Security Feedback Loop to your CI Pipelines
Introducing a Security Feedback Loop to your CI PipelinesIntroducing a Security Feedback Loop to your CI Pipelines
Introducing a Security Feedback Loop to your CI Pipelines
Codefresh
 
The Art of Cloud Native Defense on Kubernetes
The Art of Cloud Native Defense on KubernetesThe Art of Cloud Native Defense on Kubernetes
The Art of Cloud Native Defense on Kubernetes
Jacopo Nardiello
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friend
Eric Smalling
 
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdfSantander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
Juan Vicente Herrera Ruiz de Alejo
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
James Wickett
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summary
Karun Chennuri
 
AWS TechConnect 2018 - Container Adoption
AWS TechConnect 2018 - Container AdoptionAWS TechConnect 2018 - Container Adoption
AWS TechConnect 2018 - Container Adoption
Alex Rhea
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
Stephane Woillez
 
Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!
Eric Smalling
 
Security Patterns - An Introduction
Security Patterns - An IntroductionSecurity Patterns - An Introduction
Security Patterns - An Introduction
Marcel Winandy
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
OW2
 
Security Practices in Kubernetes
Security Practices in KubernetesSecurity Practices in Kubernetes
Security Practices in Kubernetes
Fibonalabs
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15
Ed Bellis
 
AWS Summit Singapore 2019 | Pragmatic Container Security
AWS Summit Singapore 2019 | Pragmatic Container SecurityAWS Summit Singapore 2019 | Pragmatic Container Security
AWS Summit Singapore 2019 | Pragmatic Container Security
AWS Summits
 

Similar to Owasp appsec container_security_supply_chain (20)

Best Practices To Secure Kubernetes Cluster
Best Practices To Secure Kubernetes ClusterBest Practices To Secure Kubernetes Cluster
Best Practices To Secure Kubernetes Cluster
 
Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure Security
 
Introducing a Security Feedback Loop to your CI Pipelines
Introducing a Security Feedback Loop to your CI PipelinesIntroducing a Security Feedback Loop to your CI Pipelines
Introducing a Security Feedback Loop to your CI Pipelines
 
The Art of Cloud Native Defense on Kubernetes
The Art of Cloud Native Defense on KubernetesThe Art of Cloud Native Defense on Kubernetes
The Art of Cloud Native Defense on Kubernetes
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friend
 
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdfSantander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summary
 
AWS TechConnect 2018 - Container Adoption
AWS TechConnect 2018 - Container AdoptionAWS TechConnect 2018 - Container Adoption
AWS TechConnect 2018 - Container Adoption
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
 
Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!
 
Security Patterns - An Introduction
Security Patterns - An IntroductionSecurity Patterns - An Introduction
Security Patterns - An Introduction
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim Mackey
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
 
Security Practices in Kubernetes
Security Practices in KubernetesSecurity Practices in Kubernetes
Security Practices in Kubernetes
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15
 
AWS Summit Singapore 2019 | Pragmatic Container Security
AWS Summit Singapore 2019 | Pragmatic Container SecurityAWS Summit Singapore 2019 | Pragmatic Container Security
AWS Summit Singapore 2019 | Pragmatic Container Security
 

Recently uploaded

Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
BibashShahi
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 

Recently uploaded (20)

Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 

Owasp appsec container_security_supply_chain

  • 1. PRESENTED BY: Michele Chubirka Container Security: It’s All About the Supply Chain
  • 2. Container Security: It’s All About the Supply Chain • Michele Chubirka, aka "Mrs. Y.,” Chief Security Architect and professional contrarian. • Creator of the Healthy Paranoia Security Podcast and the Security SOC Puppets • Analyst, researcher, blogger, B2B writer, and Infosec Bene Gesserit • Pontificates on security architecture and “best practices.” • Views: those of my puppet sidekicks. chubirka@postmodernsecurity.com http://postmodernsecurity.com @MrsYisWhy Who Am I? Who Am I?
  • 3. Container Security: It’s All About the Supply Chain Poll Where is your organization with using containers? 1. Just getting started, mostly using in development as we refactor applications for cloud-native technologies. 2. Evenly split between containers and full VMs and/or bare metal with an OS and application stack. 3. What’s a container?
  • 4. Container Security: It’s All About the Supply Chain The Software Supply Chain Wait, Containers are Software?
  • 5. Container Security: It’s All About the Supply Chain A set of processes that build a product. What is a Software Supply Chain?
  • 6. Container Security: It’s All About the Supply Chain Container Supply Chain
  • 7. Container Security: It’s All About the Supply Chain Supply Chain Threats From SLSA Security Framework Project https://slsa.dev/
  • 8. Container Security: It’s All About the Supply Chain Software Supply Chain Risks From NIST “Defending Against Software Supply Chain Attacks.” 2021
  • 9. Container Security: It’s All About the Supply Chain Example: Trojan Source The bidirectional algorithm in the Unicode specification allows reordering of characters through control sequences. You can use this to create source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. The attack uses control characters embedded in comments and strings to reorder source code characters in a way that changes its logic but is not visible to human reviewers. Attackers could target open source projects by injecting vulnerabilities, causing software dependent on these projects to inherit the vulnerability.
  • 10. Container Security: It’s All About the Supply Chain What Is Supply Chain Security? Adding assurance to the software development process. • Creating confidence and trust in the source material and practices used. • Holistic view for protecting each stage in the software development lifecycle. • Approaching the SDLC as a set of business processes. • Validating the final product meets a reasonable set of security criteria to ensure it isn’t vulnerable. • Although not new, recent high-impact attacks (i.e. SolarWinds) have heightened the attention on software supply chains by governments and large private-sector organizations.
  • 11. Container Security: It’s All About the Supply Chain What Is a Container? A Bunch of Software Ingredients
  • 12. Container Security: It’s All About the Supply Chain A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings. https://www.docker.com/resources/what-container
  • 13. Container Security: It’s All About the Supply Chain https://www.docker.com/resources/what-container Container Runtimes:containerd,CRIO-O, runc,gVisor,kata Past and Future: Virtual Machines vs. Containerization A container runtime is responsible for: running a container and other associated tasks such as downloading or unpacking the image.
  • 14. Container Security: It’s All About the Supply Chain What’s Cooking? User Space vs Kernel Space • Virtual Machines run their own isolated kernels. There is no shared memory or execution space between these “guests” which run applications. • Without the addition of a virtual machine technology (e.g. Kata, Firecracker or gVisor), containers share the same host kernel.* • Linux Namespaces, Capabilities, Seccomp, SELinux, Apparmor and Cgroups can be used to enhance segregation between running container instances on the host.
  • 15. Container Security: It’s All About the Supply Chain Images are filesystem bundles, built of layers corresponding to instructions in scripts or a dockerfile.
  • 16. Container Security: It’s All About the Supply Chain What about lazy pulling? https://medium.com/nttlabs/startup-containers-in-lightning-speed-with-lazy-image-distribution-on-containerd-243d94522361
  • 17. Container Security: It’s All About the Supply Chain https://merlijn.sebrechts.be/blog/2020-01-docker-podman-kata-cri-o/
  • 18. Container Security: It’s All About the Supply Chain Huh?
