Securing Docker Containers

•

3 likes•5,947 views

Docker is revolutionizing the way organizations build and deploy applications. But while containers make it easier to development teams to package applications with all their dependencies, they make it harder for operations teams to control what software is deployed into production. In this session you will see how Black Duck Hub helps development and operations teams maintain complete visibility and control of the open source in their containers.

Technology

Securing Docker
Containers
Randy Kilmon
VP Engineering
Black Duck Software

How Pervasive is Open Source?
• > 98% of the applications
tested used open source
• On average, open source
comprised over 30% of the
code base
Open
Source
Custom
Code
Composition of software tested across
1400 Black Duck customers
Reference:Black Duck Softwareaudits

Building Trust & Confidence is Critical to Adoption of Docker
Security is ranked as the #1 adoption challenge for containers
• 60% of customers are concerned about container security and lack of
certification/image provenance
• 40% of available container images in contain High Priority Vulnerabilities
• 4,000 new vulnerabilities in open source reported annually, e.g., Heartbleed,
Shellshock, Venom, Ghost
3Black Duck Customer Conference

Docker Infrastructure
Docker Daemon / Docker Socket
• Docker itself must run as root on the host system
• attacks targeting the host system coming in through Docker would
have root privs
• Many Docker containers run with the –privileged flag set which extends
privileges of the container allowing it to access all devices on the host
system (BAD Idea).
5Black Duck Customer Conference

Responses
Linux adaptations to counter the threat
• Red Hat Atomic Host
• SE linux (multi-tenancy)
• “Locked down” system (read-only /usr)
• Intended to change configurations only in /var & /etc
• No yum package manager
• VMware Photon and Lightwave
• Photon is an optimized and secured Linux host designed for running
containers at scale
• Lightwave used for managing authorization and identity management
6Black Duck Customer Conference

Container Contents
Containers can be vulnerable by virtue of the code that runs inside
them
• OSS components running inside containers represent potential attack
vectors in the same way they can in traditional deployment models
• Could cause problems for the application itself
• Could cause more problems if the container is running with the –
privileged flag set
• Different OS flavors and versions, as well as different module versions
• Based on any one of many Linux distributions
• Patches must be managed carefully
• Security, but also compatibility & supportability
7Black Duck Customer Conference

Responses
Manage and monitor container content carefully
• Dockerfile analysis is insufficient
• .tar, .zip files could have anything inside them
• Other layers are just referenced from other registries
• Asking the package manager is insufficient
• Not all modules are under package manager’s purview
• Application layer code (.jar’s, e.g.) is never managed in this way
• File inspection (scanning) is the only way to be sure about what’s there!!
8Black Duck Customer Conference

Microservices
The more containers you spin up, the larger attack surface you expose
• Speed is critical
• Speed to detection of problems
• Speed to remediation
9Black Duck Customer Conference

The Black Duck Solution
Black Duck key differentiators
• Platform-agnostic support in Hub for analyzing all content (whether
inside containers or not)
• Signature-based file identification
• Automated identification
• Able to show in which layer the component was introduced
• Vulnerability reporting over time / alerting
10Black Duck Customer Conference

Key Integration Points
Many options for workflow
• Scan on any Docker host by accessing images through the Docker
daemon
• Scan on RH Atomic Host with file system level integration
• Scan directly against a Docker registry
• CI tools: Jenkins, Bamboo, etc.
• OpenShift (currently in development)*
11Black Duck Customer Conference

Q&A
13Black Duck Customer Conference
Let’s talk about how you are using or plan to use Docker in your
organizations

Integration and automation are cornerstones of DevOps. Black Duck Hub provides integrations to CI/CD solutions like Jenkins and TeamCity, but what if you are using a different solution or maybe even your own custom tools? Never fear! Black Duck Hub API's allow you to leverage Black Duck open source scanning and policies into your environment. In this session we'll roll up our sleeves and dig into some coding examples to show you how to do it.

Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why

Black Duck by Synopsys

According to SAP 85% of cybersecurity attacks target the application layer. To be successful in defending against these attacks you need to use a variety of tools. In session we'll go into the various types application security tools and approaches, including SAST, DAST, RASP, PEN, as well as Open Source Vulnerability Management. We'll help you understand the differences between these tools and help you develop a plan for filling your application security toolbox.

Secure Application Development in the Age of Continuous Delivery

Black Duck by Synopsys

As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016. Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: • How known vulnerabilities can make their way into production deployments • How deployment of vulnerable code can be minimized • How to determine the vulnerability status of a container • How to determine the risk associated with a specific package

Myths and Misperceptions of Open Source Security

Black Duck by Synopsys

Customer Case Study: ScienceLogic - Many Paths to Compliance

Black Duck by Synopsys

Contain your risk: Deploy secure containers with trust and confidence

Black Duck by Synopsys

Presented on September 22, 2016 by Brent Baude, Principle Software Engineer, Atomic and Docker Development, Red Hat; Randy Kilmon, VP, Engineering, Black Duck Organizations are increasingly turning to container environments to meet the demand for faster, more agile software development. But a 2015 study conducted by Forrester Consulting on behalf of Red Hat revealed that 53% of IT operations and development decision makers at global enterprises reported container security concerns as a barrier to adoption. The challenges of managing security risk increase in scope and complexity when hundreds or even thousands of different open source software components and licenses are part of your application code base. Since 2014, more than 6,000 new open source security vulnerabilities have been reported, making it essential to have good visibility into and control over the open source in use in order to understand if any known vulnerabilities are present. In this webinar, experts from Red Hat and Black Duck will share the latest insights and recommendations for securing the open source in your containers, including protecting them from vulnerabilities like Heartbleed, Shellshock and Venom. You’ll learn: • Why container environments present new application security challenges, including those posed by ever-increasing open source use. • How to scan applications running in containers to identify open source in use and map known open source security vulnerabilities. • Best practices and methodologies for deploying secure containers with trust and confidence.

PCI and Vulnerability Assessments - What’s Missing

Black Duck by Synopsys

Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck

Black Duck by Synopsys

Presented August 11, 2016 by Michael Right, Senior Product Manager, HPE Security Fortify; Mike Pittenger, VP of Security Strategy, Black Duck. Open source software is an integral part of today’s technology ecosystem, powering everything from enterprise and mobile applications to cloud computing, containers and the Internet of Things. While open source offers attractive economic and productivity benefits for application development, it also presents organizations with significant security challenges. Every year, thousands of new open source security vulnerabilities – such as Heartbleed, Venom and Shellshock – are reported. Unfortunately, many organizations lack visibility into and control of their open source. Addressing this challenge is vital for ensuring security in applications and containers. Whether you’re building software for customers or for internal use, the majority of the code is likely open source and securing it is no easy task. In this session, you’ll learn about: • The evolving DevOps and software security assurance lifecycle in the age of open source • The software security considerations CISOs, security, and development teams must address when using open source • An automated approach to identifying vulnerabilities and managing software security assurance for custom and open source code.

Proactive sell side due diligence to identify, inventory, assess, and, when necessary, remediate open source risks helps ensure the target company receives the best value for its products in an M&A event (and avoid lawsuits). Discovering these problems late in the game can dramatically affect the final purchase price, trigger the need for additional/longer/enhanced escrows, delay closing or even cause an acquisition to be called off altogether.

Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015

Black Duck by Synopsys

Flight East 2018 Presentation–Continuous Integration––An Overview

Synopsys Software Integrity Group

BlackDuck Suite

jeff cheng

Flight East 2018 Presentation–Black Duck at Docusign

Synopsys Software Integrity Group

The How and Why of Container Vulnerability Management

Tim Mackey

As presented at OpenShift Commons Sept 8, 2016. Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to application issues attackers choose to exploit, it’s critical to have visibility into both what is in your container library, but also what the current state of vulnerability activity might be. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform. In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.

