Containers continue to mystify security practitioners, mostly because they don't know how securing them fits into their existing vulnerability program. Is it a virtual machine that gets scanned by the same tools used for over a decade? Or is it an application package that should be tested by SCA, SAST and DAST tools? How do you manage the image or runtime vulnerabilities vs. the application security issues? This talk will focus on container security as a supply chain lifecycle problem and how to integrate validation at multiple points to achieve the ultimate goal of *assurance.* The talk is tool agnostic, because security of the supply chain is more about an alignment with the software development process than the integration of a single, magical tool.
Improving Response Times at Optum with Elastic APM (Elasticsearch)
Doc360 is a document management system developed by UnitedHealth Group to replace a legacy system and handle billions of health records while maintaining fast search times. Elastic APM was implemented to help identify performance issues with the legacy system and improve Doc360. APM provided insight into slow database tables and helped increase supported concurrent users. Future plans include using APM data to optimize performance testing and infrastructure scaling.
This document discusses the partnership between Microsoft Azure and GE's Predix platform for industrial IoT. For Microsoft, the partnership will help existing industrial customers build and operate IIoT solutions using Azure's capabilities in artificial intelligence, data analytics, and security. For GE, Predix will benefit from Azure's large global footprint and hybrid cloud capabilities. The combination of Predix and Azure aims to bridge the gap between operational technology and information technology for industrial customers worldwide.
Aeris + Cassandra: An IOT Solution Helping Automakers Make the Connected Car ... (DataStax)
Drew Johnson, Vice President of Engineering at Aeris Communications, will present on how Aeris and Cassandra provide an IoT solution to help automakers create connected cars. The presentation will cover IoT trends, the anatomy of an IoT platform as a service (PaaS), challenges customers face without a PaaS, how the Aeris AerCloud PaaS works, why Cassandra is chosen over relational databases, and a case study of how automotive OEMs leverage Aeris and Cassandra. The presentation aims to demonstrate how Aeris and Cassandra can help automakers move forward in connecting their vehicles.
How eStruxture Data Centers is Using ECE to Rapidly Scale Their Business (Elasticsearch)
See how Elastic is helping eStruxture unify millions of divergent data points, transforming them into human readable and actionable items, and helping eStruxture build a new model for alarming and alerting. Watch video: https://www.elastic.co/elasticon/tour/2019/toronto/how-estruxture-data-centers-is-using-ece-to-rapidly-scale-their-business
The Evolution of OpenStack – From Infancy to Enterprise (Rackspace)
As OpenStack turns 5 this year, we thought it would be a good time to take a look back at the evolution of OpenStack. We start with a quick overview of what OpenStack is, how OpenStack came to be and describe the OpenStack Foundation. Next we describe the problem that OpenStack helps to solve, the components of OpenStack and the timeline for when these components came to be. Last, we outline the current features and benefits that make OpenStack ready for the enterprise with supporting Enterprise use case examples. Blog can be found here (https://developer.rackspace.com/blog/evolution-of-openstack-from-infancy-to-enterprise/) and webinar can be found here (https://www.brighttalk.com/webcast/11427/138613)
How to Build Continuous Ingestion for the Internet of Things (Cloudera, Inc.)
The Internet of Things is moving into the mainstream and this new world of data-driven products is transforming a vast number of industry sectors and technologies.
However, IoT creates a new challenge: how to build and operationalize continual data ingestion from such a wide and ever-changing array of endpoints so that the data arrives consumption-ready and can drive analysis and action within the business.
In this webinar, Sean Anderson from Cloudera and Kirit Busu, Director of Product Management at StreamSets, will discuss Hadoop's ecosystem and IoT capabilities and provide advice about common patterns and best practices. Using specific examples, they will demonstrate how to build and run end-to-end IoT data flows using StreamSets and Cloudera infrastructure.
The document discusses Apache Cassandra and how it can be used for Internet of Things (IoT) applications. It highlights Cassandra's ability to handle large volumes of time series data generated by IoT devices through horizontal scaling. It also emphasizes Cassandra's high performance, availability and tunable consistency for mission critical IoT workloads. Various data modeling techniques for storing time series data in Cassandra are presented, along with how to integrate streaming data sources using the Spark Cassandra connector.
With the explosive growth of IoT, the edge is predicted to grow to 25 billion connected devices by 2020. But enterprises are still struggling to manage the hundreds of devices they have deployed, not from a device management standpoint but from a data management standpoint. Enterprises are unable to capture and process data directly from the edge devices for immediate analysis and real-time actionable intelligence, and without that capability IoT initiatives fail to become successful. How can an enterprise gather real-time data from edge devices? How can it change the behavior of such data collection processes? How can it ensure that data will be analyzed immediately? How can it understand the lineage of the data from edge to enterprise? How can it manage edge agents? What is an edge management hub? Attend this session to get a detailed understanding of key edge management challenges and how to address them with the correct solutions.
The document provides tips for IT organizations to transition to an IT service broker model where they broker services from multiple vendors rather than manage applications and infrastructure internally. It recommends cataloging all current applications, categorizing them for public, private or hybrid cloud, developing a list of potential providers, doing due diligence on providers, selecting the best provider for each workload, and monitoring vendors with a scorecard. The goal is for IT to become more strategic by selecting cost-effective third-party services while still managing service delivery.
Cloudera - The Modern Platform for Analytics (Cloudera, Inc.)
This presentation provides an overview of Cloudera and how a modern platform for Machine Learning and Analytics better enables a data-driven enterprise.
S3 Deduplication with StorReduce and Cloudian (Cloudian)
Deduplication appliances today support the CIFS and NFS protocols. What about your cloud-based applications that use the S3 API? How do you deduplicate S3 data to save on storage and network bandwidth? Leverage your backup system's S3 API and get the deduplication you need!
Kelley Blue Book Uses Big Data to Increase User Engagement Over 100% (Cloudera, Inc.)
Kelley Blue Book Customer Use Case. In this webinar, you will learn how KBB has:
- Experienced a 37% increase in ad spend efficiency
- Driven an incremental 1 billion impressions from its target segments
- Observed a 24% lift in website engagement
Cloudera training secure your cloudera cluster 7.10.18 (Cloudera, Inc.)
Exclusively through Cloudera OnDemand, Cloudera Security Training introduces you to the tools and techniques that Cloudera's solution architects use to protect the clusters our customers rely on for critical machine learning and analytics workloads. This webinar will give you a sneak peek at our new on-demand security course and show you the immense scope of Cloudera training. From authentication and authorization to encryption, auditing, and everything in between, this course gives you the skills you need to properly secure your Cloudera cluster.
Migrate and Modernize Hadoop-Based Security Policies for Databricks (Databricks)
Data teams are faced with a variety of tasks when migrating Hadoop-based platforms to Databricks. A common pitfall happens during the migration step, where often overlooked access control policies can block adoption. This session will focus on the best practices to migrate and modernize Hadoop-based policies that govern data access (such as those in Apache Ranger or Apache Sentry). Data architects must consider new, fine-grained access control requirements when migrating from Hadoop architectures to Databricks in order to deliver secure access to as many data sets and data consumers as possible. This session will provide guidance across open source, AWS, Azure and partner tools, such as Immuta, on how to scale existing Hadoop-based policies to dynamically support more classes of users, implement fine-grained access control and leverage automation to protect sensitive data while maximizing utility, without manual effort.
How to Develop a Big Data Strategy in the Public Cloud with the P... Offering (Cloudera, Inc.)
The public cloud is an attractive proposition for companies seeking agility in their big data projects, whether to process data at scale or to run complex analyses on it for better decision-making.
This document is a presentation on Big Data by Oleksiy Razborshchuk from Oracle Canada. The presentation covers Big Data concepts, Oracle's Big Data solution including its differentiators compared to DIY Hadoop clusters, and use cases and implementation examples. The agenda includes discussing Big Data, Oracle's solution, and use cases. Key points covered are the value of Oracle's Big Data Appliance which provides faster time to value and lower costs compared to building your own Hadoop cluster, and how Oracle provides an integrated Big Data environment and analytics platform. Examples of Big Data solutions for financial services are also presented.
The 6th Wave of Automation: Automation of Decisions | Cloudera Analytics & Ma... (Cloudera, Inc.)
This presentation provides detail on how we are now in the 6th wave of automation, which is based on Machine Learning. In this 6th wave, Cloudera plays a critical role in providing the data platform for Machine Learning and Analytics built for the Cloud.
- Oracle is the 2nd largest software company in the world with over 400,000 customers in 145 countries.
- Oracle offers a complete cloud solution including autonomous database capabilities that automate database and infrastructure management.
- Oracle's autonomous database is self-driving, self-securing, and self-repairing to save on human labor, prevent human errors, and require no human intervention.
The Vision & Challenge of Applied Machine Learning (Cloudera, Inc.)
Learn how Cloudera provides a unified platform that breaks down data silos commonly seen in organizations. By unifying the data needed for applied machine learning, organizations are better equipped to gather valuable insights from their data.
Cloudera Data Impact Awards 2021 - Finalists (Cloudera, Inc.)
The document outlines the 2021 finalists for the annual Data Impact Awards program, which recognizes organizations using Cloudera's platform and the impactful applications they have developed. It provides details on the challenges, solutions, and outcomes for each finalist project in the categories of Data Lifecycle Connection, Cloud Innovation, Data for Enterprise AI, Security & Governance Leadership, Industry Transformation, People First, and Data for Good. There are multiple finalists highlighted in each category demonstrating innovative uses of data and analytics.
This document summarizes new features of Cloudian HyperStore 5.0, an S3 cloud storage platform. It introduces three appliance models for different use cases and price points of around $1 per gigabyte per month. The high-capacity and enterprise models offer more storage, flash optimization, and redundancy. The document also lists enhanced enterprise-ready software features of HyperStore 5.0 like system management, monitoring, diagnostics, and a new install wizard.
Big data journey to the cloud maz chaudhri 5.30.18 (Cloudera, Inc.)
We hope this session was valuable in teaching you more about Cloudera Enterprise on AWS, and how fast and easy it is to deploy a modern data management platform—in your cloud and on your terms.
To disrupt and innovate, you need access to data. All of your data. The challenge for many organisations is that the data they need is locked away in a variety of silos. And there's perhaps no bigger silo than one of the most widely deployed business applications: SAP. Bringing together all your data for analytics and machine learning unlocks new insights and business value. Together, Cloudera and Datavard hold the key to breaking SAP data out of its silo, providing access to unlimited and untapped opportunities that currently lie hidden.
Workload Experience Manager (XM) gives you the visibility necessary to efficiently migrate, analyze, optimize, and scale workloads running in a modern data warehouse. In this recorded webinar we discuss common challenges of running a modern data warehouse at scale, the benefits of end-to-end visibility into workload lifecycles, an overview of Workload XM with a live demo, real-life customer before/after scenarios, and what's next for Workload XM.
The document discusses Timothy Spann, a Senior Solutions Engineer at Cloudera who has been running Big Data meetups in Princeton since 2015. It provides links to his profiles on various websites and details some of the topics he has spoken about at conferences, including Apache NiFi, Deep Learning, and Streaming. The rest of the document focuses on use cases for data integration and movement using Apache NiFi, as well as concepts like blockchain, distributed data stores, and accessing blockchain and Ethereum data.
Kubernetes consulting companies ensure that their clients leverage all possibilities from automated deployment to scaling based on real-time demand. They can step in at any stage and bring hands-on Kubernetes experience to the table.
Are Your Containers as Secure as You Think? (DevOps.com)
With the growing popularity of Container technology comes the growth of container-based attacks – but understanding your security needs will keep you ahead of the game.
Container adoption is skyrocketing, growing 40% in the last year. And it makes sense – the agility, operational efficiencies and cost savings of containerized environments are huge benefits. But as more organizations rush to leverage containers, security is increasingly becoming a major concern and is the top roadblock to container deployment. What do you need to know (and do) to keep your container environments safe?
Introducing a Security Feedback Loop to your CI Pipelines (Codefresh)
Watch the webinar here: https://codefresh.io/security-feedback-loop-lp/
Sign up for a FREE Codefresh account today: https://codefresh.io/codefresh-signup/
We're all looking at ways to prevent vulnerabilities from escaping into our production environments. Why not require scans of your Docker images before they're even uploaded to your production Docker registry? SHIFT LEFT!
Codefresh has worked with Twistlock to run Twist CLI using a Docker image as a build step in CI pipelines.
Join Codefresh, Twistlock, and Steelcase as we demonstrate setting up vulnerability and compliance thresholds in a CI pipeline. We will show you how to give your teams access to your Docker images' security reports and how to trace back to a report from your production Kubernetes cluster using Codefresh.
In this session, we'll unravel the core and essential pillars of any 'secure' Kubernetes cluster that you absolutely can't ignore if you are running Kubernetes in production (or plan to). You'll discover the key concepts and strategies pivotal to safeguarding your Kubernetes environments. Our focus will be on practical, real-world applications, demystifying complex security challenges. Whether you are from a large organisation or from a small start-up, you will walk away with foundational knowledge and actionable insights, ready to implement stronger security measures in your Kubernetes deployments. Whether you're a seasoned DevOps professional or new to the cloud native arena, this talk will enhance your understanding of Kubernetes security, ensuring you're prepared for the evolving landscape of cloud native security.
Quick talk about the basics of hardening containers in Kubernetes / Openshift. Hosted by Santander.
https://www.youtube.com/watch?v=UvGUKRwcHFg&list=PLwjS7M0kkf3KsE5uFtSrLzJS_IY8Ug7Yv&index=42
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff (DevSecCon)
This document discusses securing the software development lifecycle (SDLC) when using containers. It begins with an introduction to SDLC models like waterfall and agile. It then covers challenges in applying application security with containers, including unclear boundaries and responsibilities. The main body details how to apply security practices at each phase of the SDLC for containers: requirements, design, implementation, testing, and operations. Key practices include threat modeling, secure coding, image validation, and monitoring. It concludes with emphasizing the importance of involving security champions throughout the process.
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
IANS information security forum 2019 summaryKarun Chennuri
This document summarizes key sessions from the IANS Information Security Forum 2019 in Seattle. Session topics included the cloud security maturity roadmap, hybrid web application penetration testing, container security, and security tools for multi-cloud environments. Vendors also presented on topics like risk-based vulnerability management, network visibility, bot threats, and cyber exposure platforms. The executive summary highlighted presentations from security leaders at The Pokemon Company and Tanium on building successful security programs and responding to ransomware incidents.
Cloudreach has built a framework for adopting containers within the enterprise. I shared our framework and perspective with the AWS TechConnect audience.
Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle.
Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image.
Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible.
During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may cause compromising your system.
Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison
-------------------------------------------------------------------------------------
Materials from the video:
The policies and docker files examples:
https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the helm chart used in a demo:
https://github.com/sqerison/argo-rollouts-demo
Tools that showed in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff
Further learning.
A book released by CISA (Cybersecurity and Infrastructure Security Agency):
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O`REILLY Kubernetes Security:
https://kubernetes-security.info/
O`REILLY Container Security:
https://info.aquasec.com/container-security-book
Thanks for watching!
This document discusses security considerations for Docker containers. It covers three main aspects: securing the platform/infrastructure by hardening the Docker engine and hosts; securing container content through image management, content trust, and secrets management; and securing access and operations through authentication, authorization, access control, auditing, and multi-tenancy. While containers provide isolation and security benefits, the document emphasizes that containers must still follow security best practices to prevent compromise, especially as container usage evolves from individual services to larger applications.
Hacking into your containers, and how to stop it!Eric Smalling
This document discusses hacking into containers and how to stop it. It begins with an overview of increased security responsibilities for developers as containers add operating system level concerns. It then demonstrates hacking techniques and defenses that can be used in depth, such as minimizing images, not running as root, read only root filesystems, secrets management, and network policies. Key takeaways are that fast security feedback is important for developers and implementing known secure practices for building and running containers can help mitigate vulnerabilities.
The document introduces the secure boot pattern, which addresses ensuring the integrity of the software stack loaded on a platform. The pattern uses a chain of trust where each boot stage verifies the integrity of the next stage using cryptographic methods. The root of trust is a first module protected by hardware that verifies the initial integrity. The pattern provides security benefits while introducing complexity and overhead. Variants include authenticated boot, which detects instead of preventing integrity violations.
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon
This document summarizes Tim Mackey's presentation at DevSecCon. It discusses the importance of security driven development practices like using trusted components, continuous integration processes that include security testing, and digitally signing container images. It warns that while infrastructure teams aim to provide security, vulnerabilities can still exist, and advocates continually evaluating the trust of components used. The document predicts disclosure of security issues will increase and outlines penalties for data breaches under new regulations like GDPR. It emphasizes automating awareness of open source dependencies to keep pace with DevOps.
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisOW2
There’s a constant rise of the container usage in the existing cloud ecosystem.
Most companies are evaluating how to migrate to newer, flexible and automated platform for content and application delivery.
The containers are building themselves alone across the business, but who's securing them?
This presentation discusses the evolution of infrastructure solutions from servers to containers, how can they be secured.
What opensource security options are available today?
Where is the future leading towards container security?
What will come after containers?
Kubernetes offers great solutions for container orchestration. It facilitates automated deployment, scaling, and management with ease, along with which there are increased security concerns. According to the Kubernetes adoption, security, and market trends report by RedHat in 2021, 94% of the respondents experienced at least 1 security incident in their Kubernetes environment in the last 12 months. In this blog post, we will be talking about the security best practices for Kubernetes which can be implemented at each phase of the SDLC.
This document discusses applying security automation principles through a SecDevOps approach. It begins by highlighting lessons from other companies that deployed features in a disabled state using feature flags and integrated security testing in continuous integration. The document then outlines how Kenna applies SecDevOps principles through automation, with examples like using Chef for configuration management and testing security at each code check. It also presents a use case where Kenna loads security scanning results from various tools into its platform via API to enable continuous security testing.
The document discusses securing container environments. It outlines tactics for securing the host, containers, and pipeline. Specific areas of focus include securing AWS EC2 and ECS hosts, restricting IAM roles, adding security controls to the development pipeline like scanning for vulnerabilities and secrets, and educating developers on secure coding practices. The goal is to deliver applications quickly using containers while ensuring security is maintained throughout the development and deployment process.
Similar to Owasp appsec container_security_supply_chain (20)
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
The Microsoft 365 Migration Tutorial For Beginner.pptxoperationspcvita
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for
seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyScyllaDB
Freshworks creates AI-boosted business software that helps employees work more efficiently and effectively. Managing data across multiple RDBMS and NoSQL databases was already a challenge at their current scale. To prepare for 10X growth, they knew it was time to rethink their database strategy. Learn how they architected a solution that would simplify scaling while keeping costs under control.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
2. Container Security: It’s All About the Supply Chain
Who Am I?
• Michele Chubirka, aka "Mrs. Y.," Chief Security Architect and professional contrarian.
• Creator of the Healthy Paranoia Security Podcast and the Security SOC Puppets
• Analyst, researcher, blogger, B2B writer, and Infosec Bene Gesserit
• Pontificates on security architecture and "best practices."
• Views: those of my puppet sidekicks.
chubirka@postmodernsecurity.com
http://postmodernsecurity.com
@MrsYisWhy
3. Poll: Where is your organization with using containers?
1. Just getting started, mostly using in development as we refactor applications for cloud-native technologies.
2. Evenly split between containers and full VMs and/or bare metal with an OS and application stack.
3. What’s a container?
7. Supply Chain Threats
Figure from the SLSA Security Framework project: https://slsa.dev/
8. Software Supply Chain Risks
Figure from NIST, "Defending Against Software Supply Chain Attacks," 2021.
9. Example: Trojan Source
The bidirectional algorithm in the Unicode specification allows reordering of characters through control sequences. This can be used to create source code that renders with logic different from the logical ordering of tokens ingested by compilers and interpreters.
The attack uses control characters embedded in comments and strings to reorder source code characters in a way that changes its logic but is not visible to human reviewers.
Attackers could target open source projects by injecting vulnerabilities, causing software dependent on these projects to inherit the vulnerability.
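A defender-side check for the Trojan Source pattern above, added here as an example and not part of the original slides: it scans source text for the Unicode bidi control characters the attack relies on, reports their position, and flags any run that is never terminated on its line. The sample inputs are constructed.

```python
# Added example (not from the slides): a defender-side scanner for the Unicode
# bidirectional (bidi) control characters that Trojan Source abuses. It reports
# every bidi control in a source file with its line and column, and marks an
# embedding/override/isolate that is never terminated on its line, which is the
# pattern that makes the following tokens render in a different order to a reviewer.
from __future__ import annotations

import sys
from dataclasses import dataclass

# Bidi formatting characters: embeddings, overrides and isolates open a run,
# PDF/PDI terminate one. Program source almost never needs any of them.
BIDI_OPENERS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
}
BIDI_CLOSERS = {"\u202C": "PDF", "\u2069": "PDI"}


@dataclass(frozen=True)
class Finding:
    line: int           # 1-based line number
    column: int         # 1-based column, counted in code points
    name: str           # abbreviation of the control character
    codepoint: int      # its Unicode code point
    unterminated: bool  # opener with no matching PDF/PDI later on the same line


def scan_source(text: str) -> list[Finding]:
    """Return every bidi control character in `text`, in document order."""
    rows: list[list] = []          # mutable [line, col, name, codepoint, unterminated]
    for lineno, line in enumerate(text.splitlines(), start=1):
        pending: list[int] = []    # indexes into rows of openers not yet closed
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_OPENERS:
                rows.append([lineno, col, BIDI_OPENERS[ch], ord(ch), True])
                pending.append(len(rows) - 1)
            elif ch in BIDI_CLOSERS:
                rows.append([lineno, col, BIDI_CLOSERS[ch], ord(ch), False])
                if pending:                      # closes the innermost open run
                    rows[pending.pop()][4] = False
    return [Finding(*row) for row in rows]


def unterminated_count(text: str) -> int:
    """Number of bidi runs left open to the end of their line (the riskiest case)."""
    return sum(1 for f in scan_source(text) if f.unterminated)


def strip_bidi(text: str) -> str:
    """Remove all bidi controls, e.g. to show a reviewer the logical token order."""
    return "".join(ch for ch in text if ch not in BIDI_OPENERS and ch not in BIDI_CLOSERS)


def report(path: str, text: str) -> list[str]:
    """One human-readable line per finding, suitable for CI output."""
    return [
        f"{path}:{f.line}:{f.column}: U+{f.codepoint:04X} {f.name}"
        + (" (not terminated on this line)" if f.unterminated else "")
        for f in scan_source(text)
    ]


# Constructed samples. The second hides an RLO inside a comment (never closed
# on that line) and a properly terminated LRI/PDI pair inside a string.
SAMPLE_CLEAN = "if is_admin:\n    grant_access()\n"
SAMPLE_TROJAN = (
    "balance = 0\n"
    "# safe comment \u202Ebut this text is rendered reversed\n"
    "x = '\u2066isolated\u2069'\n"
)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print("\n".join(report(path, fh.read())))
    if len(sys.argv) == 1:
        print("\n".join(report("<sample>", SAMPLE_TROJAN)))
```

Newer compilers raise similar warnings themselves (GCC's -Wbidi-chars, rustc's text-direction code point lints); a scanner like this covers languages and review tooling that do not.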
10. What Is Supply Chain Security?
Adding assurance to the software development process.
• Creating confidence and trust in the source material and practices used.
• A holistic view for protecting each stage in the software development lifecycle.
• Approaching the SDLC as a set of business processes.
• Validating that the final product meets a reasonable set of security criteria to ensure it isn’t vulnerable.
• Although not new, recent high-impact attacks (e.g., SolarWinds) have heightened the attention on software supply chains by governments and large private-sector organizations.
12. What Is a Container?
"A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings."
https://www.docker.com/resources/what-container
13. Past and Future: Virtual Machines vs. Containerization
Figure source: https://www.docker.com/resources/what-container
Container runtimes: containerd, CRI-O, runc, gVisor, Kata
A container runtime is responsible for running a container and for other associated tasks, such as downloading or unpacking the image.
14. What’s Cooking? User Space vs Kernel Space
• Virtual machines run their own isolated kernels. There is no shared memory or execution space between these "guests," which run applications.
• Without the addition of a virtual machine technology (e.g., Kata, Firecracker or gVisor), containers share the same host kernel.*
• Linux namespaces, capabilities, seccomp, SELinux, AppArmor and cgroups can be used to enhance segregation between running container instances on the host.
15. Images are filesystem bundles, built of layers corresponding to instructions in scripts or a Dockerfile.
16. What about lazy pulling?
https://medium.com/nttlabs/startup-containers-in-lightning-speed-with-lazy-image-distribution-on-containerd-243d94522361
17. Figure source: https://merlijn.sebrechts.be/blog/2020-01-docker-podman-kata-cri-o/
19. Container Mistakes
• Container != full virtual machine or an AMI; you don’t want bloat.
• You should avoid putting your entire monolithic application stack in a container.
• The running instance != an image. Most use the term "container" interchangeably for both, but it’s important to know the difference.
A container is just a software package, including its dependencies (libraries and application runtime), that will run in a dedicated area of user space. This is why the security of the supply chain is critical.
21. Recipes for Container Images
• Pull a base image from a public or private registry, then add your code and configuration (i.e., layers).
• Use a multi-stage build, selectively copying what you need into the image.
• Without using a base or parent image, build an entire OCI-compliant image with a tool like Buildah.
• Create a single-layer image "from scratch" using a statically compiled binary.
• Make a distroless image that only includes the application and runtime dependencies.
22. Use the Best Ingredients
Trust: Use a trusted source for base images.
Validate: Validate the image with a container security tool and/or a Software Composition Analysis (SCA) tool to identify vulnerabilities.
Economize: Only add elements necessary for your microservice.
Reduce: Follow least privilege: don’t run root processes, don’t run the container as privileged.
Limit: Limit syscalls.
Parameterize: Don’t hardcode configs or embed credentials/secrets in the image; parameterize instead.
Immutable: Don’t add a shell; you shouldn’t log in to a running instance. It should be immutable and ephemeral.
Minimize: Use techniques like Distroless or "from scratch" to eliminate unnecessary elements and layers.
Automate: Use the automation of a DevOps pipeline to ensure security validation is performed automatically with every build or change to the image.
23. Fry, Bake, Buy
• Fry: custom-built or extended 3rd-party images, deployed but changed during bootstrapping activity (e.g., apt-get, curl); cannot be attested.
• Bake: custom-built or extended 3rd-party images, fully created with all dependencies as part of the supply chain; attested and immutable.
• Buy: 3rd-party or vendor images, deployed without changes; attested and immutable.
Bake or buy, but never fry.
25. What Are Container Orchestrators?
• An orchestrator handles the deployment and runtime lifecycle of running instances.
• Scales instances up and down to meet demand.
• Offers redundancy and availability options for running instances and hosts.
• Load balancing, service discovery and health monitoring of container hosts and instances.
• Ability to create virtual clusters with granular management of resources.
• Provides multi-tenant segregation through network segmentation and resource restrictions.
• Examples include Kubernetes, OpenShift, Mesos, Nomad.
• Cloud provider managed orchestrators: Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), Azure Kubernetes Service (AKS).
• Capability to use policies with an entrypoint that ensures only instances that pass are allowed to run (admission control).
Orchestrators provide the last "gate" for a container prior to runtime. With Kubernetes, various policy mechanisms (i.e., admission control) can validate and enforce attestation of the image.
26. Poll: What Container Orchestrator Are You Using?
1. Self-managed K8s FTW!
2. Cloud-provider managed K8s
3. OpenShift
4. Nomad or Mesos
5. I'm still betting on Docker Swarm
27. CNCF – Principles of Supply Chain Security
Establish and verify "trust" at every step in the process through a combination of code-signing, metadata, and cryptographic validation.
Everything that can be automated should be automated and documented. This helps to prevent accidental errors and makes it easier to spot when things have gone wrong.
Each step in the software build and supply chain process should be clearly defined with a precise, limited scope. Every actor within the supply chain (whether human or machine) must have a clearly defined role. This allows us to limit the permissions of these actors to exactly those needed.
Every entity in a system must engage in "mutual authentication." This means that no human, software process, or machine should be trusted to be who they say they are; they must demonstrate it.
29. OWASP Software Component Verification Standard (SCVS)
“The SCVS is a community-driven effort to establish a framework for identifying activities, controls, and best practices, which can help in identifying and reducing risk in a software supply chain.”
V4 of the Package Management Control Objective includes:
• Centralized Repositories
• Repositories use strong authentication and TLS
• Auditability
• Code signing and verification
30. Tiers of Container Technology Architecture
[Figure: tiers of container technology architecture, from NIST SP 800-190 “Application Container Security Guide”]
31. BOMs, SBOMs, and DBOM, Oh My…
An SBOM (software bill of materials) is a formal list of your software ingredients, including open source components and licenses.
In response to recent software supply chain attacks, White House Executive Order 14028 defined software supply chain security criteria for federal information systems.
This includes providing an SBOM (software bill of materials) to the purchaser for each product or publishing it on a web site.
You can generate an SBOM for your software before packaging into a container or after, using tools such as Syft or Tern.
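What a consumer does with the SBOM once it exists, as an added Python example that is not code from the deck, Syft or Tern: it reads a CycloneDX-style JSON document (the format those tools can emit), lists the ingredients with their licenses, and checks them against a per-component minimum-version floor. The SBOM document, its component names and versions, and the MIN_VERSIONS policy are all constructed for illustration and are not real findings or advisory data.

```python
# Added example (not from the deck): parse a CycloneDX-style SBOM and answer two
# questions the slide raises: what are the ingredients (with licenses), and does
# anything fall below the team's version floor. SBOM and policy are constructed.
import json
import re

SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:deb/debian/openssl@1.1.1k", "licenses": [{"license": {"id": "OpenSSL"}}]},
    {"type": "library", "name": "zlib", "version": "1.2.13",
     "purl": "pkg:deb/debian/zlib@1.2.13", "licenses": [{"license": {"id": "Zlib"}}]},
    {"type": "library", "name": "internal-util", "version": "0.4.2"}
  ]
}"""

# Constructed policy: the team's floor per component (not advisory data).
MIN_VERSIONS = {"openssl": "3.0.0", "zlib": "1.2.13"}


def parse_version(v: str) -> tuple:
    """Numeric-only comparison key: '1.1.1k' -> (1, 1, 1). Enough for a floor
    check; a real policy engine would use ecosystem-aware version comparison."""
    return tuple(int(m.group()) for m in re.finditer(r"\d+", v))


def ingredients(sbom_text: str) -> list[dict]:
    """Flatten the SBOM to name/version/license records."""
    out = []
    for c in json.loads(sbom_text).get("components", []):
        ids = [lic["license"].get("id") for lic in c.get("licenses", []) if "license" in lic]
        out.append({"name": c["name"], "version": c.get("version", ""),
                    "license": ", ".join(i for i in ids if i) or None})
    return out


def below_minimum(components: list[dict], policy: dict = MIN_VERSIONS) -> list[str]:
    """Names of components older than the policy floor."""
    return [c["name"] for c in components
            if c["name"] in policy
            and parse_version(c["version"]) < parse_version(policy[c["name"]])]


def missing_license(components: list[dict]) -> list[str]:
    """Components with no license recorded: the SBOM cannot answer 'who do you trust'."""
    return [c["name"] for c in components if c["license"] is None]
```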
32. DevSecOps Decisioning Principles
• Security tools should integrate as decision points in a pipeline.
• DevSecOps tool(s) should have a policy engine that can respond with a pass/fail decision for the pipeline.
• Optimizes response time. “Fast and frugal” pipeline decisioning is preferred over customized scoring to better support velocity and consistency.
• Supports separation of duties (SoD).
• Save contextual risk scoring for release decisioning.
• Does not exclude the need for detailed information provided as pipeline output.
• Full inspection of the supply chain element to be decisioned, aka “slow path,” should be used when an element is unknown to the pipeline decisioner.
• Minimal or incremental inspection of the supply chain element to be decisioned, aka “fast path,” should be used when an element is recognized (e.g. hash) by the pipeline decisioner.
• Decision points should have a “fast path” available, where possible, to minimize any latency introduced from security decisioning.
• Security policy engines should not be managed by the pipeline team, but externally by a security SME, to comply with SoD and reduce opportunities for subversion of security policy decisions during automation.
• The goal is to optimize coverage.
https://postmodernsecurity.com/2020/11/14/devsecops-decisioning-principles/
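The decisioning principles above as an added Python example, not code from the deck or the linked post: a pipeline decision point whose policy engine is handed in from outside the pipeline and answers only pass/fail, which still returns its findings as pipeline output, and which takes the “fast path” (reusing the prior decision) when the element’s digest is already recognized. The toy image manifests, the inspection function and the policy are constructed for illustration.

```python
# Added example (not from the deck): a decision point with an external policy
# engine (pass/fail only), findings kept as pipeline output, and a fast path
# keyed on the element's SHA-256 digest. Inspector, policy and artifacts constructed.
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class Decision:
    digest: str
    passed: bool
    path: str            # "fast" (recognised digest) or "slow" (full inspection)
    findings: list = field(default_factory=list)


def inspect_image(manifest: bytes) -> list[str]:
    """Constructed 'slow path' inspection over a toy image manifest."""
    m = json.loads(manifest)
    findings = []
    if m.get("user", "root") == "root":
        findings.append("high: process runs as root")
    if any("PASSWORD" in k or "TOKEN" in k for k in m.get("env", {})):
        findings.append("high: credential-looking variable baked into image")
    if len(m.get("ports", [])) > 1:
        findings.append(f"low: {len(m['ports'])} listening ports exposed")
    return findings


def security_policy(findings: list[str]) -> bool:
    """Owned by the security SME, not the pipeline team: fail on any 'high'."""
    return not any(f.startswith("high:") for f in findings)


class DecisionPoint:
    def __init__(self, inspector=inspect_image, policy=security_policy):
        self.inspector, self.policy, self.known = inspector, policy, {}

    def decide(self, artifact: bytes) -> Decision:
        digest = "sha256:" + hashlib.sha256(artifact).hexdigest()
        prior = self.known.get(digest)
        if prior is not None:                      # fast path: same bytes, same answer
            return Decision(digest, prior.passed, "fast", prior.findings)
        findings = self.inspector(artifact)        # slow path: full inspection
        decision = Decision(digest, self.policy(findings), "slow", findings)
        self.known[digest] = decision
        return decision


GOOD_IMAGE = json.dumps({"user": "app", "env": {"LOG_LEVEL": "info"}, "ports": [8443]}).encode()
BAD_IMAGE = json.dumps({"user": "root", "env": {"DB_PASSWORD": "x"}, "ports": [22, 8080]}).encode()
```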
34. Reminders
• Small is beautiful: make your images compact, leaving out unnecessary libraries or binaries you don’t need for your individual microservice.
• Who do you trust? What are the “trusted registries” that supply your base images?
• Validate, validate, validate your images. They should be free of vulnerable libraries and components.
• Container images shouldn’t need to run as privileged or have processes that run as root.
• Don’t put credentials, keys or tokens into your image.
• Reduce the listening ports needed in your container image; each extra port increases the attack surface and the resources that need to be secured.
• Make sure to use a standard runtime. Your current security tools might not support every possible flavor.
• A container isn’t a host, it’s an ephemeral drop of rain. You shouldn’t be logging in and trying to change it, because it’s going to evaporate. Think drift prevention.
• Only attested, immutable container images should run in your environment.
• Automate, automate, automate your container builds and deploys.
• Constantly re-evaluate your supply chain: verify source code, verify dependencies, sign and protect pipelines and artifacts.
37. References
User space vs kernel space with containers:
https://www.redhat.com/en/blog/architecting-containers-part-1-why-understanding-user-space-vs-kernel-space-matters
Linux Namespaces: https://opensource.com/article/19/10/namespaces-and-containers-linux
SELinux is a MAC mechanism used to provide fine-grained access control to a Linux host:
https://www.projectatomic.io/docs/docker-and-selinux/
https://www.youtube.com/watch?v=_WOKRaM-HI4
Composition of a container image:
https://dzone.com/articles/docker-layers-explained
https://jfrog.com/knowledge-base/a-beginners-guide-to-understanding-and-building-docker-images/
Union Filesystem:
https://washraf.gitbooks.io/the-docker-ecosystem/content/Chapter%201/Section%203/union_file_system.html
https://blog.knoldus.com/unionfs-a-file-system-of-a-container/
https://containerd.io/scope/
https://docs.docker.com/storage/storagedriver/
https://github.com/opencontainers/runtime-spec/blob/master/bundle.md
Hardening and minimizing a container image:
https://www.secjuice.com/how-to-harden-docker-containers/
https://www.thoughtworks.com/radar/techniques/distroless-docker-images
https://github.com/docker-slim/docker-slim
https://medium.com/faun/how-to-build-a-docker-container-from-scratch-docker-basics-a-must-know-395cba82897b
Recommended secrets patterns with containers:
https://aws.amazon.com/blogs/database/design-patterns-to-access-cross-account-secrets-stored-in-aws-secrets-manager/
Injecting Vault Secrets into K8s Pods via a Sidecar
https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar/
38. References
The difference between a high-level and low-level container runtime: low-level runtimes focus on the mechanics of actually running a container, while high-level runtimes add features such as management of container images, unpacking the image, and hand-off to the low-level runtime.
https://merlijn.sebrechts.be/blog/2020-01-docker-podman-kata-cri-o/
https://www.ianlewis.org/en/container-runtimes-part-1-introduction-container-r
While Docker was a key player in helping to popularize and standardize the image and runtime formats, it has since donated
documentation and code to the OCI to further the mission of containerization as a vendor agnostic technology.
https://opencontainers.org/faq/
Think of Docker to containers as Kleenex is to tissue.
https://www.ianlewis.org/en/container-runtimes-part-1-introduction-container-r
What is Kubernetes?
https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/
What is OpenShift?
https://www.openshift.com/learn/what-is-openshift
What is Mesos?
http://mesos.apache.org/documentation/latest/
Good case study for container takeover
https://unit42.paloaltonetworks.com/azure-container-instances/
Container SBOM tools:
https://github.com/anchore/syft
https://github.com/tern-tools/tern
39. References
White House Executive Order 14028 https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Dept of Commerce and NTIA The Minimum Elements For a Software Bill of Materials (SBOM)
https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf
Generate a Software Bill of Materials for a Container Image with Syft
https://thenewstack.io/generate-a-software-bill-of-materials-for-a-container-image-with-syft/
SLSA framework https://slsa.dev/
OWASP Software Component Verification Standard https://owasp.org/www-project-software-component-verification-standard/
Building Resilient Supply Chains, Revitalizing American Manufacturing, and Fostering Broad-Based Growth https://www.whitehouse.gov/wp-content/uploads/2021/06/100-day-supply-chain-review-report.pdf
CNCF – Evaluating Your Supply Chain Security https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/secure-supply-chain-assessment.md
CNCF – Software Supply Chain Best Practices https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf
NIST Cyber Supply Chain Risk Management C-SCRM https://csrc.nist.gov/projects/cyber-supply-chain-risk-management
NIST SP 800-190 Application Container Security Guide
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf