Contain your risk: Deploy secure containers with trust and confidence
Download as PPTX, PDF2 likes1,041 views
Presented on September 22, 2016 by Brent Baude, Principle Software Engineer, Atomic and Docker Development, Red Hat; Randy Kilmon, VP, Engineering, Black Duck Organizations are increasingly turning to container environments to meet the demand for faster, more agile software development. But a 2015 study conducted by Forrester Consulting on behalf of Red Hat revealed that 53% of IT operations and development decision makers at global enterprises reported container security concerns as a barrier to adoption. The challenges of managing security risk increase in scope and complexity when hundreds or even thousands of different open source software components and licenses are part of your application code base. Since 2014, more than 6,000 new open source security vulnerabilities have been reported, making it essential to have good visibility into and control over the open source in use in order to understand if any known vulnerabilities are present. In this webinar, experts from Red Hat and Black Duck will share the latest insights and recommendations for securing the open source in your containers, including protecting them from vulnerabilities like Heartbleed, Shellshock and Venom. You’ll learn: • Why container environments present new application security challenges, including those posed by ever-increasing open source use. • How to scan applications running in containers to identify open source in use and map known open source security vulnerabilities. • Best practices and methodologies for deploying secure containers with trust and confidence.
![Free Container Tools and Information
Free Docker Container Security Scanner
• https://info.blackducksoftware.com/Security-Scan.html
14 Day Free Trial to Black Duck Hub
• https://info.blackducksoftware.com/Hub-Free-Trial.html
Red Hat Atomic Host Integration (Requires Black Duck Hub)
1. atomic install blackducksoftware/atomic
2. atomic scan --scanner blackduck [container]
Red Hat Container Content
• https://www.redhat.com/en/insights/containers
• https://www.redhat.com/en/technologies/topic/containers](https://image.slidesharecdn.com/finalslides-160923134157/85/Contain-your-risk-Deploy-secure-containers-with-trust-and-confidence-34-320.jpg)
Ad
More Related Content
What's hot (20)
Viewers also liked (16)
![[Impact Lab] IT инструменты для проекта](https://cdn.slidesharecdn.com/ss_thumbnails/it-150904044847-lva1-app6892-thumbnail.jpg?width=560&fit=bounds)
Ad
Similar to Contain your risk: Deploy secure containers with trust and confidence (20)
Ad
More from Black Duck by Synopsys (20)
Recently uploaded (20)
Contain your risk: Deploy secure containers with trust and confidence
- 1. Contain your risk: Deploy secure containers with trust and confidence
- 2. Speakers Brent Baude Principal Software Engineer- Atomic and Docker Development, Red Hat Randy Kilmon VP, Engineering, Black Duck
- 3. Today’s Topics 1. Overview of Red Hat and Black Duck Container Security Partnership 2. State of Application Security and Open Source 3. Container Security Best Practices 3
- 4. Joint Value for Container Security Partnership • Greater adoption of Docker containers with trust and confidence • Move from test/dev to production workloads • High-value or security-sensitive applications • Address CISO & Security needs • Use existing and proven Black Duck-based risk management programs Value to Customers (Enterprises & ISVs) • Automate security of Linux containers in production with CI/CD integrations and trusted platform (OpenShift / Atomic Host) • Differentiate with integration of enterprise-grade Risk Assessment by Black Duck
- 5. Open Source Embraced By The Enterprise OPEN SOURCE • Needed functionality without acquisition costs • Faster time to market • Lower development costs • Broad support from communities CUSTOM CODE • Proprietary functionality • Core enterprise IP • Competitive differentiation OPEN SOURCE CUSTOM CODE Reference: Black Duck Software audits • On average, open source comprised over 30% of the code base • > 98% of the applications tested used open source
- 6. OPEN SOURCE CODE INTERNAL CODE OUTSOURCED CODE LEGACY CODE REUSED CODE SUPPLY CHAIN CODE THIRD PARTY CODE DELIVERED CODE Open Source Enters the Code Base in Many Ways
- 7. 4 Factors That Make Open Source Different 7 Easy access to code Exploits readily availableVulnerabilities are public Used Everywhere
- 8. Safe and Trusted Use of Containers Is Critical to Adoption Security is ranked as the #1 adoption challenge for containers 60% of customers are concerned about container security and lack of certification/image provenance 40% of general container images in contain High Priority Vulnerabilities 4,000 new vulnerabilities in open source reported annually, e.g., Heartbleed, Shellshock, Venom, Ghost 98% of companies are using open source software they don’t know about
- 10. Top 3 Container Security Concerns Security of Docker and its infrastructure Authenticity and provenance of the images Content within the containers Docker runs
- 11. Docker Infrastructure Docker Daemon / Docker Socket • Docker itself must run as root on the host system • Attacks targeting the host system coming in through Docker would have root privs • Many Docker containers run with the –privileged flag set which extends privileges of the container allowing it to access all devices on the host system (BAD Idea).
