Secure the Container DevOps Pipeline with DevSecOps #devseccon
1. SECURING THE CONTAINER DEVOPS PIPELINE
By WILLIAM HENRY
Join the conversation #devseccon
2. WHY DO WE NEED THE TERM DEVSECOPS?
● DevOps “purists” point out that security was always part of DevOps.
● Did people just not read the book? Are practitioners skipping security?
● DevSecOps practitioners say it’s about how to better integrate or automate security.
  ○ Incorporating security at scale
  ○ Making security infrastructure more adaptive and programmable
  ○ Think of it as Continuous Security
3. WHY HAS DEVSECOPS BECOME SO IMPORTANT?
“... we estimate that fewer than 20% of enterprise security architects have engaged with their DevOps initiatives to actively and systematically incorporate information security into their DevOps initiatives; and fewer still have achieved the high degrees of security automation required to qualify as DevSecOps.”
“By 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages, up from less than 10% in 2016.”
DevSecOps: How to Seamlessly Integrate Security Into DevOps, Gartner Inc., September 2016
4. DEVELOPING AND DEPLOYING CODE TODAY
[Diagram: the DevOps lifecycle spanning the SaaS/App, PaaS and IaaS layers, connected through APIs]
Modern Architectures are API driven.
DEVOPS + API
Cloud Based Services
CI/CD
5. DEVOPS BASED CI/CD PROCESS
[Diagram: pipeline from Project Repo and Asset Repo through Build → Test → Review/Approve → Deliver → Deploy, with Monitor feeding back and 3rd Party inputs feeding in]
7. WHAT ARE CONTAINERS?
It depends on who you ask...
INFRASTRUCTURE
● Sandboxed application processes on a shared Linux OS kernel
● Simpler, lighter, and denser than virtual machines
● Portable across different environments
APPLICATIONS
● Package my application and all of its dependencies
● Deploy to any environment in seconds and enable CI/CD
● Easily access and share containerized components
9. CONTAINER HOST & MULTI-TENANCY
Minimized host environment tuned for running Linux containers while maintaining the built-in security features of Red Hat Enterprise Linux.
A stable, reliable host environment with built-in security features that allow you to isolate containers from other containers and from the kernel.
SELinux | Kernel namespaces | Cgroups | Seccomp
THE FOUNDATION FOR SECURE, SCALABLE CONTAINERS
10. CONTAINER CONTENT: WHAT IS INSIDE?
● What’s inside the containers matters.
● Are there known vulnerabilities in the application layer?
● Are the runtime and OS layers up to date?
[Diagram: container image layers, bottom to top: OS, Runtime, Application]
11. REGISTRIES: WHERE DO YOUR CONTAINERS COME FROM?
● Policies to control who can deploy which containers
● Certification Catalog
● Trusted content with security updates
[Diagram: two container hosts, each running containers built from OS, Runtime and App layers]
Public and private registries
● What security meta-data is available for your images?
● Are the images in the registry updated regularly?
● Are there access controls on the registry? How strong are they?
12. MANAGING CONTAINER BUILDS
Security & continuous integration
● Layered packaging model supports separation of concerns
● Integrate security testing into your build / CI process
● Use automated policies to flag builds with issues
● Trigger automated rebuilds
[Diagram: the layered packaging model, with layers owned by Operations, Architects and Application developers]
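The "automated policies to flag builds with issues" point above is easiest to see as a concrete build gate. The following is an added example, not code from the talk or from any Red Hat product: it takes an image scan report, fails the build when any layer (OS, runtime or application, as on slide 10) carries a finding at or above an agreed severity, and separates findings that a rebuild on patched base layers would clear from those that need a code or dependency change. The report layout, the registry hostname and the CVE identifiers are constructed placeholders, not output from a real scanner.

```python
"""Build-time policy gate over an image scan report (added example, not from
the talk). The report format and CVE identifiers below are constructed
placeholders, not real scanner output."""
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report: three layers matching the slides' OS / runtime /
# application model. "fixed_in" is the package version that resolves the
# finding, or None when no fixed version exists yet.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.internal/team/app:1.4.2",
    "layers": [
        {"layer": "os", "findings": [
            {"id": "CVE-0000-0001", "severity": "medium",
             "package": "libexample", "fixed_in": "1.2.3"}]},
        {"layer": "runtime", "findings": []},
        {"layer": "application", "findings": [
            {"id": "CVE-0000-0002", "severity": "high",
             "package": "somelib", "fixed_in": None},
            {"id": "CVE-0000-0003", "severity": "critical",
             "package": "otherlib", "fixed_in": "4.0.1"}]},
    ],
})


def evaluate_scan(report_json, fail_at="high", allowlist=()):
    """Return a verdict: passed flag, blocking findings, which of them a
    rebuild would resolve, and which need a code or dependency change.
    `allowlist` holds finding ids that carry an accepted, documented exception."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_at.lower()]
    blocking = []
    for layer in report["layers"]:
        for finding in layer["findings"]:
            rank = SEVERITY_RANK.get(finding["severity"].lower(), 0)
            if finding["id"] in allowlist or rank < threshold:
                continue
            blocking.append({"layer": layer["layer"], **finding})
    return {
        "image": report["image"],
        "passed": not blocking,
        "blocking": blocking,
        # A fixed version exists: an automated rebuild on updated layers clears it.
        "rebuild_resolves": [f for f in blocking if f["fixed_in"]],
        # No fix available: a rebuild alone will not help; flag for developers.
        "needs_code_change": [f for f in blocking if not f["fixed_in"]],
    }


if __name__ == "__main__":
    verdict = evaluate_scan(SAMPLE_REPORT)
    print("PASS" if verdict["passed"] else "FAIL", verdict["image"])
    for f in verdict["blocking"]:
        print(f"  {f['severity']:8} {f['id']} in {f['layer']} layer ({f['package']})")
```

The threshold and allowlist are the two knobs a pipeline owner would actually tune: the gate is strict by default, and an exception is recorded per finding id rather than by lowering the threshold for the whole build.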
13. MANAGING CONTAINER DEPLOYMENT
[Diagram: Code → Build → Deploy]
Security & continuous deployment
● Monitor image registry to automatically replace affected images
● Use policies to gate what can be deployed: e.g. if a container requires root access, prevent deployment
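The deployment-gate rule above ("if a container requires root access, prevent deployment") can be written as an admission-style check over the pod spec. The following is an added example, not code from the talk or from any orchestration platform: it evaluates the standard Kubernetes pod and container securityContext fields and rejects root, privileged containers, added capabilities, host namespaces and hostPath mounts. The two pod manifests are constructed sample input, and the registry hostname is a placeholder.

```python
"""Deployment gate over a Kubernetes pod spec (added example, not from the
talk). Both manifests below are constructed sample input."""

# Constructed: a pod that asks for root and host-level privileges.
ROOT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "legacy-agent"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "agent",
            "image": "registry.example.internal/team/agent:2.0",
            "securityContext": {"runAsUser": 0, "privileged": True,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "host-root", "mountPath": "/host"}],
        }],
    },
}

# Constructed: the same workload declared non-root with least privilege.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "agent"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "fsGroup": 10001},
        "containers": [{
            "name": "agent",
            "image": "registry.example.internal/team/agent:2.1",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]},
                                "readOnlyRootFilesystem": True},
        }],
    },
}


def check_pod(pod):
    """Return a list of policy violations; an empty list means deployable."""
    spec = pod.get("spec", {})
    violations = []
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns):
            violations.append(f"pod shares the host's {ns[4:].lower()} namespace ({ns})")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f"volume '{vol['name']}' mounts hostPath "
                              f"{vol['hostPath'].get('path')}")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        # runAsUser / runAsNonRoot may be set at pod level and overridden per
        # container; privileged and capabilities exist only at container level.
        sc = {**pod_sc, **c.get("securityContext", {})}
        name = c["name"]
        if sc.get("privileged"):
            violations.append(f"container '{name}' is privileged")
        if sc.get("runAsUser") == 0:
            violations.append(f"container '{name}' runs as UID 0")
        elif sc.get("runAsUser") is None and not sc.get("runAsNonRoot"):
            # Nothing declared: the image's default user decides, which may be root.
            violations.append(f"container '{name}' declares neither runAsNonRoot "
                              "nor a non-zero runAsUser")
        if sc.get("allowPrivilegeEscalation", True) and not sc.get("privileged"):
            violations.append(f"container '{name}' allows privilege escalation")
        added = sc.get("capabilities", {}).get("add", [])
        if added:
            violations.append(f"container '{name}' adds capabilities {added}")
    return violations


def admit(pod):
    """Admission-style verdict: (allowed, message)."""
    violations = check_pod(pod)
    return (False, "; ".join(violations)) if violations else (True, "ok")


if __name__ == "__main__":
    for pod in (ROOT_POD, HARDENED_POD):
        allowed, message = admit(pod)
        print(pod["metadata"]["name"], "ALLOW" if allowed else "DENY", message)
```

The check treats an undeclared user as a violation rather than assuming the image is non-root, which is the conservative reading of "requires root": a manifest that does not say otherwise gets whatever user the image was built with.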
14. CONTAINER ORCHESTRATION
AUTHENTICATION & AUTHORISATION
Use a container orchestration platform with integrated security features including
● Role-based Access Controls with LDAP and OAuth integration
● Integrated Registry
● Integrated CI/CD with configurable policies
● Integrated host OS with embedded security features
● Network management
● Storage plug-ins
● API management
15. NETWORK DEFENCE
Use network namespaces to
● Isolate applications from other applications within a cluster
● Isolate environments (Dev / Test / Prod) from other environments within a cluster
16. SECURE ATTACHED STORAGE
Secure storage by using
● SELinux access controls
● Secure mounts
● Supplemental group IDs for shared storage
17. API MANAGEMENT
Container platform & application APIs
● Service based
● Public versus private
● Authentication and authorization
● LDAP integration
● End-point access controls
● Rate limiting
18. FEDERATED CLUSTERS ROLES & ACCESS CONTROLS
Securing federated clusters across data centers or environments
● Authentication and authorization
● API endpoints
● Secrets
● Namespaces
19. BRING IT ALL TOGETHER
[Diagram: the platform stack, top to bottom]
Container applications: Business Automation, Integration, Data & Storage, Web & Mobile
Application Lifecycle Management (CI/CD): Build Automation, Deployment Automation
Service Catalog (Language Runtimes, Middleware, Databases): Self-Service
Infrastructure Automation: Networking, Storage, Registry, Logs & Metrics, Security
Container Orchestration & Cluster Management
Container Runtime & Packaging (OCI/Docker)
Enterprise Container Host: RH Enterprise Linux / Atomic Host
Physical, Virtual, Private cloud, Public cloud