  • 19. Container Security: It’s All About the Supply Chain Container Mistakes • Container != full virtual machine or an AMI, you don’t want bloat. • You should avoid putting your entire monolithic application stack in a container. • The running instance != an image. Most use the term “container” interchangeably, but it’s important to know the difference. A container is just a software package, including its dependencies (libraries and application runtime) that will run in a dedicated area of user space. This is why the security of the supply chain is critical.
  • 20. Container Security: It’s All About the Supply Chain Where Do You Get Your Container?
  • 21. Container Security: It’s All About the Supply Chain Recipes for Container Images • Pull a base image from a public or private registry, add your code and configuration (i.e., layers). • Use a multi-stage build, selectively copying what you need in the image. • Without using a base or parent image, build an entire OCI-compliant image with a tool like Buildah. • Create a single-layer image “from scratch” using a statically compiled binary. • Make a distroless image that only includes the application and runtime dependencies.
  • 22. Container Security: It’s All About the Supply Chain Use the Best Ingredients Trust Use a trusted source for base images. Validate Validate the image with a container security tool and/or Software Composition Analysis (SCA) tool to identify vulnerabilities. Economize Only add elements necessary for your microservice. Reduce Follow least privilege: don’t run root processes, don’t run the container as privileged. Limit Limit syscalls. Parameterize Don’t hardcode configs or embed credentials/secrets in the image, parameterize instead. Immutable Don’t add a shell, you shouldn’t login to a running instance. It should be immutable and ephemeral. Minimize Use techniques like Distroless or “from scratch” to eliminate unnecessary elements and layers. Automate Use the automation of a DevOps pipeline to ensure security validation is automatically performed with every build or change to the image.
  • 23. Container Security: It’s All About the Supply Chain • Fry - Custom built or extended 3rd party images, deployed but changed during bootstrapping activity (eg. apt-get, curl), cannot attest • Bake - Custom built or extended 3rd party images, fully created with all dependencies as part of supply chain, attested and immutable • Buy - 3rd party or vendor images, deployed without changes, attested and immutable Bake or Buy, but never fry Fry, Bake, Buy
  • 24. Container Security: It’s All About the Supply Chain Container Security Validation
  • 25. Container Security: It’s All About the Supply Chain What Are Container Orchestrators? • An orchestrator handles the deployment and runtime lifecycle of running instances. • Scales instances up and down to meet demand. • Offers redundancy and availability options for running instances and hosts. • Load balancing, service discovery and health monitoring of container hosts and instances. • Ability to create virtual clusters with granular management of resources • Provides multi-tenant segregation through network segmentation and resource restrictions • Examples include Kubernetes, OpenShift, Mesos, Nomad • Cloud provider managed orchestrators: Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), Azure Kubernetes Service (AKS) • Capability to use policies with an entrypoint that ensures only instances that pass are allowed to run (Admission Control). Orchestrators provide the last “gate” for a container prior to runtime. With Kubernetes, various policy mechanisms (i.e. admission control) can validate and enforce attestation of the image.
  • 26. Container Security: It’s All About the Supply Chain Poll What Container Orchestrator Are You Using? 1. Self-managed K8s FTW! 2. Cloud-provider managed K8s 3. OpenShift 4. Nomad or Mesos 5. I'm still betting on Docker Swarm
  • 27. Container Security: It’s All About the Supply Chain CNCF – Principles of Supply Chain Security Establish and verify “trust” at every step in the process through a combination of code-signing, metadata, and cryptographic validation. Everything that can be automated should be automated and documented. This helps to prevent accidental errors and makes it easier to spot when things have gone wrong. Each step in the software build and supply chain process should be clearly defined with a precise, limited scope. Every actor within the supply chain (whether human or machine) must have a clearly defined role. This allows us to limit the permissions of these actors to exactly those needed. Every entity in a system must engage in “mutual authentication.” This means that no human, software process, or machine should be trusted to be who they say they are, they must demonstrate it.
