SlideShare a Scribd company logo

Finding Your Way in Container Security

K
Ksenia Peguero

This document provides an overview of container security best practices. It discusses challenges in securing components of the container infrastructure like images, registries, runtimes and orchestrators. It outlines common container threats like privilege escalation attacks and misconfigured containers. The document recommends mitigations like using vetted base images, access controls, network segmentation and updating components. It also references resources like the OWASP Docker Top 10, NIST container security guide and CIS Docker benchmark that provide guidelines for container hardening. In summary, the key is to monitor components, limit access, use segmentation and follow security standards to protect the container environment.

1 of 28
Downloaded 15 times
Ksenia Peguero September 19, 2023 Finding You Way in Container Security
© 2023 Synopsys, Inc. 2 Synopsys Confidential Information whoami • Current: Sr. Manager of Softwre Engineering at Synopsys Software Integrity Group • Prior: Principal Consultant at Cigital/Synopsys • PhD in Computer Science • Mother • Ballroom dancing & diving • @KseniaDmitrieva
© 2023 Synopsys, Inc. 3 Synopsys Confidential Information Agenda • Introduction to container technologies • Challenges for DevSecOps engineers • Common container threats and real-world attacks • How to secure components of container infrastructure • Standards and resources for container security • Best practices to secure containers
© 2023 Synopsys, Inc. 4 Synopsys Confidential Information What is a container? • Containerization is not new. The first ones appeared in 1999 as FreeBSD Jails • Modern containers took off in 2013 (Docker) Containers are executable units of software in which application code is packaged, along with its libraries and dependencies, in common ways so that it can be run anywhere, whether it be on desktop, traditional IT, or the cloud. (IBM) • Containers use operating system virtualization – Using namespaces and cgroups to isolate processes, CPU, memory, disk
© 2023 Synopsys, Inc. 5 Synopsys Confidential Information Containers vs Virtual Machines Hypervisor Hardware • Isolation of machines • Hardware virtualization Host OS Kernel Hardware • Process isolation • Operating system virtualization > Application virtualization C 1 C 2 C 3 C 4 Containers Virtual Machines VM1 OS VM2 OS VM3 OS VM4 OS
© 2023 Synopsys, Inc. 6 Synopsys Confidential Information Components of container infrastructure Container image image creation Image registry image storage and retrieval Orchestrator automating deployment, management, scaling, security management Container runtime >_ loading container images, spinning up containers, managing network, local resources Host OS running the container runtime
© 2023 Synopsys, Inc. 7 © 2019 Synopsys, Inc. 7 Synopsys Confidential Information Main benefits: • Lightweight • Portable and platform independent • Support modern development and architecture • Improve utilization of CPU and memory According to the IBM report, “containers are delivering real-world business benefits”: • Improved application quality • Faster time to market • Improved employee productivity • Higher customer satisfaction • Reduced application downtime https://www.ibm.com/downloads/cas/VG8KRPRM Benefits of using containers This Photo by Unknown Author is licensed under CC BY
© 2023 Synopsys, Inc. 8 Synopsys Confidential Information https://www.ibm.com/downloads/cas/VG8KRPRM Challenges of using containers (in 2020) Talent and knowledge Insufficient internal expertise Complexity of learning containerization strategies and technologies Challenges in redesigning existing on-premises enterprise application for containers Costs Uncertainty regarding the time and costs involved in container projects No clear way to assess ROI or track benefits concretely Difficulty predicting container performance, undermining confidence in meeting SLAs Management Difficulty cataloging, curating and managing containers as they proliferate across our environment Difficulty managing, sharing and securing data across containers Tooling Immaturity of internal, homegrown tools for container development and management Lack of enterprise-grade security capabilities
© 2023 Synopsys, Inc. 9 Synopsys Confidential Information Examples of Container Vulnerabilities • CVE-2014-9357 • CVE-2019-5021 • CVE-2019-15752 • CVE-2019-11246 Container image Image registry Orchestrator Container runtime >_ Host OS
© 2023 Synopsys, Inc. 10 Synopsys Confidential Information • Docker 1.3.2 – Used chroot sandboxing to extract archives – Victim calls docker pull to automatically unpack a malicious image or build • Attacker includes malicious xz binaries in the image or build • Victim creates a container using the malicious image or build • Privilege escalation => Attacker runs as root on the host OS • CVE severity – Critical • Vulnerability was fixed in Docker 1.3.3 CVE-2014-9357 Arbitrary code execution with root privileges
© 2023 Synopsys, Inc. 11 Synopsys Confidential Information Blank root password • Affects containers built with the Alpine Linux Docker image versions 3, 4, 5. • System credentials are typically stored in etc/shadow • Authentication mechanisms can be customized with different packages – Alpine Linux + shadow/PAM packages • Empty password for root user • Attacker hacks into container => easily switches to root • CVE Severity - Critical CVE-2019-5021 Root users on Alpine Linux containers have blank passwords.
© 2023 Synopsys, Inc. 12 Synopsys Confidential Information Trojan horse • Not the virus trojan horse • Docker Desktop Community Edition versions prior to 2.1.0.1 • Docker startup or authenticate invokes docker-credential-wincred.exe • Access controls of containing folder %PROGRAMDATA%DockerDesktopversi on-bin • Exploit: Replace the executable, keep the name • When Docker starts, the executable runs with user’s privilege (what if it was admin?) • CVE Severity - High CVE-2019-15752 Docker folder uses the default windows access control.
© 2023 Synopsys, Inc. 13 Synopsys Confidential Information • Affects Kubernetes versions older than 1.12.9, 1.13.6, and 1.14.2 • Command kubectl cp – copy files between host and containers – Packs into archive using tar – Transfers over network – Unpacks on the host • Compromised tar binary on the container => access to the host file system: – Adding malicious files – Overwriting existing files • CVE Severity - High CVE-2019-11246 Kubernetes File Manipulation
© 2023 Synopsys, Inc. 14 Synopsys Confidential Information Securing Containers: Risks and Mitigations • Container image • Image registry • Container runtime • Host OS • Orchestrator Container image Image registry Orchestrator Container runtime >_ Host OS
© 2023 Synopsys, Inc. 15 Synopsys Confidential Information Securing container images Mitigations • Use a minimalistic base OS, like Alpine Linux and Windows Nano Server • Keep the software in container images up-to-date • Periodically scan the containers for: – Known vulnerabilities / CVEs in the container layers – Misconfigurations of containers (Containerfiles/Dockerfiles) with a scanner (port misconfigurations, protocols, certificates, running as non- privileged users, etc.) – Malware – Hard-coded secrets • An organization should have a set of vetted images that are used across all teams • Maintain application security requirements for the code deployed on the container: – Maintain the frameworks/libraries/components up-to-date – Scan the internally-developed applications • Base OS functionality and components • Components missing critical security updates (component become outdated over time) • Configuration defects • Embedded malware • Leaking clear text secrets Risks
