SlideShare a Scribd company logo

Can Containers be Secured in a PaaS?

Tom Kranz
Tom Kranz

Slidedeck from a talk I gave at Pivotal London - Cloud Native Apps Meetup: http://www.meetup.com/London-Pivotal-Cloud-Native-Apps-Meetup/events/224945388/

1 of 25
Download to read offline
© Copyright 2015 Pivotal. All rights reserved.
Can containers be secured
in a PaaS?
Tom Kranz
tkranz@pivotal.io
1
© Copyright 2015 Pivotal. All rights reserved.
Introductions: who am I?
UNIX sysadmin
Technical architect
Principal Field Engineer
Account Manager
Security person
Get in touch on LinkedIn or Twitter
2
© Copyright 2015 Pivotal. All rights reserved.
Can containers be secured in a PaaS?
Maybe ….
Not about features
Context is important
And implementation is key!
And always remember:
You will get hacked. Eventually.
3
© Copyright 2015 Pivotal. All rights reserved.
So what’s the context?
Who are our attackers?
Where are they attacking from?
What are they attacking?
What data is at risk?
This gives us a risk profile we can use to evaluate the security of
an *implementation*
Evaluating the security of a product in isolation - without context
- is bad, and leads to bad risk profiles and poor decisions
4
© Copyright 2015 Pivotal. All rights reserved.
Who are our attackers?
Opportunists?
Someone with a grudge?
Professionals?
Nation states?
5
© Copyright 2015 Pivotal. All rights reserved.
August 2015 cyber attack stats
6
Stats from http://www.hackmageddon.com/

Recommended

Can containers be secured in paas?
Can containers be secured in paas?Can containers be secured in paas?
Can containers be secured in paas?Sufyaan Kazi
 
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...Synopsys Software Integrity Group
 
Zero trust server management - lightning
Zero trust server management - lightningZero trust server management - lightning
Zero trust server management - lightningKevin Gilpin
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the CloudShift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the CloudBlack Duck by Synopsys
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Denim Group
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementBlack Duck by Synopsys
 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architectureOWASP
 

More Related Content

What's hot

Bio IT World 2015 - DevOps Security and Transparency
Bio IT World 2015 - DevOps Security and TransparencyBio IT World 2015 - DevOps Security and Transparency
Bio IT World 2015 - DevOps Security and TransparencyKevin Gilpin
 
Building A Self-Documenting Application: A Study in Chef and Compliance
Building A Self-Documenting Application: A Study in Chef and ComplianceBuilding A Self-Documenting Application: A Study in Chef and Compliance
Building A Self-Documenting Application: A Study in Chef and ComplianceKevin Gilpin
 
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access SystemsValerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systemscentralohioissa
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Black Duck by Synopsys
 
Secure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackSecure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackTim Mackey
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFixDenim Group
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?centralohioissa
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep DiveUlisses Albuquerque
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Denim Group
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesBlack Duck by Synopsys
 
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentSafe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentDevOps.com
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019]  AST Platform and the importance of multi-layered application secu...[OPD 2019]  AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...OWASP
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight:Container Tech, Data Centre Security & 2018's Biggest Se...Open Source Insight:Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...Black Duck by Synopsys
 
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Kevin Fealey
 

What's hot (20)

Bio IT World 2015 - DevOps Security and Transparency
Bio IT World 2015 - DevOps Security and TransparencyBio IT World 2015 - DevOps Security and Transparency
Bio IT World 2015 - DevOps Security and Transparency
 
Application Security Logging with Splunk using Java
Application Security Logging with Splunk using JavaApplication Security Logging with Splunk using Java
Application Security Logging with Splunk using Java
 
Building A Self-Documenting Application: A Study in Chef and Compliance
Building A Self-Documenting Application: A Study in Chef and ComplianceBuilding A Self-Documenting Application: A Study in Chef and Compliance
Building A Self-Documenting Application: A Study in Chef and Compliance
 
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access SystemsValerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open Source
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
 
Secure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackSecure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStack
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep Dive
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best Practices
 
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentSafe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019]  AST Platform and the importance of multi-layered application secu...[OPD 2019]  AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Flight East 2018 Presentation–Black Duck at Docusign
Flight East 2018 Presentation–Black Duck at DocusignFlight East 2018 Presentation–Black Duck at Docusign
Flight East 2018 Presentation–Black Duck at Docusign
 
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight:Container Tech, Data Centre Security & 2018's Biggest Se...Open Source Insight:Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
 
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
 
Fortify dev ops (002)
Fortify   dev ops (002)Fortify   dev ops (002)
Fortify dev ops (002)
 

Similar to Can Containers be Secured in a PaaS?