Hp fortify source code analyzer(sca)

Nagaraju Repala

Thick client application security assessment

Sanjay Kumar (Seeking options outside India)

Secure Application Development in the Age of Continuous Delivery

Tim Mackey

As delivered at LinuxCon and ContainerCon in Berlin 2016. Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: • How known vulnerabilities can make their way into production deployments • How deployment of vulnerable code can be minimized • How to determine the vulnerability status of a container • How to determine the risk associated with a specific package

Open Source KMIP Implementation

sedukull

Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...

Synopsys Software Integrity Group

The Future of Security and Productivity in Our Newly Remote World

DevOps.com

Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated. This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks. See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.

Containers for Lawyers Richard Fontana

Black Duck by Synopsys

Donu’t Let Vulnerabilities Create a Hole in Your Organization

DevOps.com

Open source code is everywhere, helping developers deliver code quickly and efficiently. But, if those open source components are insecure, the result can be a catastrophic data breach. To prevent this from happening, companies are turning to Software Composition Analysis (SCA) solutions to identify vulnerabilities in the open source libraries they’re using. Join Veracode to learn how your development teams can easily identify open source libraries in use, their vulnerabilities, licenses, and risks to their applications – helping you protect both your applications and customer data. Want to learn more about the latest solutions?

Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2

NetSPI

App Security? There’s a metric for that! (Part 1 of 2) Over the past year, NetSPI has been working on a new approach to manage and measure application security. By combining OWASP’s Software Assurance Maturity Model, traditional risk assessment methodologies, and experience developing security metrics, NetSPI developed a methodology that may be used to help organizations improve the way they manage and prioritize their application security initiatives. Once fully developed, this approach will be donated to OWASP either as an add-on to the existing SAMM project or as a new project intended to improve application security management. In this presentation, NetSPI provides a detailed walk-through of the overall methodology as well as OWASP’s SAMM project. We provide examples of the types of metrics and executive dashboards that can be generated by using this approach to managing application security and help highlight various ways this information can be used to further improve the overall maturity of application security programs. Be sure to check out Part 2 of this presentation for a more "Hands On" approach. http://www.slideshare.net/NetSPI/application-risk-prioritizationhandsonsecure360part2of2

AWS Community Day - Vitaliy Shtym - Pragmatic Container Security

AWS Chicago

Securing the Container Pipeline

Salesforce Engineering

Talk given by Cem Gürkök, Lead InfoSec Engineer at Salesforce, at DockerCon 16 in June 2016 Customer trust and security is paramount for Salesforce. While containerization is great for DevOps due to flexibility, speed, isolation, transient existence, ease of management and patching, it becomes a challenging environment when the sensitivity level of the data traversing the environment increases. Monitoring systems, applications and network; performing disk, memory and network forensics in case of an incident; and vulnerability detection can easily become daunting tasks in such a volatile environment. In this presentation we would like to discuss the infrastructure we have built to address these issues and to secure our Docker container platform while we rapidly containerize Salesforce. Our solutions focus on securing the container pipeline, building security into the architecture, monitoring, Docker forensics (disk, memory, network), and automation. We also would like to demonstrate some of our live memory analysis capabilities we leverage to assure container and application integrity during execution.

5 Ways to Secure Your Containers for Docker and Beyond

Black Duck by Synopsys

Presented by Tim Mackey, Senior Technology Evangelist, Black Duck Software on August 17. To use containers safely, you need to be aware of potential security issues and the tools you need for securing container-based systems. Secure production use of containers requires an understanding of how attackers might seek to compromise the container, and what you should be aware of to minimize that potential risk. Tim Mackey, Senior Technical Evangelist at Black Duck Software, provides guidance for developing container security policies and procedures around threats such as: 1. Network security 2. Access control 3. Tamper management and trust 4. Denial of service and SLAs 5. Vulnerabilities Register today to learn about the biggest security challenges you face when deploying containers, and how you can effectively deal with those threats. Watch the webinar on BrightTalk: http://bit.ly/2bpdswg