  • 29. OWASP Software Component Verification Standard (SCVS) “The SCVS is a community-driven effort to establish a framework for identifying activities, controls, and best practices, which can help in identifying and reducing risk in a software supply chain.” V4 of the Package Management Control Objective includes: • Centralized Repositories • Repositories use strong authentication and TLS • Auditability • Code signing and verification
  • 30. Container Security: It’s All About the Supply Chain Tiers of Container Technology Architecture From NIST SP 800-190 “Application Container Security Guide”
  • 31. Container Security: It’s All About the Supply Chain BOMs, SBOMs, and DBOM, Oh My… An SBOM (software bill of materials) is a formal list of your software ingredients, including open source components and licenses. In response to recent software supply chain attacks, White House Executive Order 14028 defined software supply chain security criteria for federal information systems. This includes providing an SBOM (software bill of materials) to the purchaser for each product or publishing it on a web site. You can generate an SBOM for your software before packaging into a container or after, using tools such as Syft or Tern.
  • 32. Container Security: It’s All About the Supply Chain DevSecOps Decisioning Principles • Security tools should integrate as decision points in a pipeline. • DevSecOps tool(s) should have a policy engine that can respond with a pass/fail decision for the pipeline. • Optimizes response time. “Fast and frugal” pipeline decisioning is preferred over customized scoring to better support velocity and consistency. • Supports separation of duties (SoD). • Save contextual risk scoring for release decisioning. • Does not exclude the need for detailed information provided as pipeline output. • Full inspection of the supply chain element to be decisioned, aka “slow path,” should be used when an element is unknown to the pipeline decisioner. • Minimal or incremental inspection of the supply chain element to be decisioned, aka “fast path,” should be used when an element is recognized (e.g. hash) by the pipeline decisioner. • Decision points should have a “fast path” available, where possible, to minimize any latency introduced from security decisioning. • Security policy engines should not be managed by the pipeline team, but externally by a security SME, to comply with SoD and reduce opportunities for subversion of security policy decisions during automation. • The goal is to optimize coverage. https://postmodernsecurity.com/2020/11/14/devsecops-decisioning-principles/
  • 33. Container Security: It’s All About the Supply Chain What’s in Your Container Kitchen? A Real-World Use-Case
  • 34. Container Security: It’s All About the Supply Chain Reminders • Small is beautiful: make your images compact, leaving out unnecessary libraries or binaries you don’t need for your individual microservice. • Who do you trust? What are the “trusted registries” that supply your base images? • Validate Validate Validate your images. They should be free of vulnerable libraries and components. • Container images shouldn’t need to run as privileged or have processes that run as root. • Don’t put credentials, keys or tokens into your image. • Reduce the listening ports needed in your container image, it just increases the attack surface and resources that need to be secured. • Make sure to use a standard runtime. Your current security tools might not support every possible flavor. • A container isn’t a host, it’s an ephemeral drop of rain. You shouldn’t be logging in and trying to change it, because it’s going to evaporate. Think drift prevention. • Only attested, immutable container images should run in your environment. • Automate, automate, automate your container builds and deploys. • Constantly re-evaluate your supply chain: verify source code, verify dependencies, sign and protect pipelines and artifacts.
  • 35.
  • 36. References Container Basics https://washraf.gitbooks.io/the-docker ecosystem/content/Chapter%201/docker_vs_virtual_machines.html https://www.docker.com/resources/what-container https://opencontainers.org/ https://blog.aquasec.com/a-brief-history-of-containers-from-1970s-chroot-to-docker-2016 Unikernels, Microkernels, MicroVMs, container sandboxes https://nabla-containers.github.io/ https://gvisor.dev/docs/ https://katacontainers.io/ https://ubuntu.com/blog/what-is-kata-containers https://jornfranke.wordpress.com/2019/09/14/unikernels-software-containers-and-serverless-architecture-road-to-modularity/ https://firecracker-microvm.github.io/ Building Containers https://hub.docker.com/_/scratch#:~:text=0%20(specifically%2C%20docker%2Fdocker,1%2Dlayer%20image%20instead).&text=You%20can%20use %20Docker's%20reserved,starting%20point%20for%20building%20containers. https://buildah.io/ https://github.com/opencontainers/image-spec https://medium.com/better-programming/how-to-harden-your-containers-with-distroless-docker-images-c2abd7c71fdb https://github.com/GoogleContainerTools/distroless