© 2023 Synopsys, Inc. 16 Synopsys Confidential Information Securing image registries Mitigations • Use private registry • Use secure connections to the registry • Harden the registry host • Use authentication and access control – E.g. developers can only write to the specific repository • Regularly monitor • Prune stale images • Only publish trusted images (that passed security requirements) • Ensure that only containers from your private registry can be used within the organization • Insecure connection • Leaking IP from the registry • Stale images Risks
© 2023 Synopsys, Inc. 17 Synopsys Confidential Information Securing container runtime Mitigations • Monitor container runtime for vulnerabilities (CVEs) and update it often • Control egress network traffic sent by containers – Traffic in the virtual network is encrypted. Therefore, traditional network controls (firewalls) may not work. – Dynamic IP assigned automatically. Therefore, IP- based controls won’t work. – Use app-aware tools • Use mandatory access control (MAC) technologies (file system, processes, network sockets, etc.) • CIS Benchmark for Docker • Use OS kernel level controls • Network risks between containers in the same runtime • Runtime misconfigurations: • Containers running in privileged mode • Containers mounting volumes in sensitive directories on the host OS Risks
© 2023 Synopsys, Inc. 18 Synopsys Confidential Information Securing host OS Mitigations • Use slim OS with kernel protections (e.g. SELinux) • Keep the OS up-to-date, monitor for vulnerabilities • Limit logins to the host OS, audit authentication • Monitoring for any unexpected behavior on the host (network, file system, processes, etc.) • Running “busted” containers • Malicious containers • Rogue containers • Containers with vulnerable layers • Containers with application security defects • Large attack surface • Shared kernel • Host OS components • Shared file system (mounting volumes) • Additional users of the OS Risks
© 2023 Synopsys, Inc. 19 Synopsys Confidential Information Host OS Can we forget about application security? Scenario: vulnerable application in a container Secure/vetted Container Container Marketing web app Public Internet DB Engine SQL injection Payload: SQLi to RCE Container Container Container Mitigations: • Limit egress: to an internal subnet or (better) application protocols • No internet access • Only needed internal network access • Restrict DB user: deny running OS commands Service managing bounties for Bug Bounty program RCE: network scan
© 2023 Synopsys, Inc. 20 Synopsys Confidential Information Securing orchestration platforms Risks • Unnecessary administrative access • Unauthorized access (to containers and data storage volumes) • Compliance risk – encrypting data at rest • Network risks – traffic from different applications sharing the same virtual network • Orchestrator node trust Mitigations • Limit the number of privileged users • Access control linked to the company user directory • Encrypting data storage volumes • Segmentation, segmentation, segmentation: – Virtual networks by sensitivity level (if by app is not possible) – Host “pinning” by sensitivity levels (individually managed clusters) Aerial view of the Forbidden City, Beijing (© Google Earth 2021) Defense in depth
© 2023 Synopsys, Inc. 21 Synopsys Confidential Information Container Security Resources
© 2023 Synopsys, Inc. 22 Synopsys Confidential Information OWASP Docker Top 10 Draft in progress. Not a list of top 10 vulnerabilities or risks, but a list of top 10 controls. Document: https://github.com/OWASP/Docker- Security/blob/main/dist/owasp-docker- security.pdf • Use it as guidance during the design phase, for auditing an existing environment, or procuring a new one • Focuses on Docker, but could be applied to containers in general • Orchestrator security risks are out of scope for this list, but container networking is in scope D01 - Secure User Mapping D02 - Patch Management Strategy D03 - Network Segmentation and Firewalling D04 - Secure Defaults and Hardening D05 - Maintain Security Contexts D06 - Protect Secrets D07 - Resource Protection D08 - Container Image Integrity and Origin D09 - Follow Immutable Paradigm D10 - Logging https://owasp.org/www-project-docker-top-10/
© 2023 Synopsys, Inc. 23 Synopsys Confidential Information OWASP Container Security Verification Standard (CSVS) • The structure is based on the OWASP Application Security Verification Standard (ASVS) • Has overlap with Docker Top 10, but covers broader categories: – V1: Organizational (processes & people) – V2: Infrastructure – V3: Containers (Docker Top 10) – V4: Orchestration Management – V5: Image Distribution – V6: Secrets and Keys – V7: Network – V8: Storage – V9: Logging & Monitoring – V10: Integration – V11: Disaster Recovery – V12: Testing • This is a shorter standard, compared to CIS Benchmarks and NIST Application Container Security Guide https://owasp.org/www-project-container-security-verification-standard/migrated_content • Provides 3 security verification levels 1. For all containers 2. Containers with sensitive data or business logic 3. Critical containers (high value transactions, PII, medical data)
© 2023 Synopsys, Inc. 24 Synopsys Confidential Information NIST Special Publication 800-190 Application Container Security Guide https://doi.org/10.6028/NIST.SP.800-190 • Overview of Container Technology • Explains basic concepts of container and orchestrations • Discusses risks to the core components of container technologies • Contains a section on countermeasures for the listed risks • Provides threat scenario examples and considerations for the container technology life cycle NIST Application Container Security Guide Container Technology Architecture and Lifecycle Phases NIST SP 800-190
© 2023 Synopsys, Inc. 25 Synopsys Confidential Information Center for Internet Security (CIS) developed "more than 100 configuration guidelines across 25+ vendor product families to safeguard systems against today’s evolving cyber threats." • CIS Benchmarks include hardening guidelines for manual and automated steps CIS Docker Benchmark provides detailed guidelines in the following categories: • Host • Docker daemon and its config files • Container images and build files • Container runtime • Docker security operations • Docker Swarm CIS Docker Benchmark https://www.cisecurity.org/benchmark/docker
© 2023 Synopsys, Inc. 26 Synopsys Confidential Information • Harden all the systems • Use segmentation at all levels (clusters, hosts, networks) • Monitor all the components • Use vetted base images • Generate a Software Bill of Materials (SBOM) for every container image – Gotchas – only if the installer is used and not a custom script • Use an ASOC tool (Application Security Orchestration and Correlation) – Collects data from various AppSec sources – Consolidates and correlates the findings, prioritizing remediation efforts Best Practices of Securing Containers
© 2023 Synopsys, Inc. 27 Synopsys Confidential Information Ksenia Peguero ksenia@synopsys.com Twitter: @KseniaDmitrieva https://www.synopsys.com/software
Thank You
Ad