What's hot

Integrating Black Duck into your Agile DevOps Environment

Black Duck by Synopsys

Making the Transition from Suite to the Hub

Black Duck by Synopsys

The 4 Levels of Open Source Risk Management

Black Duck by Synopsys

Practical Steps to Scale Legal Support for Open Source

Black Duck by Synopsys

Don't Let Open Source be the Deal Breaker In Your M&A

Black Duck by Synopsys

Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015

Black Duck by Synopsys

Flight East 2018 Presentation–Continuous Integration––An Overview

Synopsys Software Integrity Group

BlackDuck Suite

jeff cheng

Flight East 2018 Presentation–Black Duck at Docusign

Synopsys Software Integrity Group

The How and Why of Container Vulnerability Management

Tim Mackey

Hp fortify source code analyzer(sca)

Nagaraju Repala

Thick client application security assessment

Sanjay Kumar (Seeking options outside India)

Secure Application Development in the Age of Continuous Delivery

Tim Mackey

Open Source KMIP Implementation

sedukull

Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...

Synopsys Software Integrity Group

The Future of Security and Productivity in Our Newly Remote World

DevOps.com

Containers for Lawyers Richard Fontana

Black Duck by Synopsys

Donu’t Let Vulnerabilities Create a Hole in Your Organization

DevOps.com

Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2

NetSPI

AWS Community Day - Vitaliy Shtym - Pragmatic Container Security

AWS Chicago

What's hot (20)

Integrating Black Duck into your Agile DevOps Environment

Making the Transition from Suite to the Hub

The 4 Levels of Open Source Risk Management

Practical Steps to Scale Legal Support for Open Source

Don't Let Open Source be the Deal Breaker In Your M&A

Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015

Flight East 2018 Presentation–Continuous Integration––An Overview

BlackDuck Suite

Flight East 2018 Presentation–Black Duck at Docusign

The How and Why of Container Vulnerability Management

Hp fortify source code analyzer(sca)

Thick client application security assessment

Secure Application Development in the Age of Continuous Delivery

Open Source KMIP Implementation

Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...

The Future of Security and Productivity in Our Newly Remote World

Containers for Lawyers Richard Fontana

Donu’t Let Vulnerabilities Create a Hole in Your Organization

Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2

AWS Community Day - Vitaliy Shtym - Pragmatic Container Security

Similar to Securing Docker Containers

Securing the Container Pipeline

Salesforce Engineering

5 Ways to Secure Your Containers for Docker and Beyond

Black Duck by Synopsys

Containers and Security for DevOps

Salesforce Engineering

Understanding container security

John Kinsella

Docker

Codeister Technolgoies

Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Containers allow a developer to package up an application with all of the parts it needs, such as libraries and other dependencies, and ship it all out as one package. By doing so, thanks to the container, the developer can rest assured that the application will run on any other Linux machine regardless of any customized settings that machine might have that could differ from the machine used for writing and testing the code. In a way, Docker is a bit like a virtual machine. But unlike a virtual machine, rather than creating a whole virtual operating system, Docker allows applications to use the same Linux kernel as the system that they’re running on and only requires applications be shipped with things not already running on the host computer. This gives a significant performance boost and reduces the size of the application.

Finding Your Way in Container Security

Ksenia Peguero

In the last few years, the popularity of DevSecOps and rich cloud services have been driving the adoption of containers in the software industry. Container architectures become increasingly complex, and organizations cannot escape using them. At the same time, attackers are finding new ways of exploiting containers and container architectures. Are you still new to containerization and infrastructure as code? Do you feel that your knowledge of application security suddenly doesn’t apply to the way applications are built and deployed using containers? Do you get lost in the IaC and container terminology soup? If so, this talk will help clear things up and answer your questions. We start with an introduction into container technologies, briefly go through the key terminology, explain the value that containers bring today, and why they are so popular. Then we will talk about the challenges that DevSecOps engineers have when using contains and the security aspects that they face. This presentation includes descriptions of common container threats and real-world examples of recent attacks. These threats will guide our discussion of the typical vulnerabilities and attack vectors. We will touch on well-known standards and resources for container security, such as OWASP Docker Top 10 project, Container Security Verification Standard, NIST Application Container Security Guide, and CIS Benchmarks. And we conclude with guidelines on how to secure containers and listing best practices that most organizations follow today.

