Join the conversation #devseccon
SECURING THE CONTAINER DEVOPS PIPELINE
By WILLIAM HENRY
WHY DO WE NEED THE TERM DEVSECOPS?
● DevOps “purists” point out that security was always part of DevOps.
● Did people just not read the book? Are practitioners skipping security?
● DevSecOps practitioners say it’s about how to better integrate or automate security.
○ Incorporating security at scale
○ Making security infrastructure more adaptive and programmable
○ Think of it as Continuous Security
WHY HAS DEVSECOPS BECOME SO IMPORTANT?
“... we estimate that fewer than 20% of enterprise security architects have engaged with their DevOps initiatives to actively and systematically incorporate information security into their DevOps initiatives; and fewer still have achieved the high degrees of security automation required to qualify as DevSecOps.”
“By 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages, up from less than 10% in 2016.”
DevSecOps: How to Seamlessly Integrate Security Into DevOps, Gartner Inc., September 2016
DEVELOPING AND DEPLOYING CODE TODAY
[Diagram: DevOps lifecycle alongside an API layer spanning SaaS/App, PaaS and IaaS; DevOps + API; cloud-based services; CI/CD]
Modern Architectures are API driven.
DEVOPS BASED CI/CD PROCESS
[Diagram: Project Repo, Asset Repo and 3rd Party inputs feeding Build → Test → Review/Approve → Deliver → Deploy → Monitor]
AUTOMATE ACROSS ENVIRONMENTS
[Diagram: CI/CD pipeline with a source repo and an artifact repository promoting images through Dev./Build, QA and Production environments, in OHC]
WHAT ARE CONTAINERS?
It depends on who you ask...
Infrastructure view:
● Sandboxed application processes on a shared Linux OS kernel
● Simpler, lighter, and denser than virtual machines
● Portable across different environments
Applications view:
● Package my application and all of its dependencies
● Deploy to any environment in seconds and enable CI/CD
● Easily access and share containerized components
SECURING CONTAINERS: LAYERS AND LIFECYCLE
1. Container Host & Multi-tenancy
2. Container Content
3. Container Registries
4. Building Containers
5. Deploying Containers
6. Container Platform
7. Network Isolation
8. Storage
9. API Management
10. Federated Clusters
CONTAINER HOST & MULTI-TENANCY
Minimized host environment tuned for running Linux containers while maintaining the built-in security features of Red Hat Enterprise Linux.
A stable, reliable host environment with built-in security features that allow you to isolate containers from other containers and from the kernel.
Kernel security features: SELinux, kernel namespaces, cgroups, seccomp
THE FOUNDATION FOR SECURE, SCALABLE CONTAINERS
CONTAINER CONTENT: WHAT IS INSIDE?
● What’s inside the containers matters.
● Are there known vulnerabilities in the application layer?
● Are the runtime and OS layers up to date?
[Diagram: container layers: OS, runtime, application]
REGISTRIES: WHERE DO YOUR CONTAINERS COME FROM?
● Policies to control who can deploy which containers
● Certification Catalog
● Trusted content with security updates
[Diagram: two hosts, each running a container built from OS, runtime and app layers on top of a host OS]
Public and private registries
● What security meta-data is available for your images?
● Are the images in the registry updated regularly?
● Are there access controls on the registry? How strong are they?
MANAGING CONTAINER BUILDS
Security & continuous integration
● Layered packaging model supports separation of concerns
● Integrate security testing into your build / CI process
● Use automated policies to flag builds with issues
● Trigger automated rebuilds
[Diagram: image layers owned by Operations, Architects and Application developers]
MANAGING CONTAINER DEPLOYMENT
[Diagram: Code → Build → Deploy]
Security & continuous deployment
● Monitor image registry to automatically replace affected images
● Use policies to gate what can be deployed: e.g. if a container requires root access, prevent deployment
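The root-access gate described on this slide, written out as an added example (not code from the talk or from any Red Hat product). It inspects the `securityContext` fields of a Kubernetes-style Pod spec, resolving container-level settings over pod-level ones and checking init containers too; the Pod specs are constructed samples.

```python
# Added example (not from the slides): an admission-style gate that refuses to deploy a
# Kubernetes-style Pod spec whose containers would run as root. Sample specs are constructed.
from typing import Any, Dict, List, Tuple


def root_violations(pod: Dict[str, Any]) -> List[str]:
    """Return reasons this pod would run something as root; an empty list means admit."""
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    reasons: List[str] = []
    # Init containers are checked too: they run first and can override pod-level settings.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        ctx = c.get("securityContext", {})
        # Container-level fields take precedence over the pod-level securityContext.
        run_as_user = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
        non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
        if ctx.get("privileged", False):
            reasons.append(f"{name}: privileged container")
        if run_as_user == 0:
            reasons.append(f"{name}: runAsUser is 0 (root)")
        elif run_as_user is None and non_root is not True:
            # Nothing pins the UID and the kubelet is not told to verify it, so the
            # image's default user (often root) would be used.
            reasons.append(f"{name}: no runAsUser and runAsNonRoot is not true")
    return reasons


def gate(pod: Dict[str, Any]) -> Tuple[bool, List[str]]:
    """Deployment gate: (admitted?, reasons). Reasons are empty when admitted."""
    reasons = root_violations(pod)
    return (not reasons, reasons)


# Constructed sample specs, trimmed to the fields the gate inspects.
OK_POD = {"metadata": {"name": "web-ok"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1001},
    "containers": [{"name": "web", "image": "registry.example/web:1.2"}]}}
ROOT_POD = {"metadata": {"name": "web-root"}, "spec": {
    "containers": [{"name": "web", "image": "registry.example/web:1.2",
                    "securityContext": {"runAsUser": 0}}]}}
UNPINNED_POD = {"metadata": {"name": "web-unpinned"}, "spec": {
    "containers": [{"name": "web", "image": "registry.example/web:1.2"}]}}
INIT_ROOT_POD = {"metadata": {"name": "web-init"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1001},
    "initContainers": [{"name": "fixperms", "image": "registry.example/busybox:1",
                        "securityContext": {"runAsUser": 0, "runAsNonRoot": False}}],
    "containers": [{"name": "web", "image": "registry.example/web:1.2"}]}}
```

Calling `gate(pod)` on each sample admits only `OK_POD`; the other three are rejected with the offending container named in the reason, which is the detail a CI/CD pipeline should surface to the developer.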
CONTAINER ORCHESTRATION
AUTHENTICATION & AUTHORISATION
Use a container orchestration platform with integrated security features including
● Role-based Access Controls with LDAP and OAuth integration
● Integrated Registry
● Integrated CI/CD with configurable policies
● Integrated host OS with embedded security features
● Network management
● Storage plug-ins
● API management
NETWORK DEFENCE
Use network namespaces to
● Isolate applications from other applications within a cluster
● Isolate environments (Dev / Test / Prod) from other environments within a cluster
SECURE ATTACHED STORAGE
Secure storage by using
● SELinux access controls
● Secure mounts
● Supplemental group IDs for shared storage
API MANAGEMENT
Container platform & application APIs
● Service based
● Public versus private
● Authentication and authorization
● LDAP integration
● End-point access controls
● Rate limiting
FEDERATED CLUSTERS ROLES & ACCESS CONTROLS
Securing federated clusters across data centers or environments
● Authentication and authorization
● API endpoints
● Secrets
● Namespaces
BRING IT ALL TOGETHER
[Diagram: the full stack, top to bottom: container workloads (Business Automation, Integration, Data & Storage, Web & Mobile); Application Lifecycle Management (CI/CD) with Build Automation and Deployment Automation; Service Catalog (Language Runtimes, Middleware, Databases) with Self-Service; Infrastructure Automation covering Networking, Storage, Registry, Logs & Metrics and Security; Container Orchestration & Cluster Management; Container Runtime & Packaging (OCI/Docker); Enterprise Container Host (Red Hat Enterprise Linux / Atomic Host); running on Physical, Virtual, Private cloud or Public cloud]
THANK YOU
@ipbabble
whenry@redhat.com