Recommended

DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
audit planning and risk assessment new slides.ppt
audit planning and risk assessment new slides.pptaudit planning and risk assessment new slides.ppt
audit planning and risk assessment new slides.ppt
AdeelAhmad724104
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Implementing Effective Data Governance
Implementing Effective Data GovernanceImplementing Effective Data Governance
Implementing Effective Data Governance
Christopher Bradley
 
IoT Security
IoT SecurityIoT Security
IoT Security
Narudom Roongsiriwong, CISSP
 
Business continuity management per ISO 22301 - a certification training cour...
Business continuity management per ISO 22301 - a certification training cour... Business continuity management per ISO 22301 - a certification training cour...
Business continuity management per ISO 22301 - a certification training cour...
Mart Rovers
 
IoT presentation
IoT presentationIoT presentation
IoT presentation
Rohit Mahali
 
Penetration Testing AWS
Penetration Testing AWSPenetration Testing AWS
Penetration Testing AWS
Sanjeev Kumar Jaiswal
 
Gitops Hands On
Gitops Hands OnGitops Hands On
Gitops Hands On
Brice Fernandes
 
Kubernetes GitOps featuring GitHub, Kustomize and ArgoCD
Kubernetes GitOps featuring GitHub, Kustomize and ArgoCDKubernetes GitOps featuring GitHub, Kustomize and ArgoCD
Kubernetes GitOps featuring GitHub, Kustomize and ArgoCD
Sunnyvale
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes way
sparkfabrik
 
GitOps 101 Presentation.pdf
GitOps 101 Presentation.pdfGitOps 101 Presentation.pdf
GitOps 101 Presentation.pdf
ssuser31375f
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Peng Xiao
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
EastBanc Tachnologies
 
Amazon EKS Deep Dive
Amazon EKS Deep DiveAmazon EKS Deep Dive
Amazon EKS Deep Dive
Andrzej Komarnicki
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into Containerd
Kohei Tokunaga
 
CD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdfCD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdf
Knoldus Inc.
 
Intro to GitOps & Flux.pdf
Intro to GitOps & Flux.pdfIntro to GitOps & Flux.pdf
Intro to GitOps & Flux.pdf
Weaveworks
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
Karthik Gaekwad
 
Api observability
Api observability Api observability
Api observability
Red Hat
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
Winton Winton
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
GitOps with Amazon EKS Anywhere by Dan Budris
GitOps with Amazon EKS Anywhere by Dan BudrisGitOps with Amazon EKS Anywhere by Dan Budris
GitOps with Amazon EKS Anywhere by Dan Budris
Weaveworks
 
Container Security
Container SecurityContainer Security
Container Security
Jie Liau
 
GitOps and ArgoCD
GitOps and ArgoCDGitOps and ArgoCD
GitOps and ArgoCD
Omar Fathy
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
John Kinsella
 
Container orchestration overview
Container orchestration overviewContainer orchestration overview
Container orchestration overview
Wyn B. Van Devanter
 
ArgoCD Meetup PPT final.pdf
ArgoCD Meetup PPT final.pdfArgoCD Meetup PPT final.pdf
ArgoCD Meetup PPT final.pdf
amanmakwana3
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
Ksenia Peguero
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
OW2
 
Ad

More Related Content

What's hot (20)

Gitops Hands On
Gitops Hands OnGitops Hands On
Gitops Hands On
Brice Fernandes
 
Kubernetes GitOps featuring GitHub, Kustomize and ArgoCD
Kubernetes GitOps featuring GitHub, Kustomize and ArgoCDKubernetes GitOps featuring GitHub, Kustomize and ArgoCD
Kubernetes GitOps featuring GitHub, Kustomize and ArgoCD
Sunnyvale
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes way
sparkfabrik
 
GitOps 101 Presentation.pdf
GitOps 101 Presentation.pdfGitOps 101 Presentation.pdf
GitOps 101 Presentation.pdf
ssuser31375f
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Peng Xiao
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
EastBanc Tachnologies
 
Amazon EKS Deep Dive
Amazon EKS Deep DiveAmazon EKS Deep Dive
Amazon EKS Deep Dive
Andrzej Komarnicki
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into Containerd
Kohei Tokunaga
 
CD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdfCD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdf
Knoldus Inc.
 