[2015-11월 정기 세미나] Cloud Native Platform - Pivotal
[2015-11월 정기 세미나] Cloud Native Platform - Pivotal[2015-11월 정기 세미나] Cloud Native Platform - Pivotal
[2015-11월 정기 세미나] Cloud Native Platform - PivotalOpenStack Korea Community
 
Using containerization to enable your microservice architecture
Using containerization to enable your microservice architecture Using containerization to enable your microservice architecture
Using containerization to enable your microservice architecture Apigee | Google Cloud
 
Accelerating the Software Delivery Pipelinewith Mirantis OpenStack
Accelerating the Software Delivery Pipelinewith Mirantis OpenStackAccelerating the Software Delivery Pipelinewith Mirantis OpenStack
Accelerating the Software Delivery Pipelinewith Mirantis OpenStackBob Sokol
 
Securing serverless system
Securing serverless systemSecuring serverless system
Securing serverless systemNUS-ISS
 
Securing Serverless Systems
Securing Serverless SystemsSecuring Serverless Systems
Securing Serverless SystemsVincent Lau
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsEric Vétillard
 
The New Possible: How Platform-as-a-Service Changes the Game
 The New Possible: How Platform-as-a-Service Changes the Game The New Possible: How Platform-as-a-Service Changes the Game
The New Possible: How Platform-as-a-Service Changes the GameInside Analysis
 
Going Beyond the Device Heart Beat
Going Beyond the Device Heart BeatGoing Beyond the Device Heart Beat
Going Beyond the Device Heart BeatBalwinder Kaur
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)Lancope, Inc.
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Pivotal cf for_devops_mkim_20141209
Pivotal cf for_devops_mkim_20141209Pivotal cf for_devops_mkim_20141209
Pivotal cf for_devops_mkim_20141209minseok kim
 
Cloud Native Application Framework
Cloud Native Application FrameworkCloud Native Application Framework
Cloud Native Application FrameworkVMware Tanzu
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present DangersPeter Wood
 
Pivotal Cloud Platform Roadshow Keynote
Pivotal Cloud Platform Roadshow KeynotePivotal Cloud Platform Roadshow Keynote
Pivotal Cloud Platform Roadshow Keynotecornelia davis
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)danb02
 
CA Unified Infrastructure Management for z Systems: Get a Holistic View of Yo...
CA Unified Infrastructure Management for z Systems: Get a Holistic View of Yo...CA Unified Infrastructure Management for z Systems: Get a Holistic View of Yo...
CA Unified Infrastructure Management for z Systems: Get a Holistic View of Yo...CA Technologies
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedUnifyCloud
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedNorm Barber
 
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...
IBM Security AppExchange Spotlight: Threat Intelligence &  Monitoring Microso...IBM Security AppExchange Spotlight: Threat Intelligence &  Monitoring Microso...
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...IBM Security
 

Similar to Can Containers be Secured in a PaaS? (20)

[2015-11월 정기 세미나] Cloud Native Platform - Pivotal
[2015-11월 정기 세미나] Cloud Native Platform - Pivotal[2015-11월 정기 세미나] Cloud Native Platform - Pivotal
[2015-11월 정기 세미나] Cloud Native Platform - Pivotal
 
Using containerization to enable your microservice architecture
Using containerization to enable your microservice architecture Using containerization to enable your microservice architecture
Using containerization to enable your microservice architecture
 
Accelerating the Software Delivery Pipelinewith Mirantis OpenStack
Accelerating the Software Delivery Pipelinewith Mirantis OpenStackAccelerating the Software Delivery Pipelinewith Mirantis OpenStack
Accelerating the Software Delivery Pipelinewith Mirantis OpenStack
 
Securing serverless system
Securing serverless systemSecuring serverless system
Securing serverless system
 
Securing Serverless Systems
Securing Serverless SystemsSecuring Serverless Systems
Securing Serverless Systems
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
 
The New Possible: How Platform-as-a-Service Changes the Game
 The New Possible: How Platform-as-a-Service Changes the Game The New Possible: How Platform-as-a-Service Changes the Game
The New Possible: How Platform-as-a-Service Changes the Game
 
Going Beyond the Device Heart Beat
Going Beyond the Device Heart BeatGoing Beyond the Device Heart Beat
Going Beyond the Device Heart Beat
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
Pivotal cf for_devops_mkim_20141209
Pivotal cf for_devops_mkim_20141209Pivotal cf for_devops_mkim_20141209
Pivotal cf for_devops_mkim_20141209
 
Cloud Native Application Framework
Cloud Native Application FrameworkCloud Native Application Framework
Cloud Native Application Framework
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 
Application Management in Openstack
Application Management in Openstack Application Management in Openstack
Application Management in Openstack
 
Pivotal Cloud Platform Roadshow Keynote
Pivotal Cloud Platform Roadshow KeynotePivotal Cloud Platform Roadshow Keynote
Pivotal Cloud Platform Roadshow Keynote
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
 
CA Unified Infrastructure Management for z Systems: Get a Holistic View of Yo...
CA Unified Infrastructure Management for z Systems: Get a Holistic View of Yo...CA Unified Infrastructure Management for z Systems: Get a Holistic View of Yo...
CA Unified Infrastructure Management for z Systems: Get a Holistic View of Yo...
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
 
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...
IBM Security AppExchange Spotlight: Threat Intelligence &  Monitoring Microso...IBM Security AppExchange Spotlight: Threat Intelligence &  Monitoring Microso...
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...
 