Docker Security and Content Trust

ehazlett

Docker Containers Security

Stephane Woillez

Finding Your Way in Container Security

Ksenia Peguero

Securing the Container Pipeline at Salesforce by Cem Gurkok

Docker, Inc.

Customer trust and security is paramount for Salesforce. While containerization is great for DevOps due to flexibility, speed, isolation, transient existence, ease of management and patching, it becomes a challenging environment when the sensitivity level of the data traversing the environment increases. Monitoring systems, applications and network; performing disk, memory and network forensics in case of an incident; and vulnerability detection can easily become daunting tasks in such a volatile environment. In this presentation we would like to discuss the infrastructure we have built to address these issues and to secure our Docker container platform while we rapidly containerize Salesforce. Our solutions focus on securing the container pipeline, building security into the architecture, monitoring, Docker forensics (disk, memory, network), and automation. We also would like to demonstrate some of our live memory analysis capabilities we leverage to assure container and application integrity during execution.

Containers 101

Black Duck by Synopsys

Dockerized containers are the current wave that promising to revolutionize IT. Everybody is talking about containers, but a lot of people remain confused on how they work and why they are different or better than virtual machines. In this session, Black Duck container and virtualization expert Tim Mackey will demystify containers, explain their core concepts, and compare and contrast them with the virtual machine architectures that have been the staple of IT for the last decade.

stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...

NETWAYS

They provide the workload isolation and security advantages of VMs. but at the same time maintain the speed of deployment and usability of containers.by using kata containers, instead of namespace, small virtual machines are created on the kernel and be strongly isolated. The technology of Kata Containers is based on KVM hypervisor. That’s why the level of isolation is equivalent to typical hypervisors. This session will focus on a live production phase when choosing kata instead of docker, and why they are preferable Although containers provides software-level isolation of resources, the kernel needs to be shared. That’s why the isolation level in terms of security is not so high when compared with hypervisors.This learns to shift from Docker as the de facto standard to Kata containers and learn how to obtain higherl level of security

Container Security

Salman Baset

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...

Denim Group

The SolarWinds attack brought additional scrutiny software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers, 3rd party development contractors, as well as an array open source contributors. This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.

Linuxcon secureefficientcontainerimagemanagementharbor

LinuxCon ContainerCon CloudOpen China

DCSF19 Container Security: Theory & Practice at Netflix

Docker, Inc.

Michael Wardrop, Netflix Usage of containers has undergone rapid growth at Netflix and it is still accelerating. Our container story started organically with developers downloading Docker and using it to improve their developer experience. The first production workloads were simple batch jobs, pioneering micro-services followed, then status as a first class platform running critical workloads. As the types of workloads changed and their importance increased, the security of our container ecosystem needed to evolve and adapt. This session will cover some security theory, architecture, along with practical considerations, and lessons we learnt along the way.

OpenStack SummitDocker, Inc.

Docker Security

antitree

Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4

Qualcomm Developer Network

The How and Why of Container Vulnerability Management

Black Duck by Synopsys

Presented by Tim Mackey, Senior Technical Evangelist at Black Duck Software on September 8, 2016 with OpenShift Commons. Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to application issues attackers choose to exploit, it’s critical to have visibility into both what is in your container library, but also what the current state of vulnerability activity might be. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform. In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.

Similar to Securing Docker Containers (20)

Securing the Container Pipeline

5 Ways to Secure Your Containers for Docker and Beyond

Containers and Security for DevOps

Understanding container security

Docker

Finding Your Way in Container Security

Docker Security and Content Trust

Docker Containers Security

Finding Your Way in Container Security

Securing the Container Pipeline at Salesforce by Cem Gurkok

Containers 101

stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...