Intro to GitOps & Flux.pdf
Intro to GitOps & Flux.pdfIntro to GitOps & Flux.pdf
Intro to GitOps & Flux.pdf
Weaveworks
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
Karthik Gaekwad
 
Api observability
Api observability Api observability
Api observability
Red Hat
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
Winton Winton
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
GitOps with Amazon EKS Anywhere by Dan Budris
GitOps with Amazon EKS Anywhere by Dan BudrisGitOps with Amazon EKS Anywhere by Dan Budris
GitOps with Amazon EKS Anywhere by Dan Budris
Weaveworks
 
Container Security
Container SecurityContainer Security
Container Security
Jie Liau
 
GitOps and ArgoCD
GitOps and ArgoCDGitOps and ArgoCD
GitOps and ArgoCD
Omar Fathy
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
John Kinsella
 
Container orchestration overview
Container orchestration overviewContainer orchestration overview
Container orchestration overview
Wyn B. Van Devanter
 
ArgoCD Meetup PPT final.pdf
ArgoCD Meetup PPT final.pdfArgoCD Meetup PPT final.pdf
ArgoCD Meetup PPT final.pdf
amanmakwana3
 
Gitops Hands On
Gitops Hands OnGitops Hands On
Gitops Hands On
Brice Fernandes
 
Kubernetes GitOps featuring GitHub, Kustomize and ArgoCD
Kubernetes GitOps featuring GitHub, Kustomize and ArgoCDKubernetes GitOps featuring GitHub, Kustomize and ArgoCD
Kubernetes GitOps featuring GitHub, Kustomize and ArgoCD
Sunnyvale
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes way
sparkfabrik
 
GitOps 101 Presentation.pdf
GitOps 101 Presentation.pdfGitOps 101 Presentation.pdf
GitOps 101 Presentation.pdf
ssuser31375f
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Peng Xiao
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
EastBanc Tachnologies
 
Amazon EKS Deep Dive
Amazon EKS Deep DiveAmazon EKS Deep Dive
Amazon EKS Deep Dive
Andrzej Komarnicki
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into Containerd
Kohei Tokunaga
 
CD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdfCD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdf
Knoldus Inc.
 
Intro to GitOps & Flux.pdf
Intro to GitOps & Flux.pdfIntro to GitOps & Flux.pdf
Intro to GitOps & Flux.pdf
Weaveworks
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
Karthik Gaekwad
 
Api observability
Api observability Api observability
Api observability
Red Hat
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
Winton Winton
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
GitOps with Amazon EKS Anywhere by Dan Budris
GitOps with Amazon EKS Anywhere by Dan BudrisGitOps with Amazon EKS Anywhere by Dan Budris
GitOps with Amazon EKS Anywhere by Dan Budris
Weaveworks
 
Container Security
Container SecurityContainer Security
Container Security
Jie Liau
 
GitOps and ArgoCD
GitOps and ArgoCDGitOps and ArgoCD
GitOps and ArgoCD
Omar Fathy
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
John Kinsella
 
Container orchestration overview
Container orchestration overviewContainer orchestration overview
Container orchestration overview
Wyn B. Van Devanter
 
ArgoCD Meetup PPT final.pdf
ArgoCD Meetup PPT final.pdfArgoCD Meetup PPT final.pdf
ArgoCD Meetup PPT final.pdf
amanmakwana3
 

Similar to Finding Your Way in Container Security (20)

Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
Ksenia Peguero
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
OW2
 
Understanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities pointsUnderstanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities points
Abdul Khan
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
Stephane Woillez
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment Planning
Stephane Woillez
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...
The Incredible Automation Day
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Qualcomm Developer Network
 
Containerization
ContainerizationContainerization
Containerization
Gowtham Ventrapati
 
Dockers and kubernetes
Dockers and kubernetesDockers and kubernetes
Dockers and kubernetes
Dr Ganesh Iyer
 
Securing the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersSecuring the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux Containers
Massimiliano Mattetti
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
Salesforce Engineering
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
NETWAYS
 
Linuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharborLinuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharbor
LinuxCon ContainerCon CloudOpen China
 
Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data Scientists
Dr Ganesh Iyer
 
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdfSantander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
Juan Vicente Herrera Ruiz de Alejo
 
Container Security Essentials
Container Security EssentialsContainer Security Essentials
Container Security Essentials
DNIF
 
Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?
DevOps.com
 
containerization with example module and
containerization with example module andcontainerization with example module and
containerization with example module and
Radhika R
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
Ksenia Peguero
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
OW2
 
Understanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities pointsUnderstanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities points
Abdul Khan
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
Stephane Woillez
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment Planning
Stephane Woillez
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...
The Incredible Automation Day
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Qualcomm Developer Network
 
Containerization
ContainerizationContainerization
Containerization
Gowtham Ventrapati
 