Recently uploaded

Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxMaarten Balliauw
 
Building Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish GuptaBuilding Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish GuptaISPMAIndia
 
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...UiPathCommunity
 
IT Nation Evolve event 2024 - Quarter 1
IT Nation Evolve event 2024  - Quarter 1IT Nation Evolve event 2024  - Quarter 1
IT Nation Evolve event 2024 - Quarter 1Inbay UK
 
Curtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdfCurtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdfDomotica daVinci
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxVotarikari Shravan
 
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Product School
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stackSummit
 
Bit N Build Poland
Bit N Build PolandBit N Build Poland
Bit N Build PolandGDSC PJATK
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys VasylievFwdays
 
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre..."Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...shaiyuvasv
 
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdfIntroducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdfSafe Software
 
The Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolThe Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolProduct School
 
"DevOps Practisting Platform on EKS with Karpenter autoscaling", Dmytro Kozhevin
"DevOps Practisting Platform on EKS with Karpenter autoscaling", Dmytro Kozhevin"DevOps Practisting Platform on EKS with Karpenter autoscaling", Dmytro Kozhevin
"DevOps Practisting Platform on EKS with Karpenter autoscaling", Dmytro KozhevinFwdays
 
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17Ana-Maria Mihalceanu
 
Campotel: Telecommunications Infra and Network Builder - Company Profile
Campotel: Telecommunications Infra and Network Builder - Company ProfileCampotel: Telecommunications Infra and Network Builder - Company Profile
Campotel: Telecommunications Infra and Network Builder - Company ProfileCampotelPhilippines
 
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...htrindia
 
Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...
Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...
Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...MarcovanHurne2
 
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...ISPMAIndia
 

Recently uploaded (20)

Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptx
 
Building Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish GuptaBuilding Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish Gupta
 
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
 
IT Nation Evolve event 2024 - Quarter 1
IT Nation Evolve event 2024  - Quarter 1IT Nation Evolve event 2024  - Quarter 1
IT Nation Evolve event 2024 - Quarter 1
 
Curtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdfCurtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdf
 
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
 
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stack
 
Bit N Build Poland
Bit N Build PolandBit N Build Poland
Bit N Build Poland
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev
 
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre..."Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
 
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdfIntroducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
 
The Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolThe Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product School
 
"DevOps Practisting Platform on EKS with Karpenter autoscaling", Dmytro Kozhevin
"DevOps Practisting Platform on EKS with Karpenter autoscaling", Dmytro Kozhevin"DevOps Practisting Platform on EKS with Karpenter autoscaling", Dmytro Kozhevin
"DevOps Practisting Platform on EKS with Karpenter autoscaling", Dmytro Kozhevin
 
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
 
Campotel: Telecommunications Infra and Network Builder - Company Profile
Campotel: Telecommunications Infra and Network Builder - Company ProfileCampotel: Telecommunications Infra and Network Builder - Company Profile
Campotel: Telecommunications Infra and Network Builder - Company Profile
 
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
 
Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...
Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...
Digital Transformation Strategy & Plan Templates - www.beyondthecloud.digital...
 
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
 

Can Containers be Secured in a PaaS?

  • 1. © Copyright 2015 Pivotal. All rights reserved. Can containers be secured in a PaaS? Tom Kranz tkranz@pivotal.io 1
  • 2. © Copyright 2015 Pivotal. All rights reserved. Introductions: who am I? UNIX sysadmin Technical architect Principal Field Engineer Account Manager Security person Get in touch on LinkedIn or Twitter 2
  • 3. © Copyright 2015 Pivotal. All rights reserved. Can containers be secured in a PaaS? Maybe …. Not about features Context is important And implementation is key! And always remember: You will get hacked. Eventually. 3
  • 4. © Copyright 2015 Pivotal. All rights reserved. So what’s the context? Who are our attackers? Where are they attacking from? What are they attacking? What data is at risk? This gives us a risk profile we can use to evaluate the security of an *implementation* Evaluating the security of a product in isolation - without context - is bad, and leads to bad risk profiles and poor decisions 4
  • 5. © Copyright 2015 Pivotal. All rights reserved. Who are our attackers? Opportunists? Someone with a grudge? Professionals? Nation states? 5
  • 6. © Copyright 2015 Pivotal. All rights reserved. August 2015 cyber attack stats 6 Stats from http://www.hackmageddon.com/
  • 7. © Copyright 2015 Pivotal. All rights reserved. Where are they attacking from? Internal or external? What are they attacking? Infrastructure? Applications? Physical location? All of the above? 7 SPARTA!
  • 8. © Copyright 2015 Pivotal. All rights reserved. What data is at risk? Can use answers to the above to work out what data is at risk and where it is This can form your risk profile This is what you can use to evaluate the security of an implemented solution Evaluate the implementation against the profile - not the product against a checklist! 8
  • 9. © Copyright 2015 Pivotal. All rights reserved. Pivotal Cloud Foundry Architecture recap Ops Manager UI Ops Manager Director Operations Manager Service Service Broker Service Nodes Service Broker Service Nodes Service App Log Aggregator Login Server Dynamic Router Cloud Controller UAA Health Manager DEA Pool Messaging (NATS) Apps Metrics Collection Apps HA Proxy LB Elastic Runtime Containers!
  • 10. © Copyright 2015 Pivotal. All rights reserved. Example: secure PCF implementation 10
  • 11. © Copyright 2015 Pivotal. All rights reserved. Why? Leverage existing, tried and tested security solutions where appropriate (isolation, firewalls) Rely on platform security where appropriate (containers, immutable infrastructure) Change in application delivery also drives a change in security mindset (application centric not server centric) 11
  • 12. © Copyright 2015 Pivotal. All rights reserved. Attack vectors - it’s the apps! 12 Stats from http://www.hackmageddon.com/
  • 13. © Copyright 2015 Pivotal. All rights reserved. Impact of attacks Attacker compromises app, gets access to core data Nothing to do with the platform, nothing we can do to stop this Mitigation: WAF, code audit to help write secure code Attacker compromises app, gets local container access If they break anything, BOSH destroys and re-deploys the container Can’t break out the container to root VM (the DEA) Can’t sniff network traffic Can’t pivot east/west to attack other internal PCF components 13
  • 14. © Copyright 2015 Pivotal. All rights reserved. Gentlemen, we can rebuild him. We have the technology. OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_To p_Ten_Project Make Jenkins do the work: https://wiki.jenkins- ci.org/display/JENKINS/OWASP+Dependency- Check+Plugin Also look at Web Application Attack and Audit Framework: http://w3af.org/ 14
  • 15. © Copyright 2015 Pivotal. All rights reserved. Containerception 15
  • 16. © Copyright 2015 Pivotal. All rights reserved. Current tech: Warden 16
  • 17. © Copyright 2015 Pivotal. All rights reserved. Future tech: Garden 17 More info at http://blog.pivotal.io/pivotal-cloud-foundry/features/cloud-foundry-container-technology-a-garden-overview
  • 18. © Copyright 2015 Pivotal. All rights reserved. Container security in PCF: the nitty gritty Containers provide isolation of resources – CPU, memory, file system, process space, network Containers have their own private network, not accessible from outside the DEA DEA App App App App DEA App App App App
  • 19. © Copyright 2015 Pivotal. All rights reserved. Container Isolation Routers forward requests from outside using the app’s route to the assigned port on the DEA, which does network translation to the container’s internal IP and port Apps are prevented from communicating directly with each other by container firewall rules; they must communicate through published routes DEA App App App App DEA App App App App Dynamic Router HA Proxy LB
  • 20. © Copyright 2015 Pivotal. All rights reserved. Warden/Garden networking in detail 20
  • 21. © Copyright 2015 Pivotal. All rights reserved. Container filesystems 21 Garden container with Buildpacks Garden container with Docker image
  • 22. © Copyright 2015 Pivotal. All rights reserved. Why a different container tech? ie. Why not Docker? Again, context is important: PCF treats containers as disposable ie We don’t care about them, and neither should you Therefore we don’t allow access to them Fundamental difference in design principles - we can lock them down much more tightly To see the implications: http://reventlov.com/advisories/using-the-docker- command-to-root-the-host 22
  • 23. © Copyright 2015 Pivotal. All rights reserved. To summarise - Key points Yes containers can be secured in a PaaS This can mitigate some attacks, doesn’t help with others Doesn’t mean your apps are secure Don’t rely on technology to solve security issues Build security into your apps from the start Profile the risk and mitigate what you can Remember not all risk can be mitigated Context is important! You will get hacked, response is key - whole other topic! 23
  • 24. © Copyright 2015 Pivotal. All rights reserved. THANK YOU! tkranz@pivotal.io https://www.linkedin.com/in/tomkranz @whoopsie 24
  • 25. © Copyright 2015 Pivotal. All rights reserved. 25