©2017 Lacework, Inc. Confidential and Proprietary.
Securing your Containerized Workload from Development to Runtime!
Meetup:
DevSecOps - Secure your Containers
Oct 18th 2018
Agenda: Secure your Containers
✓ Intro./Activity
✓ Container vs. VM Instance
✓ Anatomy of a Container
✓ Container Attack Surfaces
✓ Container Best Practices
✓ Top Ten Questions
✓ Q & A
Feeling Secure
Trivia
Container: Why is it Important
Container: World Wide View
Container: Lightweight VM?
✓ The container runtime replaces the hypervisor
✓ Not in Kernel
✓ No Boot capability
✓ Control Groups & Resource Isolation
✓ Always in a Container albeit root’s
✓ Management APIs
Container: Runtime Engine
✓ LXC
✓ systemd-nspawn (chroot++)
✓ Docker Engine
✓ rkt, runC
✓ OpenVZ
✓ Jails/Zones
✓ They all use the same kernel
Security: Container Images
✓ Vulnerable software: the image contains everything but the Linux kernel: base, runtime and
application. Security is a shared responsibility between dev and ops, and owning that
responsibility is critical to bridging the gap between application dependencies and security
vulnerabilities.
✓ Image authenticity: container images are designed to be immutable. The best practice for
updating an image is to build a new one with the desired changes.
Security: Runtime Measures
✓ Kernel security: track Common Vulnerability Databases (CVDs). Kernel-based vulnerabilities are
typically hard to deal with because of the dependency on the vendor's update release cycle and
the application downtime a kernel update requires.
✓ Container runtime compromise: the container runtime is yet another application sanctioned to
run in the environment, and it is subject to the same kinds of threats and vulnerabilities.
✓ Container escape: a single kernel is shared among all the isolated processes and is the
gatekeeper for every kernel-level system call. Namespaces simplify this.
Security: Runtime Measures
✓ Data exfiltration: traditionally the security posture focuses on the physical perimeter of the
network. That perimeter is weakened by the adoption of microservices and the dynamic nature of
container orchestration.
✓ Resource abuse: container runtimes have built-in safeguards for the required resources such as
CPU, memory and block I/O. When deploying containers, consider using these guardrails in every
instance.
✓ Administration of shared secrets: the requirement is to consolidate secret operations
(creation, reading, revocation, rotation and auditing) under a common head as part of the
continuous security model.
Container: House of Cards
Container Benefits vs. Virtual Machine Benefits:
✓ Consistent Runtime Environment
✓ Application Isolation
✓ Run Anywhere
✓ Small Size on Disk
✓ Low Overhead
✓ Dependency
Container Attack Surface
Workloads & Hosts:
• OS
• Applications, containers
• Kubernetes API
• User access & files
• Application API
• Encryption
• Keys and Secrets
Attack surfaces:
• Static container scanning (services like hub, quay.io)
  • Image authenticity
  • Image content with vulnerabilities (CVEs)
  • Container startup capability
  • Container misconfiguration
• Host-based tools are limited
  • Traditional monitoring tools like osquery, OSSEC etc. don’t work
  • The Linux kernel is container-blind
  • Tools like auditd, AppArmor and SELinux don’t have the container context
• Container resource abuse
  • Putting hard limits on CPU and memory invites trouble because application profiles are not
  understood
• Container escape
  • A collision in UID inadvertently lets the process inside the container inherit the
  permissions of the user outside the container
• Keys and Secrets
• Data Exfiltration
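The list above, together with the image-authenticity and resource-abuse points on the earlier slides, names weaknesses without showing how to check for them. The following added example is not Lacework's code or part of the slide deck: it statically audits a Kubernetes Pod manifest for digest pinning, privileged startup, privilege escalation, retained capabilities, root UID handling, missing CPU/memory limits and host namespace sharing. The manifest, registry name, namespace and digest are constructed placeholders.

```python
"""Static audit of a Kubernetes Pod manifest for container-level weaknesses:
image authenticity, startup capabilities, misconfiguration, resource limits
and root/UID handling.

Added example, not Lacework's code. The manifest below is CONSTRUCTED; the
registry, namespace and digest are placeholders.
"""
import re

# Constructed sample Pod: "web" is deliberately misconfigured, "worker" is hardened.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-pod", "namespace": "example-ns"},
    "spec": {
        "hostPID": False,
        "containers": [
            {
                "name": "web",
                "image": "registry.example.invalid/web:latest",  # mutable tag
                "securityContext": {"privileged": True},
                "resources": {},
            },
            {
                "name": "worker",
                # placeholder digest: 64 zero hex digits, not a real image
                "image": "registry.example.invalid/worker@sha256:" + "0" * 64,
                "securityContext": {
                    "runAsNonRoot": True,
                    "runAsUser": 10001,
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"]},
                },
                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            },
        ],
    },
}

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def audit_container(container):
    """Return (container_name, finding_code) tuples for one container spec."""
    findings = []
    name = container.get("name", "<unnamed>")
    image = container.get("image", "")
    sc = container.get("securityContext") or {}
    limits = (container.get("resources") or {}).get("limits") or {}

    # Image authenticity: a tag can be re-pointed at different content; a digest cannot.
    if not DIGEST_RE.search(image):
        findings.append((name, "IMAGE_NOT_PINNED_BY_DIGEST"))
    # Startup capability: a privileged container starts with every kernel capability.
    if sc.get("privileged"):
        findings.append((name, "PRIVILEGED"))
    # allowPrivilegeEscalation defaults to true when unset.
    if sc.get("allowPrivilegeEscalation", True):
        findings.append((name, "PRIVILEGE_ESCALATION_ALLOWED"))
    if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
        findings.append((name, "CAPABILITIES_NOT_DROPPED"))
    # UID handling: without user-namespace remapping, uid 0 inside the container is
    # uid 0 on the host, which is the "collision in UID" concern on the slide.
    if not sc.get("runAsNonRoot") or sc.get("runAsUser") == 0:
        findings.append((name, "MAY_RUN_AS_ROOT"))
    # Resource abuse: no limit means one container can starve the node. The slide notes
    # limits need a real application profile, so the gap is flagged for review, not fixed.
    for resource in ("cpu", "memory"):
        if resource not in limits:
            findings.append((name, f"NO_{resource.upper()}_LIMIT"))
    return findings


def audit_pod(pod):
    """Audit pod-level host namespace sharing, then every container."""
    spec = pod.get("spec") or {}
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(("<pod>", f"{flag.upper()}_SHARED"))
    for container in spec.get("containers") or []:
        findings.extend(audit_container(container))
    return findings


if __name__ == "__main__":
    for name, code in audit_pod(SAMPLE_POD):
        print(f"{name}: {code}")
```

Run against the constructed manifest, the "web" container produces seven findings and the hardened "worker" container none; the same function can be pointed at manifests exported from a cluster (for example `kubectl get pod -o json`) once the JSON is loaded into a dict.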
Container Security (diagram)
Deployment model: Containers & Properties, Network Communication, Launch Patterns, Files
Solution: Discover
Process in a Container / Container in Host
What does this mean
✓ Host Security – this is still a shared component.
✓ Container Runtime Security – elasticity makes a rules-based approach infeasible.
✓ File Integrity and Vulnerability Analysis – tampering with configuration and log files is a
critical indicator of compromise, alongside known issues.
✓ Investigations – containers are short-lived, and any investigation becomes very difficult if
data is not collected and correlated in real time.
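As an added example of the file-integrity point above (not Lacework's product code), the following builds a baseline of file hashes, modes and sizes under a directory and reports what was added, removed or modified on a later pass. The directory contents and the changes it detects are constructed in a temporary directory so it runs offline.

```python
"""Minimal file-integrity baseline and comparison.

Added example, not Lacework's code. The directory tree and the changes below
are CONSTRUCTED in a temporary directory for demonstration.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream the file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> (sha256, permission bits, size) for every regular file under root."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Skip symlinks: hashing their target would hide a swapped link.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            snapshot[rel] = (sha256_of(full), st.st_mode & 0o777, st.st_size)
    return snapshot


def compare(old, new):
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a config edit, a truncated log and a new script appear."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("listen=127.0.0.1\n")
        with open(os.path.join(root, "access.log"), "w") as f:
            f.write("constructed log line 1\n")
        before = baseline(root)

        # Constructed changes that a FIM pass should surface.
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("listen=0.0.0.0\n")
        open(os.path.join(root, "access.log"), "w").close()  # log truncated to zero bytes
        with open(os.path.join(root, "dropped.sh"), "w") as f:
            f.write("#!/bin/sh\n")
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be written to storage outside the container (it is short-lived, as the investigations point notes) and compared on a schedule or on an inotify event; a truncated log shows up as a size and hash change even though the file still exists.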
Managing Risk: Know your Enemy
First Principles of Container Security
✓ Know contents of your container
✓ Dependencies - Application, Libraries, Configuration
✓ Principle of Least Access – Container-Container, Container-Host
✓ Principle of Isolation – Data Sharing, Client/Server
✓ Protection is key but detection is a must
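For "Know contents of your container" and its dependencies, an added example (not Lacework's code) that matches a package inventory, in the shape of `dpkg-query -W -f='${Package} ${Version}\n'` output, against an advisory list. The inventory, the advisories and their identifiers are constructed placeholders (not real CVE numbers), and the version comparison is a numeric simplification rather than full Debian/RPM version ordering.

```python
"""Match a container's package inventory against a vulnerability feed.

Added example, not Lacework's code. Both the inventory and the advisory list are
CONSTRUCTED for this demonstration; the advisory identifiers are placeholders,
not real CVE numbers. Version comparison uses numeric components only and does
not implement full Debian/RPM version semantics (epochs, letter suffixes, ~).
"""
import re

# Constructed inventory in the shape of `dpkg-query -W -f='${Package} ${Version}\n'` output.
INVENTORY_TEXT = """\
openssl 1.1.0g-2
libc6 2.27-3
curl 7.58.0-2
zlib1g 1.2.11-1
"""

# Constructed advisories: a package is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "package": "openssl", "introduced": "1.1.0", "fixed": "1.1.1"},
    {"id": "ADV-PLACEHOLDER-0002", "package": "curl", "introduced": "7.0.0", "fixed": "7.60.0"},
    {"id": "ADV-PLACEHOLDER-0003", "package": "zlib1g", "introduced": "1.0.0", "fixed": "1.2.11"},
]


def parse_version(version):
    """Turn '1.1.0g-2' into (1, 1, 0, 2): the leading digits of each dot/dash-separated part."""
    numbers = []
    for part in re.split(r"[.\-+~]", version):
        m = re.match(r"\d+", part)
        if m:
            numbers.append(int(m.group()))
    return tuple(numbers)


def parse_inventory(text):
    """Parse 'name version' lines into a dict, skipping blanks and comments."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split(None, 1)
        inventory[name] = version.strip()
    return inventory


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def match_advisories(inventory, advisories):
    """Return (package, installed_version, advisory_id) for each affected package."""
    hits = []
    for name, version in inventory.items():
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                hits.append((name, version, adv["id"]))
    return hits


if __name__ == "__main__":
    for pkg, ver, adv_id in match_advisories(parse_inventory(INVENTORY_TEXT), ADVISORIES):
        print(f"{pkg} {ver} affected by {adv_id}")
```

Note the boundary case: zlib1g 1.2.11-1 is not reported, because the Debian revision suffix makes it compare greater than or equal to the fixed version 1.2.11; distribution backports that fix a flaw without bumping the upstream version are exactly what this simplified comparison cannot see, which is why production scanners consume distro-specific feeds.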
Complete Container Security Solution
Security: House of Cards
Datacenter Trends | Security Challenges
Containers, encryption, elastic workloads, transient IPs | Network is blind
Logs stale, expensive and sampled | Low-precision alerts and long MTTD
No visibility for east-west and application-level north-south traffic | Insider threats
Dev/Ops responsible for security | Lack of security skills
Scale and velocity | Difficult investigations
Lacework Container End-to-End Security
Container Security
✓ Automated 24x7 monitoring
✓ Host IDS for security & compliance
✓ Behavior - Process, User, Network
✓ File Integrity Monitoring (FIM)
✓ Visibility & Investigations
✓ End-to-end visibility at all layers
✓ Orchestrator APIs
Top 10 Questions
✓ How do I assess container risk?
✓ The application has been hardened by static analysis for years. Do I need to address
anything?
✓ The development team is all about speed, with a release to production each week. How does
security fit in the frame?
✓ My provider offers Containers-as-a-Service (PaaS). Do I need additional container security
tools?
✓ Containers hold more than just code: keys, certificates, passwords and other sensitive
information. Is there a way to protect them?
✓ Orchestrators like Kubernetes have a lot of security built in: network isolation, IAM, secrets
management, proxy services and so on. Why focus on the containers?
What does it mean? (diagram)
What the infrastructure provider does for you vs. what you have to do yourself: the application
to secure.
About: Rakesh Sachdeva
✓ Lacework Founded in 2014
✓ Founding Engineer at Lacework
✓ Passionate about Security
✓ Thought Leader in Infrastructure development
✓ @raksac
✓ rakesh-sachdeva-raksac
Questions and Answers?

Your startup on AWS - How to architect and maintain a Lean and Mean account J...Your startup on AWS - How to architect and maintain a Lean and Mean account J...
Your startup on AWS - How to architect and maintain a Lean and Mean account J...
angelo60207
 
How Advanced Environmental Detection Is Revolutionizing Oil & Gas Safety.pdf
How Advanced Environmental Detection Is Revolutionizing Oil & Gas Safety.pdfHow Advanced Environmental Detection Is Revolutionizing Oil & Gas Safety.pdf
How Advanced Environmental Detection Is Revolutionizing Oil & Gas Safety.pdf
Rejig Digital
 
Cybersecurity Fundamentals: Apprentice - Palo Alto Certificate
Cybersecurity Fundamentals: Apprentice - Palo Alto CertificateCybersecurity Fundamentals: Apprentice - Palo Alto Certificate
Cybersecurity Fundamentals: Apprentice - Palo Alto Certificate
VICTOR MAESTRE RAMIREZ
 
Ad

DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Container security oct2018

  • 12. Security: Runtime Measures
    ✓ Kernel security: Common Vulnerability Databases (CVDs). Kernel-based vulnerabilities are typically difficult to deal with because of the inherent dependency on the vendor's update release cycle and the associated application downtime.
    ✓ Container runtime compromise: The container runtime is yet another application sanctioned to run in the environment and is subject to similar types of threats and vulnerabilities.
    ✓ Container escape: A single kernel is shared among all the isolated processes and is the gatekeeper for all kernel-level system calls. Namespaces simplify this.
  • 13. Security: Runtime Measures
    ✓ Data exfiltration: Traditionally the security posture focuses on the physical perimeter of the network. This is weakened by the adoption of microservices and the dynamic scheduling that comes with container orchestration.
    ✓ Resource abuse: Container runtimes have built-in safeguards for the required resources such as CPU, memory and block IO. When deploying containers, one must consider using these guardrails in all instances.
    ✓ Administration of shared secrets: The requirement is to consolidate secret operations (creation, reading, revocation, rotation and auditing) under a common head as part of the continuous security model.
  • 14. Container: House of Cards (diagram; column headings: Container Benefits, Virtual Machine Benefits; labels: Consistent Runtime Environment, Application Isolation, Run Anywhere, Small Size on Disk, Low Overhead, Dependency)
  • 15. Container Attack Surface
    Workloads & Hosts: OS; Applications, containers; Kubernetes API; User access & files; Application API; Encryption; Keys and Secrets
    • Static container scanning (services like hub, quay.io)
    • Image authenticity
    • Image content with vulnerabilities (CVEs)
    • Container startup capability
    • Container misconfiguration
    • Host based tools are limited
    • Traditional monitoring tools like osquery, OSSEC etc. don't work
    • Linux Kernel is container blind
    • Tools like auditd, AppArmor, SELinux don't have the context
    • Container Resource Abuse
    • Putting hard limits on CPU and Memory is inviting trouble because app profiles are not understood
    • Container Escape
    • A collision in UID inadvertently grants the process inside the container the permissions of the user outside the container
    • Keys and Secrets
    • Data Exfiltration
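As an added example (not code from the deck or from Lacework), the script below checks the settings behind the resource-abuse item on slide 13 and the misconfiguration, startup-capability and UID-collision items on slide 15, reading the subset of `docker inspect` output that carries them. The inspect JSON is constructed, and the set of risky capabilities, along with the names `audit_container`, `audit_inspect_json` and `RISKY_CAPS`, are this example's own assumptions.

```python
"""Audit container launch settings for the attack-surface items on slides 13 and 15.
Added example, not from the Lacework deck: it reads the subset of `docker inspect`
output relevant here; the sample JSON is constructed, not captured from a host."""
import json

# Constructed sample: one container launched with defaults, one hardened.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web-default",
     "Config": {"User": ""},  # empty User => process runs as UID 0
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"],
                    "Memory": 0, "NanoCpus": 0, "PidsLimit": None}},
    {"Name": "/web-hardened",
     "Config": {"User": "10001:10001"},
     "HostConfig": {"Privileged": False, "CapAdd": None,
                    "Memory": 268435456, "NanoCpus": 500000000, "PidsLimit": 256}},
])

# Capabilities that reach outside the container's namespaces (assumed list);
# adding them widens the "container startup capability" surface from slide 15.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_container(entry: dict) -> list[str]:
    """Return findings for one `docker inspect` record."""
    findings = []
    cfg, host = entry.get("Config", {}), entry.get("HostConfig", {})
    # Slide 15, UID collision: an unset or root User means in-container UID 0
    # is host UID 0 unless the daemon remaps user namespaces.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root (UID 0); set a non-zero USER")
    # Slide 15, container startup capability.
    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices granted")
    for cap in host.get("CapAdd") or []:
        if cap.removeprefix("CAP_") in RISKY_CAPS:
            findings.append(f"adds capability {cap}")
    # Slide 13, resource abuse: 0 or null means unlimited for these fields.
    if not host.get("Memory"):
        findings.append("no memory limit (HostConfig.Memory == 0)")
    if not host.get("NanoCpus"):
        findings.append("no CPU limit (HostConfig.NanoCpus == 0)")
    if not host.get("PidsLimit"):
        findings.append("no pids limit; runaway process creation can exhaust the host")
    return findings


def audit_inspect_json(raw: str) -> dict[str, list[str]]:
    """Map container name -> findings for a `docker inspect` JSON array."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in json.loads(raw)}
```

On a real host, feed it the output of `docker inspect <container>`; the hardened record yields no findings, the default one yields five.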
  • 16. Container Security (diagram labels; Deployment Model: Containers & Properties, Network Communication, Launch Patterns; Solution: Files, Discover, Process in a Container, Container in Host)
  • 17. What does this mean
    ✓ Host Security – This is still a shared component.
    ✓ Container Runtime Security – Elasticity makes a rules-based approach infeasible.
    ✓ File Integrity and Vulnerability Analysis – Tampering with configuration and log files is a critical indicator of compromise, alongside known issues.
    ✓ Investigations – Containers are short-lived, and any investigation becomes very difficult if data is not collected and correlated in real time.
  • 18. Managing Risk: Know your Enemy. First Principles of Container Security
    ✓ Know the contents of your container
    ✓ Dependencies - Application, Libraries, Configuration
    ✓ Principle of Least Access – Container-Container, Container-Host
    ✓ Principle of Isolation – Data Sharing, Client/Server
    ✓ Protection is key but detection is a must
  • 19. Complete Container Security Solution
  • 20. Security: House of Cards (two-column slide; column headings: Datacenter Trends, Security Challenges; items in reading order: Containers, Encryption, Elastic workloads, transient IPs; Network is blind; Logs stale, expensive and sampled; Low precision alerts and long MTTD; No visibility for east-west and application-level north-south; Insider Threats; Dev/Ops responsible for security; Lack of Security Skills; Scale and velocity; Difficult Investigations)
  • 21. Lacework Container End-End Security
  • 22. Lacework Container End-End Security
    Container Security
    ✓ Automated 24x7 monitoring
    ✓ Host IDS for security & compliance
    ✓ Behavior - Process, User, Network
    ✓ File Integrity Monitoring (FIM)
    ✓ Visibility & Investigations
    ✓ End-to-end visibility at all layers
    ✓ Orchestrator APIs
  • 23. Top 10 Questions
    ✓ How do I assess container risk?
    ✓ Applications have been hardened by static analysis for years. Do I need to address anything else?
    ✓ The development team is all about speed, with a release to production each week. How does security fit in the frame?
    ✓ My provider offers Containers-as-a-Service (PaaS). Do I need additional container security tools?
    ✓ Containers hold more than just code - keys, certificates, passwords and other sensitive information. Is there a way to protect them?
    ✓ Orchestrators like Kubernetes have a lot of security built in: network isolation, IAM, secrets management, proxy services and so on. Why focus on the containers?
  • 24. What does it mean? (diagram labels: What the Infrastructure Provider does for you; What you have to do yourself; Application to Secure)
  • 25. About: Rakesh Sachdeva
    ✓ Lacework founded in 2014
    ✓ Founding Engineer at Lacework
    ✓ Passionate about Security
    ✓ Thought Leader in Infrastructure development
    ✓ @raksac
    ✓ rakesh-sachdeva-raksac
  • 26. Questions and Answers?