Dockers and kubernetes
Dockers and kubernetesDockers and kubernetes
Dockers and kubernetes
Dr Ganesh Iyer
 
Securing the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersSecuring the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux Containers
Massimiliano Mattetti
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
Salesforce Engineering
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
NETWAYS
 
Linuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharborLinuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharbor
LinuxCon ContainerCon CloudOpen China
 
Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data Scientists
Dr Ganesh Iyer
 
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdfSantander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
Juan Vicente Herrera Ruiz de Alejo
 
Container Security Essentials
Container Security EssentialsContainer Security Essentials
Container Security Essentials
DNIF
 
Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?
DevOps.com
 
containerization with example module and
containerization with example module andcontainerization with example module and
containerization with example module and
Radhika R
 
Ad

Recently uploaded (20)

QA/QC Manager (Quality management Expert)
QA/QC Manager (Quality management Expert)QA/QC Manager (Quality management Expert)
QA/QC Manager (Quality management Expert)
rccbatchplant
 
DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
charlesdick1345
 
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
inmishra17121973
 
fluke dealers in bangalore..............
fluke dealers in bangalore..............fluke dealers in bangalore..............
fluke dealers in bangalore..............
Haresh Vaswani
 
BTech_CSE_LPU_Presentation.pptx.........
BTech_CSE_LPU_Presentation.pptx.........BTech_CSE_LPU_Presentation.pptx.........
BTech_CSE_LPU_Presentation.pptx.........
jinny kaur
 
Smart Storage Solutions.pptx for production engineering
Smart Storage Solutions.pptx for production engineeringSmart Storage Solutions.pptx for production engineering
Smart Storage Solutions.pptx for production engineering
rushikeshnavghare94
 
How to Make Material Space Qu___ (1).pptx
How to Make Material Space Qu___ (1).pptxHow to Make Material Space Qu___ (1).pptx
How to Make Material Space Qu___ (1).pptx
engaash9
 
Engineering Chemistry First Year Fullerenes
Engineering Chemistry First Year FullerenesEngineering Chemistry First Year Fullerenes
Engineering Chemistry First Year Fullerenes
5g2jpd9sp4
 
five-year-soluhhhhhhhhhhhhhhhhhtions.pdf
five-year-soluhhhhhhhhhhhhhhhhhtions.pdffive-year-soluhhhhhhhhhhhhhhhhhtions.pdf
five-year-soluhhhhhhhhhhhhhhhhhtions.pdf
AdityaSharma944496
 
DT REPORT by Tech titan GROUP to introduce the subject design Thinking
DT REPORT by Tech titan GROUP to introduce the subject design ThinkingDT REPORT by Tech titan GROUP to introduce the subject design Thinking
DT REPORT by Tech titan GROUP to introduce the subject design Thinking
DhruvChotaliya2
 
Dust Suppressants: A Sustainable Approach to Dust Pollution Control
Dust Suppressants: A Sustainable Approach to Dust Pollution ControlDust Suppressants: A Sustainable Approach to Dust Pollution Control
Dust Suppressants: A Sustainable Approach to Dust Pollution Control
Janapriya Roy
 
vlsi digital circuits full power point presentation
vlsi digital circuits full power point presentationvlsi digital circuits full power point presentation
vlsi digital circuits full power point presentation
DrSunitaPatilUgaleKK
 
railway wheels, descaling after reheating and before forging
railway wheels, descaling after reheating and before forgingrailway wheels, descaling after reheating and before forging
railway wheels, descaling after reheating and before forging
Javad Kadkhodapour
 
comparison of motors.pptx 1. Motor Terminology.ppt
comparison of motors.pptx 1. Motor Terminology.pptcomparison of motors.pptx 1. Motor Terminology.ppt
comparison of motors.pptx 1. Motor Terminology.ppt
yadavmrr7
 
Elevate Your Workflow
Elevate Your WorkflowElevate Your Workflow
Elevate Your Workflow
NickHuld
 
Reagent dosing (Bredel) presentation.pptx
Reagent dosing (Bredel) presentation.pptxReagent dosing (Bredel) presentation.pptx
Reagent dosing (Bredel) presentation.pptx
AlejandroOdio
 
Machine learning project on employee attrition detection using (2).pptx
Machine learning project on employee attrition detection using (2).pptxMachine learning project on employee attrition detection using (2).pptx
Machine learning project on employee attrition detection using (2).pptx
rajeswari89780
 
Unit III.pptx IT3401 web essentials presentatio
Unit III.pptx IT3401 web essentials presentatioUnit III.pptx IT3401 web essentials presentatio
Unit III.pptx IT3401 web essentials presentatio
lakshitakumar291
 
introduction to machine learining for beginers
introduction to machine learining for beginersintroduction to machine learining for beginers
introduction to machine learining for beginers
JoydebSheet
 
Fort night presentation new0903 pdf.pdf.
Fort night presentation new0903 pdf.pdf.Fort night presentation new0903 pdf.pdf.
Fort night presentation new0903 pdf.pdf.
anuragmk56
 
QA/QC Manager (Quality management Expert)
QA/QC Manager (Quality management Expert)QA/QC Manager (Quality management Expert)
QA/QC Manager (Quality management Expert)
rccbatchplant
 
DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
DATA-DRIVEN SHOULDER INVERSE KINEMATICS YoungBeom Kim1 , Byung-Ha Park1 , Kwa...
charlesdick1345
 
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
inmishra17121973
 
fluke dealers in bangalore..............
fluke dealers in bangalore..............fluke dealers in bangalore..............
fluke dealers in bangalore..............
Haresh Vaswani
 