- 12. Linux Adaptations to Counter Infrastructure Threats Red Hat Atomic Host • SE Linux (multi-tenancy) • “Locked down” system (read-only /usr) • Intended to change configurations only in /var & /etc • No yum package manager VMware Photon and Lightwave • Photon is an optimized and secured Linux host designed for running containers at scale • Lightwave used for managing authorization and identity management
- 13. Container Content Vulnerabilities Containers can be at risk by virtue of the code that runs inside them • OSS components running inside containers represent potential attack vectors • Could cause problems for the application itself • Could cause more problems if the container is running with the –privileged flag set • Different open source flavors and versions, as well as different module versions
- 14. Ensuring Content Integrity Manage and monitor container content carefully… • Dockerfile analysis is insufficient .tar, .zip files could have anything inside them Other layers are just referenced from other registries • Asking the package manager is insufficient Not all modules are under package manager’s purview Application layer code (.jar’s, e.g.) is never managed in this way • File inspection (scanning) is the only way to be sure about what’s there!!
- 15. Container Security - Industry Efforts Docker Founder Solomon Hykes announced Nautilus project in opening day keynote speech of DockerCon EU in November. • Focused only on their 91 “official” (read: carefully/manually curated) images • Some static analysis Red Hat Container Certification Program • Tested, certified, signed, supported container images for Red Hat and partner offerings • Dockerfile inspection
- 16. Red Hat Container Certification UNTRUSTED ● Will what’s inside the containers compromise your infrastructure? ● How and when will apps and libraries be updated? ● Will it work from host to host? RED HAT CERTIFIED ● Trusted source for the host and the containers ● Trusted content inside the container with security fixes available as part of an enterprise lifecycle ● Portability across hosts ● Container Development Kit ● Certification as a service ● Certification catalog ● Red Hat Container Registry HOST OS CONTAINER OS RUNTIME APP HOST OS CONTAINER OS RUNTIME APP
- 17. Black Duck – Level 2 Container Security • Platform-agnostic support in Hub for analyzing all content (whether inside containers or not) • Docker host integration for scanning images • Signature-based file identification • Automated identification • Able to show in which layer the component was introduced • Vulnerability reporting over time / alerting
- 18. The Black Duck KnowledgeBase
- 19. Red Hat Atomic + Black Duck Hub Integration
- 20. Red Hat container scanning API Enabling multiple container scanners via a simple interface RED HAT CONTAINER SCANNING INTERFACE MORE SECURE CONTAINERS WITH PLUGGABLE SCANNING CAPABILITY
- 21. User-friendly wrapper for containers Significant function add focused on ease-of-use Scan sub-command • Scan sub-command is modular, allows for scan- based plugins. • Intended for ISVs or customized plug-ins Atomic CLI (https://github.com/projectatomic/atomic)
- 22. List shows which scanners are configured for the system • For RHEL, atomic is pre- configured with the openscap scanner Atomic Scan
- 23. Installing the Black Duck Scanner is Simple with Atomic Pulls the correct image from the registry Runs a configuration script
- 24. Use --scanner to choose the desired scanner Default scanner can be defined /etc/atomic.conf Black Duck Scanner - Installed
- 25. Scanning an Image Local Docker daemon shows 3 images. Lets scan one.
- 26. Scanning is Easy Simple test scanning the RHEL7 image from the Red Hat registry. At the end of the scan, you receive a URL to examine the report on the Black Duck web interface.
- 27. Scan one or more containers and/or images --containers, --images, --all --rootfs allows you to scan a mounted filesystem Think libguestfs mounts of your VM’s Additional Scan Options
- 28. • Scan code to identify OSS components in use • Understand risk factors (security, license, operational) • Identify licenses, versions, community activity • View known security vulnerabilities associated with OSS in use within your projects • Monitor for new vulnerabilities Identify OSS and Understand Risk
- 29. Review project vulnerabilities Assess, triage and prioritize Schedule and track planned and actual remediation dates Review Bill of Materials
- 30. Review project vulnerabilities Assess, triage and prioritize Schedule and track planned and actual remediation dates Triage & Remediate Vulnerabilities
- 31. Monitor for New Vulnerabilities
- 32. Cockpit – Browser Based Administration Tool http://cockpit-project.org/ Can manage containers New proposed features: Working to display vulnerable images|containers Allow users to scan from the web UI
- 33. Next Steps ... Identify critical container images Perform a free scan of those images Identify Hub integration points in your development process Transition to a minimal container host Implement policy to monitor for security risk
- 34. Free Container Tools and Information Free Docker Container Security Scanner • https://info.blackducksoftware.com/Security-Scan.html 14 Day Free Trial to Black Duck Hub • https://info.blackducksoftware.com/Hub-Free-Trial.html Red Hat Atomic Host Integration (Requires Black Duck Hub) 1. atomic install blackducksoftware/atomic 2. atomic scan --scanner blackduck [container] Red Hat Container Content • https://www.redhat.com/en/insights/containers • https://www.redhat.com/en/technologies/topic/containers