Container Security

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...

Linuxcon secureefficientcontainerimagemanagementharbor

DCSF19 Container Security: Theory & Practice at Netflix

OpenStack Summit

Docker Security

Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4

The How and Why of Container Vulnerability Management

More from Black Duck by Synopsys

Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...

Black Duck by Synopsys

Anthony Decicco, shareholder, GTC Law Group presented at FLIGHT West 2018. His session description included: A buyer and investor focused discussion of key open source software-related issues and deal points. Understanding the key legal and technical risks, as well as strategies for mitigating them, will help you to focus due diligence, speed and smooth negotiations and get better deal terms, increasing overall value and avoiding post-transaction surprises. For more information, please visit us at www.blackducksoftware.com

FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...

Black Duck by Synopsys

Basma Shahadat, Lead Research Engineer presented at Black Duck Flight West 2018. Security checking in the early stages of the SDLC is critical. This session will demonstrate how Proofpoint is taking proactive steps to reduce risk by integrating Black Duck into Proofpoint’s continuous integration pipeline to detect open source vulnerabilities during the product build. For more information, please visit us at https://www.blackducksoftware.com/

FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub

Black Duck by Synopsys

FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...

Black Duck by Synopsys

FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...

Black Duck by Synopsys

Open-Source- Sicherheits- und Risikoanalyse 2018

Black Duck by Synopsys

FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...

Black Duck by Synopsys

At Flight Amsterdam, Fenna Douwenga, Associate, Bird & Bird provided practical tips on open source licenses, intellectual property rights, and trade secrets. During the presentation Fenna reviewed, everlasting conflict between patents, copyright and open source and how it can be overcome. Additionally, the new European Trade Secrets Directive was discussed and how some of the requirements therein may for instance conflict with the GNU General Public license. Furthermore, a quick outline of the influence of Brexit on licenses closed under UK law was given and how potential problems can be prevented.

FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide

Black Duck by Synopsys

FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal

Black Duck by Synopsys

Flight Amsterdam presentation by Anthony Decicco, Shareholder, GTC Law Group Open source software is increasingly centric to transactions, whether licensing, mergers, acquisitions, financing, insurance, offerings or loans, and the deal landscape is changing with the prevalence of representation and warranty insurance, heightened focus on security vulnerabilities and increasing litigation. As such, it is important to understand and re-visit key open source software-related issues and deal points to accelerate your deal, avoid unnecessary due diligence and realize the most value from your open source software-related compliance efforts.

FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...

Black Duck by Synopsys

FLIGHT Amsterdam Presentation - From Protex to Hub

Black Duck by Synopsys

Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...

Black Duck by Synopsys

The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.

Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...

Black Duck by Synopsys

Open Source Rookies and Community

Black Duck by Synopsys

Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...

Black Duck by Synopsys

We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI and a webinar on the 2018 Open Source Rookies of the Year. Open Source Insight is your weekly news resource for open source security and cybersecurity news!

Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...

Black Duck by Synopsys

It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security into your GDPR plans. Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.

Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...

Black Duck by Synopsys

Welcome to the March 2nd edition of Open Source Insight from Black Duck by Synopsys! We look at places you’d never expect to find GDPR data, as well as answers to your most-frequently-asked GDPR questions. Synopsys Principal Scientist Sammy Migues explores why enterprises must have a software security program while Black Duck Technology Evangelist, Tim Mackey, takes a look at building application security into the heart of DevOps. Plus, a report that may give you nightmares on the malicious possibilities of AI. All the cybersecurity and open source security news fit to print lies ahead for your reading pleasure…

Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...

