Protecting Pipeline
DevOps and IaC
Fernando Cardoso
Solution Architect for AWS Alliance
© 2021 Trend Micro Inc.
Surprising facts about Containers
Gartner predicts that by 2022, more than 75% of global organizations will be running containerized applications in production, up from less than 30% today.
Security facts about Containers and Kubernetes
Some recent Kubernetes vulnerabilities:
• CVE-2019-11253 (High): kube-apiserver resource exhaustion through deeply nested YAML/JSON payloads ("billion laughs")
• CVE-2020-8559 (Medium): privilege escalation from a compromised node to the cluster, via redirects returned by the kubelet
• CVE-2020-8555 (Medium): half-blind SSRF in kube-controller-manager
• CVE-2020-8551 (Medium): kubelet denial of service through its API
• CVE-2020-8554 (Medium): man-in-the-middle using LoadBalancer or ExternalIPs services
• CVE-2020-8558 (Low): node setting (route_localnet) lets neighbouring hosts bypass the localhost boundary
Container security concerns broadly relate to:
• The foundation layers of your application
• Possible vulnerabilities in the platform and dependencies used by microservices
• The security of your application within the container
• The integrity of the build pipeline
• Container network traffic
• The security of the container host
• Privileged containers
• Malicious behavior from containers
• Securing your container management stack
Blame Game
Source: https://www.devseccon.com/devops-with-a-spice-of-culture-secadvent-day-23/
1. Secure your build pipeline
• Endpoint protection
• Least-privilege access to repository, application, and infrastructure
• Make sure runtime protection is in place
2. Build on a secure foundation
[Diagram: Dockerfile → Docker Hub base image → Snyk dependency scanning]
• Detect the vulnerabilities in the operating system used by your container image
• Detect the vulnerabilities in the application platform
• Detect the vulnerabilities in your application's dependencies
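The image scanner (Snyk in the diagram) only sees the image after it is built. The cheapest place to catch foundation mistakes is the Dockerfile itself, before the build. The following is an added example, not tooling from the deck: a small policy gate that flags an unpinned base image, a container that still runs as root, content fetched without an integrity check, and secrets baked into layers. The two Dockerfiles, the rule ids and the all-zero placeholder digest are constructed for the example.

```python
"""Pre-build Dockerfile policy gate.

Added example, not the deck's tooling: catches foundation problems before the
image is even built (unpinned base image, running as root, unverified downloads,
secrets baked into layers).  It does not replace an image scanner such as Snyk
or Trivy, which inspects the OS packages and application dependencies inside the
built image; it is the cheap gate that runs in front of that scan.
"""
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line number, rule id, message)

# Constructed sample Dockerfiles (not from the deck).
BAD_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=hunter2
RUN curl -sSL https://example.invalid/install.sh | sh
ADD https://example.invalid/app.tar.gz /opt/app/
COPY . /app
RUN pip install -r /app/requirements.txt
CMD ["python", "/app/main.py"]
"""

# Placeholder digest (all zeros) stands in for the real one printed by `docker pull`.
GOOD_DOCKERFILE = f"""\
FROM python:3.12-slim@sha256:{'0' * 64}
RUN useradd --system --no-create-home app
COPY --chown=app:app . /app
RUN pip install --no-cache-dir -r /app/requirements.txt
USER app
CMD ["python", "/app/main.py"]
"""

_SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
_PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")


def instructions(text: str) -> List[Tuple[int, str]]:
    """Return (line number, instruction) pairs; comments dropped, '\\' continuations joined."""
    out: List[Tuple[int, str]] = []
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((start, (buf + line).strip()))
        buf = ""
    if buf:  # dangling continuation at end of file
        out.append((start, buf.strip()))
    return out


def check_dockerfile(text: str) -> List[Finding]:
    findings: List[Finding] = []
    runs_as_nonroot = False  # no USER instruction means the container runs as root
    for n, inst in instructions(text):
        keyword, _, rest = inst.partition(" ")
        keyword = keyword.upper()
        if keyword == "FROM":
            image = rest.split()[0]
            if image == "scratch" or "@sha256:" in image:
                continue  # digest-pinned (or empty) base image: nothing to flag
            if ":" not in image or image.endswith(":latest"):
                findings.append((n, "DF001", f"base image not pinned: {image}"))
            else:
                findings.append((n, "DF002", f"base image pinned by mutable tag, not digest: {image}"))
        elif keyword == "USER":
            runs_as_nonroot = rest.split()[0] not in ("root", "0")
        elif keyword == "ADD" and re.search(r"\bhttps?://", rest):
            findings.append((n, "DF003", "ADD from a URL: fetched content is not integrity-checked"))
        elif keyword == "RUN" and _PIPE_TO_SHELL.search(rest):
            findings.append((n, "DF004", "downloaded script piped straight into a shell"))
        elif keyword in ("ENV", "ARG") and _SECRET_NAME.search(rest):
            var = rest.split("=")[0].split()[0]
            findings.append((n, "DF005", f"possible secret baked into the image: {var}"))
    if not runs_as_nonroot:
        findings.append((0, "DF006", "no USER instruction: container runs as root"))
    return findings


if __name__ == "__main__":
    for n, rule, msg in check_dockerfile(BAD_DOCKERFILE):
        print(f"line {n}: {rule} {msg}")
```

A tag such as `python:3.12-slim` is mutable and can be repointed upstream; only the digest identifies the exact layers that the later image scan will report on, which is why the gate treats a tag-only pin as a separate, lower-severity finding.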
3. Secure your application
• Unit tests are typically automated tests written and run by software developers to ensure that a section of an application meets its design and behaves as intended.
• SAST (static application security testing) examines an application's source code before the program is run. This is usually done by analyzing the code against a given set of rules or coding standards.
• DAST (dynamic application security testing) examines the application while or after it runs. Because the program can be exercised with a wide variety of inputs, there is no fixed rule set over the source code that covers this style; it reports what the running application actually exposes.
Open-source tool that performs static code analysis
Supported languages and formats: C#, Java, Kotlin, Python, Ruby, Golang, Terraform, JavaScript, TypeScript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell
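What "analyzing the code against a given set of rules" looks like in practice, as an added example rather than the open-source tool on the slide (which the page does not name): a handful of SAST rules over the parsed syntax tree of a Python file. Working on the tree rather than on the text is what lets the rule distinguish `subprocess.run(cmd, shell=True)` from `subprocess.run(argv)`. The sample source and the rule ids are constructed; the sample is parsed, never executed.

```python
"""Rule-based static analysis (SAST) over Python source.

Added example: a few of the rules a SAST tool ships with, run over the parsed
syntax tree rather than over the text, so that `subprocess.run(cmd, shell=True)`
is flagged while `subprocess.run(argv)` is not.  It is not the open-source tool
on the slide (which the page does not name) and covers Python only.
"""
import ast
from typing import List, Optional, Tuple

Finding = Tuple[int, str, str]  # (line, rule id, message)

# Constructed sample under test: it is parsed, never executed, so the imported
# modules need not be installed.
SAMPLE_SOURCE = '''
import subprocess, yaml, hashlib

API_KEY = "sk-live-0123456789"

def run(cmd):
    return subprocess.run(cmd, shell=True)

def load(doc):
    return yaml.load(doc)

def evaluate(expr):
    return eval(expr)

def digest(data):
    return hashlib.md5(data).hexdigest()

def safe_run(argv):
    return subprocess.run(argv, check=True)
'''

SHELL_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
               "subprocess.check_call", "subprocess.check_output"}
SECRET_WORDS = ("KEY", "SECRET", "PASSWORD", "TOKEN")


def callee_name(node: ast.Call) -> str:
    """Dotted callee name: 'subprocess.run', 'eval'; '' when it is not a plain name."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if not isinstance(f, ast.Name):
        return ""
    parts.append(f.id)
    return ".".join(reversed(parts))


def keyword_arg(node: ast.Call, name: str) -> Optional[ast.expr]:
    return next((k.value for k in node.keywords if k.arg == name), None)


class RuleVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Assign(self, node: ast.Assign) -> None:
        # PY001: string literal assigned to a name that looks like a credential
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for t in node.targets:
                if isinstance(t, ast.Name) and any(w in t.id.upper() for w in SECRET_WORDS):
                    self.findings.append((node.lineno, "PY001", f"hard-coded secret in {t.id}"))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = callee_name(node)
        if name in ("eval", "exec"):
            self.findings.append((node.lineno, "PY002", f"{name}() executes data as code"))
        elif name in SHELL_CALLS:
            shell = keyword_arg(node, "shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                self.findings.append((node.lineno, "PY003", f"{name} with shell=True (command injection)"))
        elif name == "yaml.load" and keyword_arg(node, "Loader") is None:
            self.findings.append((node.lineno, "PY004", "yaml.load without an explicit Loader"))
        elif name in ("hashlib.md5", "hashlib.sha1"):
            self.findings.append((node.lineno, "PY005", f"weak hash {name}"))
        self.generic_visit(node)  # keep walking: nested calls (md5(...).hexdigest()) live inside


def scan_source(source: str, filename: str = "<sample>") -> List[Finding]:
    """Parse once, apply every rule, return findings ordered by line."""
    visitor = RuleVisitor()
    visitor.visit(ast.parse(source, filename))
    return sorted(visitor.findings)


if __name__ == "__main__":
    for line, rule, msg in scan_source(SAMPLE_SOURCE):
        print(f"{rule} line {line}: {msg}")
```

The rules are deliberately syntactic: `yaml.load(doc, Loader=yaml.SafeLoader)` passes because the keyword is present, while a `shell=` value that is computed at runtime is not flagged at all. That gap between "what the code says" and "what the program does with real input" is exactly the space DAST covers.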
4. Secure the container host
5. Secure the networking environment
[Diagram: Internet → containerized apps A to F, running on Kubernetes over the Docker Engine and the host operating system]
Ability to detect and prevent:
• North-south traffic, to and from the internet: stop attacks and filter malicious content.
• East-west, inter-container traffic: monitor it. After attackers gain a foothold in a network, they look to move laterally to expand their reach.
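Network policy decides which flows are allowed; monitoring east-west traffic means looking at the flows that were allowed and asking whether they match the intended service graph. The following is an added example, not a product from the deck: two detections that lateral movement produces, a flow outside the expected graph (the web tier talking straight to the database) and one pod fanning out to many targets (a scan of the node network, here ending on the Docker and kubelet API ports). The flow records, the service graph and the fan-out threshold are all constructed assumptions.

```python
"""East-west traffic detection over constructed flow records.

Added example (not a product): network policy decides what may talk to what;
this pass looks at the flows that were *allowed* and raises two kinds of alert
that lateral movement produces: a flow that is outside the intended service
graph, and one pod fanning out to many destinations (a scan).  Record format,
service graph and threshold are assumptions for the example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int, str]  # (src pod, dst pod or IP, dst port, verdict)

# Constructed flow log, as a CNI or service mesh would export it (namespace/pod).
FLOWS: List[Flow] = [
    ("shop/web-1",    "shop/api-1",        8443,  "allow"),
    ("shop/web-1",    "shop/api-2",        8443,  "allow"),
    ("shop/api-1",    "shop/db-1",         5432,  "allow"),
    ("shop/web-1",    "shop/db-1",         5432,  "allow"),  # web must never reach db directly
    ("shop/web-1",    "kube-system/dns-1", 53,    "allow"),
    ("shop/web-1",    "shop/db-1",         5433,  "deny"),   # policy already blocked this one
    ("shop/worker-3", "10.0.3.7",          22,    "allow"),
    ("shop/worker-3", "10.0.3.8",          22,    "allow"),
    ("shop/worker-3", "10.0.3.9",          22,    "allow"),
    ("shop/worker-3", "10.0.3.10",         22,    "allow"),
    ("shop/worker-3", "10.0.3.11",         2375,  "allow"),  # Docker API
    ("shop/worker-3", "10.0.3.12",         10250, "allow"),  # kubelet API
]

# Intended east-west graph: (source role, destination role, port). "*" = any source.
ALLOWED: Set[Tuple[str, str, int]] = {
    ("web", "api", 8443),
    ("api", "db", 5432),
    ("*", "dns", 53),
}
FANOUT_THRESHOLD = 5  # distinct (destination, port) pairs from one pod in the window


def role(endpoint: str) -> str:
    """'shop/web-1' -> 'web'. A bare IP has no namespace and therefore no role."""
    if "/" not in endpoint:
        return ""
    return endpoint.split("/", 1)[1].rsplit("-", 1)[0]


def analyse(flows: Iterable[Flow]) -> Dict[str, List[str]]:
    alerts: Dict[str, List[str]] = defaultdict(list)
    targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for src, dst, port, verdict in flows:
        if verdict != "allow":
            continue  # blocked flows are policy working as intended; count only what got through
        targets[src].add((dst, port))
        s, d = role(src), role(dst)
        if (s, d, port) not in ALLOWED and ("*", d, port) not in ALLOWED:
            alerts[src].append(f"unexpected flow {src} -> {dst}:{port}")
    for src, pairs in targets.items():
        if len(pairs) >= FANOUT_THRESHOLD:
            ports = sorted({p for _, p in pairs})
            alerts[src].append(f"fan-out to {len(pairs)} targets on ports {ports}")
    return dict(alerts)


if __name__ == "__main__":
    for pod, msgs in analyse(FLOWS).items():
        print(pod)
        for m in msgs:
            print("  ", m)
```

The point of the `verdict != "allow"` filter: denied flows are the policy doing its job and belong in a different, lower-priority count. Lateral movement that matters is the traffic the policy let through, either because the graph was declared too broadly or because the target was never covered by a policy at all (raw node IPs have no role here, so every flow to them is unexpected by construction).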
6. Secure your management stack
• Container image scanning integrated with the container registries
• Protect the master (control plane) and API communication
• Protect the nodes and apply security policies for microservices
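The three bullets meet at admission time: before a Pod is scheduled onto a node, the cluster can check that its images come from the registry the scanner is integrated with and are pinned by digest (so the scan result applies to exactly the bits that will run), and that it does not ask for the privileged and host-namespace settings that turn a container compromise into a node compromise (the "privileged container" concern from the earlier list). The following is an added example of such a validating check, not a product and not Kubernetes' own Pod Security Admission, which enforces a comparable "restricted" profile. The trusted registry name, the Pod manifest and the placeholder digest are assumptions.

```python
"""Admission-style policy check on a Pod spec.

Added example (not a product): the shape of a validating admission check that a
cluster applies before a Pod reaches a node.  It ties the registry-integrated
image scan to the node: only digest-pinned images from the scanned registry are
accepted, so the scan result applies to exactly the bits that will run; and it
rejects the privileged and host-namespace settings that turn a container
compromise into a node compromise.  Registry name and manifest are assumptions.
"""
from typing import Any, Dict, List

TRUSTED_REGISTRIES = ("registry.example.internal/",)  # assumption: the registry the scanner is integrated with

# Constructed Pod as an admission webhook would receive it (decoded JSON).
POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "shop"},
    "spec": {
        "hostPID": True,
        "containers": [
            {"name": "app",
             "image": "registry.example.internal/shop/api@sha256:" + "0" * 64,  # placeholder digest
             "securityContext": {"runAsNonRoot": True,
                                 "allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"]}}},
            {"name": "debug",
             "image": "docker.io/library/ubuntu:latest",
             "securityContext": {"privileged": True},
             "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}]},
        ],
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}


def check_pod(pod: Dict[str, Any]) -> List[str]:
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "?")
    v: List[str] = []
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            v.append(f"{name}: {key}=true shares a node namespace with the container")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            v.append(f"{name}: volume {vol['name']} mounts hostPath {vol['hostPath'].get('path')}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = f"{name}/{c['name']}"
        image = c.get("image", "")
        if not image.startswith(TRUSTED_REGISTRIES):
            v.append(f"{cname}: image {image} is not from a trusted registry")
        if "@sha256:" not in image:
            v.append(f"{cname}: image {image} is not digest-pinned, so no scan result can be tied to it")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            v.append(f"{cname}: privileged container")
        if not sc.get("runAsNonRoot"):
            v.append(f"{cname}: runAsNonRoot is not set")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
            v.append(f"{cname}: allowPrivilegeEscalation is not disabled")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            v.append(f"{cname}: capabilities are not dropped")
    return v


def admit(pod: Dict[str, Any]) -> Dict[str, Any]:
    """Decision in the shape an admission webhook returns."""
    violations = check_pod(pod)
    return {"allowed": not violations, "violations": violations}


if __name__ == "__main__":
    import json
    print(json.dumps(admit(POD), indent=2))
```

Note that the `app` container passes every rule while the Pod as a whole is rejected: one privileged sidecar with the Docker socket mounted is enough to own the node, so the decision has to be made per Pod, not per container.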
Full Architecture
But how can I validate the infrastructure already created, or about to be created, in the cloud for my applications?
Infrastructure as Code - Pipeline
[Diagram] Git repository → CI/CD (GitHub Actions integration) → Template Scanner f(x) → cloud build
• IDE plugin (VS Code): runs the Template Scanner through the APIs while the template is being written
• Cloud Security Posture Management over the deployed instances / container hosts, serverless and storage / databases: multi-cloud visibility, compliance, real-time monitoring
• Findings routed to the support ticket system
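The Template Scanner step, f(x) in the diagram, is a set of rules evaluated over the template before anything is deployed, plus a gate that decides whether the build continues. The following is an added example of that step, not the scanner from the deck (which the page does not name): a few rules over a CloudFormation template, covering a security group that opens an admin port to the world, a public and unencrypted S3 bucket, and a database that is internet-reachable with its master password in the template. JSON is used so the example needs only the standard library (real templates are usually YAML); the template, the resource names and the rule ids are constructed.

```python
"""Infrastructure-as-code template scan, the f(x) step of the pipeline above.

Added example (not the scanner from the deck, which the page does not name):
rules run over a CloudFormation template before anything is deployed, and a
gate decides whether the build may continue.  JSON is used so the example needs
only the standard library; real templates are usually YAML.  The template and
its resource names are constructed for this example.
"""
import json
from typing import Any, Dict, List

TEMPLATE_JSON = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "admin access",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
        "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
        "Data": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                                               "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
        "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "Engine": "postgres", "StorageEncrypted": False, "PubliclyAccessible": True,
            "MasterUserPassword": "ChangeMe123"}},
    },
})

ADMIN_PORTS = (22, 3389)
WORLD = ("0.0.0.0/0", "::/0")
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def open_to_world(rule: Dict[str, Any]) -> bool:
    return rule.get("CidrIp") in WORLD or rule.get("CidrIpv6") in WORLD


def covers_admin_port(rule: Dict[str, Any]) -> bool:
    proto = str(rule.get("IpProtocol", "-1"))
    if proto not in ("-1", "tcp"):
        return False
    lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def scan_template(text: str) -> List[Dict[str, str]]:
    template = json.loads(text)
    findings: List[Dict[str, str]] = []

    def add(resource: str, rule: str, severity: str, message: str) -> None:
        findings.append({"resource": resource, "rule": rule, "severity": severity, "message": message})

    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if open_to_world(rule) and covers_admin_port(rule):
                    add(name, "SG001", "HIGH",
                        f"admin port range {rule.get('FromPort')}-{rule.get('ToPort')} open to the world")
        elif rtype == "AWS::S3::Bucket":
            if str(props.get("AccessControl", "Private")).startswith("Public"):
                add(name, "S3001", "HIGH", f"bucket ACL {props['AccessControl']}")
            pab = props.get("PublicAccessBlockConfiguration", {})
            if not all(pab.get(k) is True for k in PAB_KEYS):
                add(name, "S3002", "MEDIUM", "public access block not fully enabled")
            if "BucketEncryption" not in props:
                add(name, "S3003", "MEDIUM", "no default encryption")
        elif rtype == "AWS::RDS::DBInstance":
            if props.get("PubliclyAccessible"):
                add(name, "RDS001", "HIGH", "database reachable from the internet")
            if not props.get("StorageEncrypted"):
                add(name, "RDS002", "MEDIUM", "storage not encrypted")
            pw = props.get("MasterUserPassword")
            # A literal string is a leaked credential; {"Ref": ...} or a
            # "{{resolve:secretsmanager:...}}" dynamic reference is fine.
            if isinstance(pw, str) and not pw.startswith("{{resolve:"):
                add(name, "RDS003", "HIGH", "master password in plaintext in the template")
    return findings


def gate(findings: List[Dict[str, str]], fail_on=("HIGH",)) -> bool:
    """Pipeline decision: True when the template may proceed to the cloud build."""
    return not any(f["severity"] in fail_on for f in findings)


if __name__ == "__main__":
    found = scan_template(TEMPLATE_JSON)
    for f in found:
        print(f"{f['severity']:6} {f['rule']:7} {f['resource']}: {f['message']}")
    print("proceed" if gate(found) else "blocked")
```

The same rule set is what the IDE plugin would run while the template is still being typed and what the posture-management side re-checks against the deployed resources; the difference is only where f(x) is invoked. The gate fails the build on HIGH findings and lets MEDIUM ones through to the ticket system, so the threshold is a policy decision rather than something the scanner decides.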
Shift-Left Security – Plugin in the IDE
GitHub with some examples
Conclusion
"Containers and microservices offer numerous benefits for your business, as long as you have the right policies, “right use”, and security tools to protect them from possible mistakes, vulnerabilities and attacks in the very agile environment that containers are."
Fernando Cardoso
fernando_cardoso@trendmicro.com
@fernando0stc
Fernando0stc