  • 37. References User space vs kernel space with containers: https://www.redhat.com/en/blog/architecting-containers-part-1-why-understanding-user-space-vs-kernel-space- matters#:~:text=Kernel%20Space%20Matters,- July%2029%2C%202015&text=While%20containers%20are%20sometimes%20treated,resources%20they%20need%20access%20to.&text=These%20file s%20and%20programs%20make%20up%20what%20is%20known%20as%20user%20space. Linux Namespaces: https://opensource.com/article/19/10/namespaces-and-containers-linux SELinux is a MAC mechanism used to provide fine-grained access control to a Linux host: https://www.projectatomic.io/docs/docker-and-selinux/ https://www.youtube.com/watch?v=_WOKRaM-HI4 Composition of a container image: https://dzone.com/articles/docker-layers-explained https://jfrog.com/knowledge-base/a-beginners-guide-to-understanding-and-building-docker-images/ Union Filesystem: https://washraf.gitbooks.io/the-docker-ecosystem/content/Chapter%201/Section%203/union_file_system.html https://blog.knoldus.com/unionfs-a-file-system-of-a-container/ https://containerd.io/scope/ https://docs.docker.com/storage/storagedriver/ https://github.com/opencontainers/runtime-spec/blob/master/bundle.md Hardening and minimizing a container image: https://www.secjuice.com/how-to-harden-docker-containers/ https://www.thoughtworks.com/radar/techniques/distroless-docker-images https://github.com/docker-slim/docker-slim https://medium.com/faun/how-to-build-a-docker-container-from-scratch-docker-basics-a-must-know-395cba82897b Recommended secrets patterns with containers: https://aws.amazon.com/blogs/database/design-patterns-to-access-cross-account-secrets-stored-in-aws-secrets-manager/ Injecting Vault Secrets into K8s Pods via a Sidecar https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar/
  • 38. References The difference between a high-level and low-level container runtime: low-level runtimes focus on mechanics of actually running a container, while high-level runtimes add features such as management of container images, unpacking the image, and hand-off to the low-level runtime. https://merlijn.sebrechts.be/blog/2020-01-docker-podman-kata-cri-o/ https://www.ianlewis.org/en/container-runtimes-part-1-introduction-container-r While Docker was a key player in helping to popularize and standardize the image and runtime formats, it has since donated documentation and code to the OCI to further the mission of containerization as a vendor agnostic technology. https://opencontainers.org/faq/ Think of Docker to containers as Kleenex is to tissue. https://www.ianlewis.org/en/container-runtimes-part-1-introduction-container-r What is Kubernetes? https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/ What is OpenShift? https://www.openshift.com/learn/what-is-openshift What is Mesos? http://mesos.apache.org/documentation/latest/ Good case study for container takeover https://unit42.paloaltonetworks.com/azure-container-instances/ Container SBOM tools: https://github.com/anchore/syft https://github.com/tern-tools/tern
  • 39. References White House Executive Order 14028 https://www.whitehouse.gov/briefing-room/presidential- actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ Dept of Commerce and NTIA The Minimum Elements For a Software Bill of Materials (SBOM) https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf Generate a Software Bill of Materials for a Container Image with Syft https://thenewstack.io/generate-a-software-bill-of-materials-for-a-container-image-with-syft/ SLSA framework https://slsa.dev/ OWASP Software Component Verification Standard https://owasp.org/www-project-software-component-verification- standard/ BUILDING RESILIENT SUPPLY CHAINS, REVITALIZING AMERICAN MANUFACTURING, AND FOSTERING BROAD-BASED GROWTH https://www.whitehouse.gov/wp-content/uploads/2021/06/100-day-supply-chain-review-report.pdf CNCF – Evaluating Your Supply Chain Security https://github.com/cncf/tag-security/blob/main/supply-chain- security/supply-chain-security-paper/secure-supply-chain-assessment.md CNCF – Software Supply Chain Best Practices https://github.com/cncf/tag-security/blob/main/supply-chain- security/supply-chain-security-paper/CNCF_SSCP_v1.pdf NIST Cyber Supply Chain Risk Management C-SCRM https://csrc.nist.gov/projects/cyber-supply-chain-risk-management NIST SP 800-190 Application Container Security Guide https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf