Securing Docker Containers

Oct 26, 20163 likes5,956 views

Docker is revolutionizing the way organizations build and deploy applications. But while containers make it easier to development teams to package applications with all their dependencies, they make it harder for operations teams to control what software is deployed into production. In this session you will see how Black Duck Hub helps development and operations teams maintain complete visibility and control of the open source in their containers.

Securing Docker
Containers
Randy Kilmon
VP Engineering
Black Duck Software

How Pervasive is Open Source?
• > 98% of the applications
tested used open source
• On average, open source
comprised over 30% of the
code base
Open
Source
Custom
Code
Composition of software tested across
1400 Black Duck customers
Reference:Black Duck Softwareaudits

Building Trust & Confidence is Critical to Adoption of Docker
Security is ranked as the #1 adoption challenge for containers
• 60% of customers are concerned about container security and lack of
certification/image provenance
• 40% of available container images in contain High Priority Vulnerabilities
• 4,000 new vulnerabilities in open source reported annually, e.g., Heartbleed,
Shellshock, Venom, Ghost
3Black Duck Customer Conference

Docker Infrastructure
Docker Daemon / Docker Socket
• Docker itself must run as root on the host system
• attacks targeting the host system coming in through Docker would
have root privs
• Many Docker containers run with the –privileged flag set which extends
privileges of the container allowing it to access all devices on the host
system (BAD Idea).
5Black Duck Customer Conference

Responses
Linux adaptations to counter the threat
• Red Hat Atomic Host
• SE linux (multi-tenancy)
• “Locked down” system (read-only /usr)
• Intended to change configurations only in /var & /etc
• No yum package manager
• VMware Photon and Lightwave
• Photon is an optimized and secured Linux host designed for running
containers at scale
• Lightwave used for managing authorization and identity management
6Black Duck Customer Conference

Container Contents
Containers can be vulnerable by virtue of the code that runs inside
them
• OSS components running inside containers represent potential attack
vectors in the same way they can in traditional deployment models
• Could cause problems for the application itself
• Could cause more problems if the container is running with the –
privileged flag set
• Different OS flavors and versions, as well as different module versions
• Based on any one of many Linux distributions
• Patches must be managed carefully
• Security, but also compatibility & supportability
7Black Duck Customer Conference

Responses
Manage and monitor container content carefully
• Dockerfile analysis is insufficient
• .tar, .zip files could have anything inside them
• Other layers are just referenced from other registries
• Asking the package manager is insufficient
• Not all modules are under package manager’s purview
• Application layer code (.jar’s, e.g.) is never managed in this way
• File inspection (scanning) is the only way to be sure about what’s there!!
8Black Duck Customer Conference

Microservices
The more containers you spin up, the larger attack surface you expose
• Speed is critical
• Speed to detection of problems
• Speed to remediation
9Black Duck Customer Conference

The Black Duck Solution
Black Duck key differentiators
• Platform-agnostic support in Hub for analyzing all content (whether
inside containers or not)
• Signature-based file identification
• Automated identification
• Able to show in which layer the component was introduced
• Vulnerability reporting over time / alerting
10Black Duck Customer Conference

Key Integration Points
Many options for workflow
• Scan on any Docker host by accessing images through the Docker
daemon
• Scan on RH Atomic Host with file system level integration
• Scan directly against a Docker registry
• CI tools: Jenkins, Bamboo, etc.
• OpenShift (currently in development)*
11Black Duck Customer Conference

Q&A
13Black Duck Customer Conference
Let’s talk about how you are using or plan to use Docker in your
organizations

This document discusses Hub APIs for integrating Black Duck into other environments. It provides an overview of common API scenarios, introduces the Hub APIs, and describes the currently available Hub API categories including general, report, notification, and extension APIs. The document also discusses REST API patterns and provides an example of API structure and interactions. It concludes by previewing future directions for Hub API enhancements.

Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyBlack Duck by Synopsys

According to SAP 85% of cybersecurity attacks target the application layer. To be successful in defending against these attacks you need to use a variety of tools. In session we'll go into the various types application security tools and approaches, including SAST, DAST, RASP, PEN, as well as Open Source Vulnerability Management. We'll help you understand the differences between these tools and help you develop a plan for filling your application security toolbox.

Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys

As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016. Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: • How known vulnerabilities can make their way into production deployments • How deployment of vulnerable code can be minimized • How to determine the vulnerability status of a container • How to determine the risk associated with a specific package

Myths and Misperceptions of Open Source Security Black Duck by Synopsys

This document discusses myths and misperceptions around open source security. It addresses 6 common misperceptions: 1) that security tools can find all open source vulnerabilities, 2) that scanning is best done at the end of development, 3) that the National Vulnerability Database covers all vulnerabilities, 4) that replacing vulnerable components is always the answer, 5) that the "many eyes" theory ensures open source security, and 6) that open source is less secure than commercial software. The document provides details to counter each misperception and emphasizes that all software can have vulnerabilities, and that visibility into what software is used is key to security.

Customer Case Study: ScienceLogic - Many Paths to ComplianceBlack Duck by Synopsys

Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys

Presented on September 22, 2016 by Brent Baude, Principle Software Engineer, Atomic and Docker Development, Red Hat; Randy Kilmon, VP, Engineering, Black Duck Organizations are increasingly turning to container environments to meet the demand for faster, more agile software development. But a 2015 study conducted by Forrester Consulting on behalf of Red Hat revealed that 53% of IT operations and development decision makers at global enterprises reported container security concerns as a barrier to adoption. The challenges of managing security risk increase in scope and complexity when hundreds or even thousands of different open source software components and licenses are part of your application code base. Since 2014, more than 6,000 new open source security vulnerabilities have been reported, making it essential to have good visibility into and control over the open source in use in order to understand if any known vulnerabilities are present. In this webinar, experts from Red Hat and Black Duck will share the latest insights and recommendations for securing the open source in your containers, including protecting them from vulnerabilities like Heartbleed, Shellshock and Venom. You’ll learn: • Why container environments present new application security challenges, including those posed by ever-increasing open source use. • How to scan applications running in containers to identify open source in use and map known open source security vulnerabilities. • Best practices and methodologies for deploying secure containers with trust and confidence.

PCI and Vulnerability Assessments - What’s MissingBlack Duck by Synopsys

Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckBlack Duck by Synopsys

Presented August 11, 2016 by Michael Right, Senior Product Manager, HPE Security Fortify; Mike Pittenger, VP of Security Strategy, Black Duck. Open source software is an integral part of today’s technology ecosystem, powering everything from enterprise and mobile applications to cloud computing, containers and the Internet of Things. While open source offers attractive economic and productivity benefits for application development, it also presents organizations with significant security challenges. Every year, thousands of new open source security vulnerabilities – such as Heartbleed, Venom and Shellshock – are reported. Unfortunately, many organizations lack visibility into and control of their open source. Addressing this challenge is vital for ensuring security in applications and containers. Whether you’re building software for customers or for internal use, the majority of the code is likely open source and securing it is no easy task. In this session, you’ll learn about: • The evolving DevOps and software security assurance lifecycle in the age of open source • The software security considerations CISOs, security, and development teams must address when using open source • An automated approach to identifying vulnerabilities and managing software security assurance for custom and open source code.

Integrating Black Duck into your Agile DevOps EnvironmentBlack Duck by Synopsys

Making the Transition from Suite to the HubBlack Duck by Synopsys

The 4 Levels of Open Source Risk ManagementBlack Duck by Synopsys

The document describes different levels of open source risk management from manual tracking using spreadsheets to fully automated identification and inventory of open source components. It notes that manual tracking impacts developer productivity and accuracy is difficult to maintain. The highest level of automated risk management allows open source to be automatically identified, inventoried, and mapped to vulnerabilities and licenses without disrupting the software development lifecycle. Black Duck Software offers products to help organizations automate open source security and license compliance management.

Practical Steps to Scale Legal Support for Open SourceBlack Duck by Synopsys

Don't Let Open Source be the Deal Breaker In Your M&A Black Duck by Synopsys

Proactive sell side due diligence to identify, inventory, assess, and, when necessary, remediate open source risks helps ensure the target company receives the best value for its products in an M&A event (and avoid lawsuits). Discovering these problems late in the game can dramatically affect the final purchase price, trigger the need for additional/longer/enhanced escrows, delay closing or even cause an acquisition to be called off altogether.

Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015Black Duck by Synopsys

Flight East 2018 Presentation–Continuous Integration––An OverviewSynopsys Software Integrity Group

BlackDuck Suitejeff cheng

The document discusses the challenges of managing open source software at scale and introduces the Black Duck Suite as a solution. It summarizes the evolution of software development, the promises and challenges of open source, and risks of unmanaged code. The Black Duck Suite helps manage risks through an automated workflow that integrates with development tools to enable multi-source development across the application lifecycle. It addresses management, compliance, and security challenges.

Flight East 2018 Presentation–Black Duck at DocusignSynopsys Software Integrity Group

The How and Why of Container Vulnerability ManagementTim Mackey

As presented at OpenShift Commons Sept 8, 2016. Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to application issues attackers choose to exploit, it’s critical to have visibility into both what is in your container library, but also what the current state of vulnerability activity might be. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform. In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.

Hp fortify source code analyzer(sca)Nagaraju Repala

The document provides information on HP Fortify Source Code Analyzer (SCA). It can analyze source code for various languages like Java, .NET, PHP etc. to identify security vulnerabilities. The installation process involves extracting files and providing a license key. System requirements vary based on the size and complexity of the code being analyzed. Reports can be generated in different templates like OWASP Top 10. Filter sets help classify issues by priority. Commands are available to customize and optimize scans.

Thick client application security assessmentSanjay Kumar (Seeking options outside India)

Secure Application Development in the Age of Continuous DeliveryTim Mackey

As delivered at LinuxCon and ContainerCon in Berlin 2016. Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: • How known vulnerabilities can make their way into production deployments • How deployment of vulnerable code can be minimized • How to determine the vulnerability status of a container • How to determine the risk associated with a specific package

Open Source KMIP Implementationsedukull

Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...Synopsys Software Integrity Group

This document discusses continuous security with Kubernetes. It introduces the concept of DevSecOps which integrates security practices into DevOps workflows. It discusses how to secure container images, container builds, container registries, container hosts, and networking. It also covers continuous integration, delivery, monitoring and logging in container environments. The goal is to enable innovation speed while maintaining security and efficiency at scale.

The Future of Security and Productivity in Our Newly Remote WorldDevOps.com

Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated. This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks. See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.

Containers for Lawyers Richard FontanaBlack Duck by Synopsys

Donu’t Let Vulnerabilities Create a Hole in Your OrganizationDevOps.com

Open source code is everywhere, helping developers deliver code quickly and efficiently. But, if those open source components are insecure, the result can be a catastrophic data breach. To prevent this from happening, companies are turning to Software Composition Analysis (SCA) solutions to identify vulnerabilities in the open source libraries they’re using. Join Veracode to learn how your development teams can easily identify open source libraries in use, their vulnerabilities, licenses, and risks to their applications – helping you protect both your applications and customer data. Want to learn more about the latest solutions?

Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2NetSPI

App Security? There’s a metric for that! (Part 1 of 2) Over the past year, NetSPI has been working on a new approach to manage and measure application security. By combining OWASP’s Software Assurance Maturity Model, traditional risk assessment methodologies, and experience developing security metrics, NetSPI developed a methodology that may be used to help organizations improve the way they manage and prioritize their application security initiatives. Once fully developed, this approach will be donated to OWASP either as an add-on to the existing SAMM project or as a new project intended to improve application security management. In this presentation, NetSPI provides a detailed walk-through of the overall methodology as well as OWASP’s SAMM project. We provide examples of the types of metrics and executive dashboards that can be generated by using this approach to managing application security and help highlight various ways this information can be used to further improve the overall maturity of application security programs. Be sure to check out Part 2 of this presentation for a more "Hands On" approach. http://www.slideshare.net/NetSPI/application-risk-prioritizationhandsonsecure360part2of2

AWS Community Day - Vitaliy Shtym - Pragmatic Container SecurityAWS Chicago

Vitaliy Shtym from Trend Micro discusses pragmatic container security. He outlines six key areas to focus on: (1) the container host, (2) the network, (3) the management stack, (4) the build pipeline, (5) the application foundation, and (6) the application. Specific security best practices are provided for securing containers within each of these areas, such as hardening the container host operating system, using intrusion prevention controls, and scanning container images for vulnerabilities before deployment. The goal is to implement defense in depth across the entire container environment.