BTech_CSE_LPU_Presentation.pptx.........
BTech_CSE_LPU_Presentation.pptx.........BTech_CSE_LPU_Presentation.pptx.........
BTech_CSE_LPU_Presentation.pptx.........
jinny kaur
 
Smart Storage Solutions.pptx for production engineering
Smart Storage Solutions.pptx for production engineeringSmart Storage Solutions.pptx for production engineering
Smart Storage Solutions.pptx for production engineering
rushikeshnavghare94
 
How to Make Material Space Qu___ (1).pptx
How to Make Material Space Qu___ (1).pptxHow to Make Material Space Qu___ (1).pptx
How to Make Material Space Qu___ (1).pptx
engaash9
 
Engineering Chemistry First Year Fullerenes
Engineering Chemistry First Year FullerenesEngineering Chemistry First Year Fullerenes
Engineering Chemistry First Year Fullerenes
5g2jpd9sp4
 
five-year-soluhhhhhhhhhhhhhhhhhtions.pdf
five-year-soluhhhhhhhhhhhhhhhhhtions.pdffive-year-soluhhhhhhhhhhhhhhhhhtions.pdf
five-year-soluhhhhhhhhhhhhhhhhhtions.pdf
AdityaSharma944496
 
DT REPORT by Tech titan GROUP to introduce the subject design Thinking
DT REPORT by Tech titan GROUP to introduce the subject design ThinkingDT REPORT by Tech titan GROUP to introduce the subject design Thinking
DT REPORT by Tech titan GROUP to introduce the subject design Thinking
DhruvChotaliya2
 
Dust Suppressants: A Sustainable Approach to Dust Pollution Control
Dust Suppressants: A Sustainable Approach to Dust Pollution ControlDust Suppressants: A Sustainable Approach to Dust Pollution Control
Dust Suppressants: A Sustainable Approach to Dust Pollution Control
Janapriya Roy
 
vlsi digital circuits full power point presentation
vlsi digital circuits full power point presentationvlsi digital circuits full power point presentation
vlsi digital circuits full power point presentation
DrSunitaPatilUgaleKK
 
railway wheels, descaling after reheating and before forging
railway wheels, descaling after reheating and before forgingrailway wheels, descaling after reheating and before forging
railway wheels, descaling after reheating and before forging
Javad Kadkhodapour
 
comparison of motors.pptx 1. Motor Terminology.ppt
comparison of motors.pptx 1. Motor Terminology.pptcomparison of motors.pptx 1. Motor Terminology.ppt
comparison of motors.pptx 1. Motor Terminology.ppt
yadavmrr7
 
Elevate Your Workflow
Elevate Your WorkflowElevate Your Workflow
Elevate Your Workflow
NickHuld
 
Reagent dosing (Bredel) presentation.pptx
Reagent dosing (Bredel) presentation.pptxReagent dosing (Bredel) presentation.pptx
Reagent dosing (Bredel) presentation.pptx
AlejandroOdio
 
Machine learning project on employee attrition detection using (2).pptx
Machine learning project on employee attrition detection using (2).pptxMachine learning project on employee attrition detection using (2).pptx
Machine learning project on employee attrition detection using (2).pptx
rajeswari89780
 
Unit III.pptx IT3401 web essentials presentatio
Unit III.pptx IT3401 web essentials presentatioUnit III.pptx IT3401 web essentials presentatio
Unit III.pptx IT3401 web essentials presentatio
lakshitakumar291
 
introduction to machine learining for beginers
introduction to machine learining for beginersintroduction to machine learining for beginers
introduction to machine learining for beginers
JoydebSheet
 
Fort night presentation new0903 pdf.pdf.
Fort night presentation new0903 pdf.pdf.Fort night presentation new0903 pdf.pdf.
Fort night presentation new0903 pdf.pdf.
anuragmk56
 