Black Duck by Synopsys

This week’s Open Source Insight features a powerful visualization tool displaying the world’s biggest data breaches at name brands such as Ebay, Equifax, Anthem, and Target. The White House and British Foreign Office have condemned a cyber-attack launched by the Russian military on Ukraine and hint at reprisals. Black Duck brings open source vulnerability detection to Kubernetes, and Synopsys will host Elevate, an evening thought leadership event at Embedded World 2018 featuring an elite group of international cyber security experts leading a discussion about IoT and embedded systems security threats and solutions. Read on for all the open source security and cybersecurity news you need to know this week.

Open Source Insight: Happy Birthday Open Source and Application Security for ...

Black Duck by Synopsys

Opinions differ on exactly when, but open source turned twenty this year. Most security breaches in 2017 were preventable (you hear that, Equifax?), and it’s time to take a look back to prevent similar breaches in 2018. iPhone source code gets leaked (for a short time). And keeping medical devices, voting machines, automobiles, and critical infrastructure safe in a world of increasing application risk. Read on for open source security and cybersecurity in Open Source Insight for February 9th, 2018.

Open Source Insight: Security Breaches and Cryptocurrency Dominating News

Black Duck by Synopsys

This week in Open Source Insight we examine blockchain security and the cryptocurrency boom. Plus, take an in depth look at open source software in tech contracts with a legal expert from Tech Contracts Academy, Adobe Flash Player continues to be a security concern, the Open Source Initiative turns 20, and step by step instructions for migrating to Docker on Black Duck Hub. Cybersecurity and security breach news also dominates this week, as Synopsys examines security breaches in 2017 and how they were preventable.

More from Black Duck by Synopsys (20)

Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...

FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...

FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub

FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...

FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...

Open-Source- Sicherheits- und Risikoanalyse 2018

FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...

FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide

FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal

FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...

FLIGHT Amsterdam Presentation - From Protex to Hub

Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...

Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...

Open Source Rookies and Community

Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...

Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...

Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...

Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...

Open Source Insight: Happy Birthday Open Source and Application Security for ...

Open Source Insight: Security Breaches and Cryptocurrency Dominating News

Recently uploaded

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPathCommunity

💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™: See how to accelerate model training and optimize model performance with active learning Learn about the latest enhancements to out-of-the-box document processing – with little to no training required Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath. Speakers: 👨‍🏫 Andras Palfi, Senior Product Manager, UiPath 👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

Alex Pruden

This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second). Paper: https://eprint.iacr.org/2023/1886

A tale of scale & speed: How the US Navy is enabling software delivery from l...

sonjaschweigert1

Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved: - Reduction in onboarding time from 5 weeks to 1 day - Improved developer experience and productivity through actionable findings and reduction of false positives - Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO) Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production. We will cover: - How to remove silos in DevSecOps - How to build efficient development pipeline roles and component templates - How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence) - How to streamline operations with automated policy checks on container images

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Albert Hoitingh

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

91mobiles

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

PCI PIN Basics Webinar from the Controlcase Team

ControlCase

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

The Metaverse and AI: how can decision-makers harness the Metaverse for their...

Jen Stirrup

The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives? How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

DevOps and Testing slides at DASA Connect

Kari Kakkonen

UiPath Community Day Dubai: AI at Work..

UiPathCommunity

Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking. 📕 Curious on our agenda? Wait no more! 10:00 Welcome note - UiPath Community in Dubai Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank 10:20 A UiPath cross-region MEA overview Ashraf El Zarka, VP and Managing Director MEA, UiPath 10:35: Customer Success Journey Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank 11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more Boris Krumrey, Global VP, Automation Innovation, UiPath 12:15 To discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services. Brendan Lingam, Director of Sales and Business Development, Marc Ellis

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Sri Ambati

Quantum Computing: Current Landscape and the Future Role of APIs

Vlad Stirbu

Recently uploaded (20)

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

Monitoring Java Application Security with JDK Tools and JFR Events

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

A tale of scale & speed: How the US Navy is enabling software delivery from l...

Video Streaming: Then, Now, and in the Future

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

By Design, not by Accident - Agile Venture Bolzano 2024

PCI PIN Basics Webinar from the Controlcase Team

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

The Metaverse and AI: how can decision-makers harness the Metaverse for their...