Securing the Container PipelineSalesforce Engineering

Talk given by Cem Gürkök, Lead InfoSec Engineer at Salesforce, at DockerCon 16 in June 2016 Customer trust and security is paramount for Salesforce. While containerization is great for DevOps due to flexibility, speed, isolation, transient existence, ease of management and patching, it becomes a challenging environment when the sensitivity level of the data traversing the environment increases. Monitoring systems, applications and network; performing disk, memory and network forensics in case of an incident; and vulnerability detection can easily become daunting tasks in such a volatile environment. In this presentation we would like to discuss the infrastructure we have built to address these issues and to secure our Docker container platform while we rapidly containerize Salesforce. Our solutions focus on securing the container pipeline, building security into the architecture, monitoring, Docker forensics (disk, memory, network), and automation. We also would like to demonstrate some of our live memory analysis capabilities we leverage to assure container and application integrity during execution.

5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys

Presented by Tim Mackey, Senior Technology Evangelist, Black Duck Software on August 17. To use containers safely, you need to be aware of potential security issues and the tools you need for securing container-based systems. Secure production use of containers requires an understanding of how attackers might seek to compromise the container, and what you should be aware of to minimize that potential risk. Tim Mackey, Senior Technical Evangelist at Black Duck Software, provides guidance for developing container security policies and procedures around threats such as: 1. Network security 2. Access control 3. Tamper management and trust 4. Denial of service and SLAs 5. Vulnerabilities Register today to learn about the biggest security challenges you face when deploying containers, and how you can effectively deal with those threats. Watch the webinar on BrightTalk: http://bit.ly/2bpdswg

More Related Content

What's hot (20)

Integrating Black Duck into your Agile DevOps EnvironmentBlack Duck by Synopsys

Making the Transition from Suite to the HubBlack Duck by Synopsys

The 4 Levels of Open Source Risk ManagementBlack Duck by Synopsys

Practical Steps to Scale Legal Support for Open SourceBlack Duck by Synopsys

Don't Let Open Source be the Deal Breaker In Your M&A Black Duck by Synopsys

Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015Black Duck by Synopsys

Flight East 2018 Presentation–Continuous Integration––An OverviewSynopsys Software Integrity Group

BlackDuck Suitejeff cheng

Flight East 2018 Presentation–Black Duck at DocusignSynopsys Software Integrity Group

The How and Why of Container Vulnerability ManagementTim Mackey

Hp fortify source code analyzer(sca)Nagaraju Repala

Thick client application security assessmentSanjay Kumar (Seeking options outside India)

Secure Application Development in the Age of Continuous DeliveryTim Mackey

Open Source KMIP Implementationsedukull

Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...Synopsys Software Integrity Group

The Future of Security and Productivity in Our Newly Remote WorldDevOps.com

Containers for Lawyers Richard FontanaBlack Duck by Synopsys

Donu’t Let Vulnerabilities Create a Hole in Your OrganizationDevOps.com

Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2NetSPI

AWS Community Day - Vitaliy Shtym - Pragmatic Container SecurityAWS Chicago

Integrating Black Duck into your Agile DevOps EnvironmentBlack Duck by Synopsys

Making the Transition from Suite to the HubBlack Duck by Synopsys

The 4 Levels of Open Source Risk ManagementBlack Duck by Synopsys

Practical Steps to Scale Legal Support for Open SourceBlack Duck by Synopsys

Don't Let Open Source be the Deal Breaker In Your M&A Black Duck by Synopsys

Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015Black Duck by Synopsys

Flight East 2018 Presentation–Continuous Integration––An OverviewSynopsys Software Integrity Group

BlackDuck Suitejeff cheng

Flight East 2018 Presentation–Black Duck at DocusignSynopsys Software Integrity Group

The How and Why of Container Vulnerability ManagementTim Mackey

Hp fortify source code analyzer(sca)Nagaraju Repala

Thick client application security assessmentSanjay Kumar (Seeking options outside India)