Ad

Finding Your Way in Container Security

  • 1. Ksenia Peguero September 19, 2023 Finding You Way in Container Security
  • 2. © 2023 Synopsys, Inc. 2 Synopsys Confidential Information whoami • Current: Sr. Manager of Softwre Engineering at Synopsys Software Integrity Group • Prior: Principal Consultant at Cigital/Synopsys • PhD in Computer Science • Mother • Ballroom dancing & diving • @KseniaDmitrieva
  • 3. © 2023 Synopsys, Inc. 3 Synopsys Confidential Information Agenda • Introduction to container technologies • Challenges for DevSecOps engineers • Common container threats and real-world attacks • How to secure components of container infrastructure • Standards and resources for container security • Best practices to secure containers
  • 4. © 2023 Synopsys, Inc. 4 Synopsys Confidential Information What is a container? • Containerization is not new. The first ones appeared in 1999 as FreeBSD Jails • Modern containers took off in 2013 (Docker) Containers are executable units of software in which application code is packaged, along with its libraries and dependencies, in common ways so that it can be run anywhere, whether it be on desktop, traditional IT, or the cloud. (IBM) • Containers use operating system virtualization – Using namespaces and cgroups to isolate processes, CPU, memory, disk
  • 5. © 2023 Synopsys, Inc. 5 Synopsys Confidential Information Containers vs Virtual Machines Hypervisor Hardware • Isolation of machines • Hardware virtualization Host OS Kernel Hardware • Process isolation • Operating system virtualization > Application virtualization C 1 C 2 C 3 C 4 Containers Virtual Machines VM1 OS VM2 OS VM3 OS VM4 OS
  • 6. © 2023 Synopsys, Inc. 6 Synopsys Confidential Information Components of container infrastructure Container image image creation Image registry image storage and retrieval Orchestrator automating deployment, management, scaling, security management Container runtime >_ loading container images, spinning up containers, managing network, local resources Host OS running the container runtime
  • 7. © 2023 Synopsys, Inc. 7 © 2019 Synopsys, Inc. 7 Synopsys Confidential Information Main benefits: • Lightweight • Portable and platform independent • Support modern development and architecture • Improve utilization of CPU and memory According to the IBM report, “containers are delivering real-world business benefits”: • Improved application quality • Faster time to market • Improved employee productivity • Higher customer satisfaction • Reduced application downtime https://www.ibm.com/downloads/cas/VG8KRPRM Benefits of using containers This Photo by Unknown Author is licensed under CC BY
  • 8. © 2023 Synopsys, Inc. 8 Synopsys Confidential Information https://www.ibm.com/downloads/cas/VG8KRPRM Challenges of using containers (in 2020) Talent and knowledge Insufficient internal expertise Complexity of learning containerization strategies and technologies Challenges in redesigning existing on-premises enterprise application for containers Costs Uncertainty regarding the time and costs involved in container projects No clear way to assess ROI or track benefits concretely Difficulty predicting container performance, undermining confidence in meeting SLAs Management Difficulty cataloging, curating and managing containers as they proliferate across our environment Difficulty managing, sharing and securing data across containers Tooling Immaturity of internal, homegrown tools for container development and management Lack of enterprise-grade security capabilities
  • 9. © 2023 Synopsys, Inc. 9 Synopsys Confidential Information Examples of Container Vulnerabilities • CVE-2014-9357 • CVE-2019-5021 • CVE-2019-15752 • CVE-2019-11246 Container image Image registry Orchestrator Container runtime >_ Host OS
  • 10. © 2023 Synopsys, Inc. 10 Synopsys Confidential Information • Docker 1.3.2 – Used chroot sandboxing to extract archives – Victim calls docker pull to automatically unpack a malicious image or build • Attacker includes malicious xz binaries in the image or build • Victim creates a container using the malicious image or build • Privilege escalation => Attacker runs as root on the host OS • CVE severity – Critical • Vulnerability was fixed in Docker 1.3.3 CVE-2014-9357 Arbitrary code execution with root privileges
  • 11. © 2023 Synopsys, Inc. 11 Synopsys Confidential Information Blank root password • Affects containers built with the Alpine Linux Docker image versions 3, 4, 5. • System credentials are typically stored in etc/shadow • Authentication mechanisms can be customized with different packages – Alpine Linux + shadow/PAM packages • Empty password for root user • Attacker hacks into container => easily switches to root • CVE Severity - Critical CVE-2019-5021 Root users on Alpine Linux containers have blank passwords.
  • 12. © 2023 Synopsys, Inc. 12 Synopsys Confidential Information Trojan horse • Not the virus trojan horse • Docker Desktop Community Edition versions prior to 2.1.0.1 • Docker startup or authenticate invokes docker-credential-wincred.exe • Access controls of containing folder %PROGRAMDATA%DockerDesktopversi on-bin • Exploit: Replace the executable, keep the name • When Docker starts, the executable runs with user’s privilege (what if it was admin?) • CVE Severity - High CVE-2019-15752 Docker folder uses the default windows access control.
  • 13. © 2023 Synopsys, Inc. 13 Synopsys Confidential Information • Affects Kubernetes versions older than 1.12.9, 1.13.6, and 1.14.2 • Command kubectl cp – copy files between host and containers – Packs into archive using tar – Transfers over network – Unpacks on the host • Compromised tar binary on the container => access to the host file system: – Adding malicious files – Overwriting existing files • CVE Severity - High CVE-2019-11246 Kubernetes File Manipulation
  • 14. © 2023 Synopsys, Inc. 14 Synopsys Confidential Information Securing Containers: Risks and Mitigations • Container image • Image registry • Container runtime • Host OS • Orchestrator Container image Image registry Orchestrator Container runtime >_ Host OS
  • 15. © 2023 Synopsys, Inc. 15 Synopsys Confidential Information Securing container images Mitigations • Use a minimalistic base OS, like Alpine Linux and Windows Nano Server • Keep the software in container images up-to-date • Periodically scan the containers for: – Known vulnerabilities / CVEs in the container layers – Misconfigurations of containers (Containerfiles/Dockerfiles) with a scanner (port misconfigurations, protocols, certificates, running as non- privileged users, etc.) – Malware – Hard-coded secrets • An organization should have a set of vetted images that are used across all teams • Maintain application security requirements for the code deployed on the container: – Maintain the frameworks/libraries/components up-to-date – Scan the internally-developed applications • Base OS functionality and components • Components missing critical security updates (component become outdated over time) • Configuration defects • Embedded malware • Leaking clear text secrets Risks