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

DevOps and Testing slides at DASA Connect

UiPath Community Day Dubai: AI at Work..

Epistemic Interaction - tuning interfaces to provide information for AI support

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Quantum Computing: Current Landscape and the Future Role of APIs

Securing Docker Containers

1. Securing Docker Containers Randy Kilmon VP Engineering Black Duck Software

2. How Pervasive is Open Source? • > 98% of the applications tested used open source • On average, open source comprised over 30% of the code base Open Source Custom Code Composition of software tested across 1400 Black Duck customers Reference:Black Duck Softwareaudits

3. Building Trust & Confidence is Critical to Adoption of Docker Security is ranked as the #1 adoption challenge for containers • 60% of customers are concerned about container security and lack of certification/image provenance • 40% of available container images in contain High Priority Vulnerabilities • 4,000 new vulnerabilities in open source reported annually, e.g., Heartbleed, Shellshock, Venom, Ghost 3Black Duck Customer Conference

4. Areas of Concern Docker security issues fall into three main categories • Docker itself and the infrastructure it uses • The authenticity and provenance of the images themselves • The security profile of the content within the containers Docker runs 4Black Duck Customer Conference

5. Docker Infrastructure Docker Daemon / Docker Socket • Docker itself must run as root on the host system • attacks targeting the host system coming in through Docker would have root privs • Many Docker containers run with the –privileged flag set which extends privileges of the container allowing it to access all devices on the host system (BAD Idea). 5Black Duck Customer Conference

6. Responses Linux adaptations to counter the threat • Red Hat Atomic Host • SE linux (multi-tenancy) • “Locked down” system (read-only /usr) • Intended to change configurations only in /var & /etc • No yum package manager • VMware Photon and Lightwave • Photon is an optimized and secured Linux host designed for running containers at scale • Lightwave used for managing authorization and identity management 6Black Duck Customer Conference

7. Container Contents Containers can be vulnerable by virtue of the code that runs inside them • OSS components running inside containers represent potential attack vectors in the same way they can in traditional deployment models • Could cause problems for the application itself • Could cause more problems if the container is running with the – privileged flag set • Different OS flavors and versions, as well as different module versions • Based on any one of many Linux distributions • Patches must be managed carefully • Security, but also compatibility & supportability 7Black Duck Customer Conference

8. Responses Manage and monitor container content carefully • Dockerfile analysis is insufficient • .tar, .zip files could have anything inside them • Other layers are just referenced from other registries • Asking the package manager is insufficient • Not all modules are under package manager’s purview • Application layer code (.jar’s, e.g.) is never managed in this way • File inspection (scanning) is the only way to be sure about what’s there!! 8Black Duck Customer Conference

9. Microservices The more containers you spin up, the larger attack surface you expose • Speed is critical • Speed to detection of problems • Speed to remediation 9Black Duck Customer Conference

10. The Black Duck Solution Black Duck key differentiators • Platform-agnostic support in Hub for analyzing all content (whether inside containers or not) • Signature-based file identification • Automated identification • Able to show in which layer the component was introduced • Vulnerability reporting over time / alerting 10Black Duck Customer Conference

11. Key Integration Points Many options for workflow • Scan on any Docker host by accessing images through the Docker daemon • Scan on RH Atomic Host with file system level integration • Scan directly against a Docker registry • CI tools: Jenkins, Bamboo, etc. • OpenShift (currently in development)* 11Black Duck Customer Conference

12. Demo 12Black Duck Customer Conference

13. Q&A 13Black Duck Customer Conference Let’s talk about how you are using or plan to use Docker in your organizations

Securing Docker Containers

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Securing Docker Containers

Similar to Securing Docker Containers (20)

More from Black Duck by Synopsys

More from Black Duck by Synopsys (20)

Recently uploaded

Recently uploaded (20)

Securing Docker Containers