Secure Application Development in the Age of Continuous DeliveryTim Mackey

Open Source KMIP Implementationsedukull

Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...Synopsys Software Integrity Group

The Future of Security and Productivity in Our Newly Remote WorldDevOps.com

Containers for Lawyers Richard FontanaBlack Duck by Synopsys

Donu’t Let Vulnerabilities Create a Hole in Your OrganizationDevOps.com

Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2NetSPI

AWS Community Day - Vitaliy Shtym - Pragmatic Container SecurityAWS Chicago

Similar to Securing Docker Containers (20)

Securing the Container PipelineSalesforce Engineering

5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys

Containers and Security for DevOpsSalesforce Engineering

Cem Gurkok presented on containers and security. The presentation covered threats to containers like container exploits and tampering of images. It discussed securing the container pipeline through steps like signing, authentication, and vulnerability scans. It also covered monitoring containers and networks, digital forensics techniques, hardening containers and hosts, and vulnerability management.

Understanding container securityJohn Kinsella

This document discusses container security, providing a brief history of containers, security benefits and challenges of containers, and approaches to container vulnerability management and responding to attacks. It notes that while containers are not new, their adoption has increased rapidly in recent years. The document outlines security advantages like smaller surface areas but also challenges like managing vulnerabilities across many moving parts. It recommends strategies like using official images, hardening hosts, scanning for vulnerabilities, and practicing incident response for containers.

DockerCodeister Technolgoies

Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Containers allow a developer to package up an application with all of the parts it needs, such as libraries and other dependencies, and ship it all out as one package. By doing so, thanks to the container, the developer can rest assured that the application will run on any other Linux machine regardless of any customized settings that machine might have that could differ from the machine used for writing and testing the code. In a way, Docker is a bit like a virtual machine. But unlike a virtual machine, rather than creating a whole virtual operating system, Docker allows applications to use the same Linux kernel as the system that they’re running on and only requires applications be shipped with things not already running on the host computer. This gives a significant performance boost and reduces the size of the application.

Finding Your Way in Container SecurityKsenia Peguero

This document provides an overview of container security best practices. It discusses challenges in securing components of the container infrastructure like images, registries, runtimes and orchestrators. It outlines common container threats like privilege escalation attacks and misconfigured containers. The document recommends mitigations like using vetted base images, access controls, network segmentation and updating components. It also references resources like the OWASP Docker Top 10, NIST container security guide and CIS Docker benchmark that provide guidelines for container hardening. In summary, the key is to monitor components, limit access, use segmentation and follow security standards to protect the container environment.

Docker Security and Content Trustehazlett

Docker Containers SecurityStephane Woillez

This document discusses security considerations for Docker containers. It covers three main aspects: securing the platform/infrastructure by hardening the Docker engine and hosts; securing container content through image management, content trust, and secrets management; and securing access and operations through authentication, authorization, access control, auditing, and multi-tenancy. While containers provide isolation and security benefits, the document emphasizes that containers must still follow security best practices to prevent compromise, especially as container usage evolves from individual services to larger applications.

Finding Your Way in Container SecurityKsenia Peguero

In the last few years, the popularity of DevSecOps and rich cloud services have been driving the adoption of containers in the software industry. Container architectures become increasingly complex, and organizations cannot escape using them. At the same time, attackers are finding new ways of exploiting containers and container architectures. Are you still new to containerization and infrastructure as code? Do you feel that your knowledge of application security suddenly doesn’t apply to the way applications are built and deployed using containers? Do you get lost in the IaC and container terminology soup? If so, this talk will help clear things up and answer your questions. We start with an introduction into container technologies, briefly go through the key terminology, explain the value that containers bring today, and why they are so popular. Then we will talk about the challenges that DevSecOps engineers have when using contains and the security aspects that they face. This presentation includes descriptions of common container threats and real-world examples of recent attacks. These threats will guide our discussion of the typical vulnerabilities and attack vectors. We will touch on well-known standards and resources for container security, such as OWASP Docker Top 10 project, Container Security Verification Standard, NIST Application Container Security Guide, and CIS Benchmarks. And we conclude with guidelines on how to secure containers and listing best practices that most organizations follow today.

Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.