  • 16. © 2023 Synopsys, Inc. 16 Synopsys Confidential Information Securing image registries Mitigations • Use private registry • Use secure connections to the registry • Harden the registry host • Use authentication and access control – E.g. developers can only write to the specific repository • Regularly monitor • Prune stale images • Only publish trusted images (that passed security requirements) • Ensure that only containers from your private registry can be used within the organization • Insecure connection • Leaking IP from the registry • Stale images Risks
  • 17. © 2023 Synopsys, Inc. 17 Synopsys Confidential Information Securing container runtime Mitigations • Monitor container runtime for vulnerabilities (CVEs) and update it often • Control egress network traffic sent by containers – Traffic in the virtual network is encrypted. Therefore, traditional network controls (firewalls) may not work. – Dynamic IP assigned automatically. Therefore, IP- based controls won’t work. – Use app-aware tools • Use mandatory access control (MAC) technologies (file system, processes, network sockets, etc.) • CIS Benchmark for Docker • Use OS kernel level controls • Network risks between containers in the same runtime • Runtime misconfigurations: • Containers running in privileged mode • Containers mounting volumes in sensitive directories on the host OS Risks
  • 18. © 2023 Synopsys, Inc. 18 Synopsys Confidential Information Securing host OS Mitigations • Use slim OS with kernel protections (e.g. SELinux) • Keep the OS up-to-date, monitor for vulnerabilities • Limit logins to the host OS, audit authentication • Monitoring for any unexpected behavior on the host (network, file system, processes, etc.) • Running “busted” containers • Malicious containers • Rogue containers • Containers with vulnerable layers • Containers with application security defects • Large attack surface • Shared kernel • Host OS components • Shared file system (mounting volumes) • Additional users of the OS Risks
  • 19. © 2023 Synopsys, Inc. 19 Synopsys Confidential Information Host OS Can we forget about application security? Scenario: vulnerable application in a container Secure/vetted Container Container Marketing web app Public Internet DB Engine SQL injection Payload: SQLi to RCE Container Container Container Mitigations: • Limit egress: to an internal subnet or (better) application protocols • No internet access • Only needed internal network access • Restrict DB user: deny running OS commands Service managing bounties for Bug Bounty program RCE: network scan
  • 20. © 2023 Synopsys, Inc. 20 Synopsys Confidential Information Securing orchestration platforms Risks • Unnecessary administrative access • Unauthorized access (to containers and data storage volumes) • Compliance risk – encrypting data at rest • Network risks – traffic from different applications sharing the same virtual network • Orchestrator node trust Mitigations • Limit the number of privileged users • Access control linked to the company user directory • Encrypting data storage volumes • Segmentation, segmentation, segmentation: – Virtual networks by sensitivity level (if by app is not possible) – Host “pinning” by sensitivity levels (individually managed clusters) Aerial view of the Forbidden City, Beijing (© Google Earth 2021) Defense in depth
  • 21. © 2023 Synopsys, Inc. 21 Synopsys Confidential Information Container Security Resources
  • 22. © 2023 Synopsys, Inc. 22 Synopsys Confidential Information OWASP Docker Top 10 Draft in progress. Not a list of top 10 vulnerabilities or risks, but a list of top 10 controls. Document: https://github.com/OWASP/Docker- Security/blob/main/dist/owasp-docker- security.pdf • Use it as guidance during the design phase, for auditing an existing environment, or procuring a new one • Focuses on Docker, but could be applied to containers in general • Orchestrator security risks are out of scope for this list, but container networking is in scope D01 - Secure User Mapping D02 - Patch Management Strategy D03 - Network Segmentation and Firewalling D04 - Secure Defaults and Hardening D05 - Maintain Security Contexts D06 - Protect Secrets D07 - Resource Protection D08 - Container Image Integrity and Origin D09 - Follow Immutable Paradigm D10 - Logging https://owasp.org/www-project-docker-top-10/
  • 23. © 2023 Synopsys, Inc. 23 Synopsys Confidential Information OWASP Container Security Verification Standard (CSVS) • The structure is based on the OWASP Application Security Verification Standard (ASVS) • Has overlap with Docker Top 10, but covers broader categories: – V1: Organizational (processes & people) – V2: Infrastructure – V3: Containers (Docker Top 10) – V4: Orchestration Management – V5: Image Distribution – V6: Secrets and Keys – V7: Network – V8: Storage – V9: Logging & Monitoring – V10: Integration – V11: Disaster Recovery – V12: Testing • This is a shorter standard, compared to CIS Benchmarks and NIST Application Container Security Guide https://owasp.org/www-project-container-security-verification-standard/migrated_content • Provides 3 security verification levels 1. For all containers 2. Containers with sensitive data or business logic 3. Critical containers (high value transactions, PII, medical data)
  • 24. © 2023 Synopsys, Inc. 24 Synopsys Confidential Information NIST Special Publication 800-190 Application Container Security Guide https://doi.org/10.6028/NIST.SP.800-190 • Overview of Container Technology • Explains basic concepts of container and orchestrations • Discusses risks to the core components of container technologies • Contains a section on countermeasures for the listed risks • Provides threat scenario examples and considerations for the container technology life cycle NIST Application Container Security Guide Container Technology Architecture and Lifecycle Phases NIST SP 800-190
  • 25. © 2023 Synopsys, Inc. 25 Synopsys Confidential Information Center for Internet Security (CIS) developed "more than 100 configuration guidelines across 25+ vendor product families to safeguard systems against today’s evolving cyber threats." • CIS Benchmarks include hardening guidelines for manual and automated steps CIS Docker Benchmark provides detailed guidelines in the following categories: • Host • Docker daemon and its config files • Container images and build files • Container runtime • Docker security operations • Docker Swarm CIS Docker Benchmark https://www.cisecurity.org/benchmark/docker
  • 26. © 2023 Synopsys, Inc. 26 Synopsys Confidential Information • Harden all the systems • Use segmentation at all levels (clusters, hosts, networks) • Monitor all the components • Use vetted base images • Generate a Software Bill of Materials (SBOM) for every container image – Gotchas – only if the installer is used and not a custom script • Use an ASOC tool (Application Security Orchestration and Correlation) – Collects data from various AppSec sources – Consolidates and correlates the findings, prioritizing remediation efforts Best Practices of Securing Containers
  • 27. © 2023 Synopsys, Inc. 27 Synopsys Confidential Information Ksenia Peguero [email protected] Twitter: @KseniaDmitrieva https://www.synopsys.com/software