Customer trust and security is paramount for Salesforce. While containerization is great for DevOps due to flexibility, speed, isolation, transient existence, ease of management and patching, it becomes a challenging environment when the sensitivity level of the data traversing the environment increases. Monitoring systems, applications and network; performing disk, memory and network forensics in case of an incident; and vulnerability detection can easily become daunting tasks in such a volatile environment. In this presentation we would like to discuss the infrastructure we have built to address these issues and to secure our Docker container platform while we rapidly containerize Salesforce. Our solutions focus on securing the container pipeline, building security into the architecture, monitoring, Docker forensics (disk, memory, network), and automation. We also would like to demonstrate some of our live memory analysis capabilities we leverage to assure container and application integrity during execution.

Containers 101Black Duck by Synopsys

Dockerized containers are the current wave that promising to revolutionize IT. Everybody is talking about containers, but a lot of people remain confused on how they work and why they are different or better than virtual machines. In this session, Black Duck container and virtualization expert Tim Mackey will demystify containers, explain their core concepts, and compare and contrast them with the virtual machine architectures that have been the staple of IT for the last decade.

stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...NETWAYS

They provide the workload isolation and security advantages of VMs. but at the same time maintain the speed of deployment and usability of containers.by using kata containers, instead of namespace, small virtual machines are created on the kernel and be strongly isolated. The technology of Kata Containers is based on KVM hypervisor. That’s why the level of isolation is equivalent to typical hypervisors. This session will focus on a live production phase when choosing kata instead of docker, and why they are preferable Although containers provides software-level isolation of resources, the kernel needs to be shared. That’s why the isolation level in terms of security is not so high when compared with hypervisors.This learns to shift from Docker as the de facto standard to Kata containers and learn how to obtain higherl level of security

Container SecuritySalman Baset

Container security involves securing the host, container content, orchestration, and applications. The document discusses how container isolation evolved over time through namespaces, cgroups, capabilities, and other Linux kernel features. It also covers securing container images, orchestrators, and applications themselves. Emerging technologies like LinuxKit, Katacontainers, and MirageOS aim to provide more lightweight and secure container environments.

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group

The SolarWinds attack brought additional scrutiny software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers, 3rd party development contractors, as well as an array open source contributors. This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.

Linuxcon secureefficientcontainerimagemanagementharborLinuxCon ContainerCon CloudOpen China

This document discusses container image management in enterprises and introduces Project Harbor, an open source container registry. It covers key topics like container image basics, Project Harbor features, maintaining consistency of images between environments, security and access control of images, image distribution strategies, and high availability of container registries. Project Harbor provides an enterprise-grade private registry with features for user management, image replication, security, and integration with systems like LDAP. It aims to help organizations securely manage the distribution and storage of container images.

DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.

Michael Wardrop, Netflix Usage of containers has undergone rapid growth at Netflix and it is still accelerating. Our container story started organically with developers downloading Docker and using it to improve their developer experience. The first production workloads were simple batch jobs, pioneering micro-services followed, then status as a first class platform running critical workloads. As the types of workloads changed and their importance increased, the security of our container ecosystem needed to evolve and adapt. This session will cover some security theory, architecture, along with practical considerations, and lessons we learnt along the way.

OpenStack SummitDocker, Inc.

The document outlines the agenda for the OpenStack Summit in November 2013, including presentations on Docker and its ecosystem, how Docker can be used with OpenStack and Rackspace, and a demonstration of cross-cloud application deployment using Docker. Docker is presented as a solution to the "matrix from hell" of running applications across different environments by providing lightweight, portable containers that can run anywhere regardless of the operating system. The summit aims to educate attendees on Docker and showcase its integration with OpenStack for simplified and efficient application deployment and management across multiple clouds.

Docker Securityantitree

Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Qualcomm Developer Network

This document discusses ongoing security for embedded Linux devices. It describes Timesys' security notification service which monitors Common Vulnerabilities and Exposures (CVEs) and notifies customers of relevant issues. The service filters CVE data, disambiguates package names, and flags false positives. Notifications are sent via a RESTful API or through a LinuxLink user account. The meta-timesys layer integrates these security features into builds using OpenEmbedded RPB BSP. Ongoing security helps minimize known vulnerabilities over the product lifecycle.

The How and Why of Container Vulnerability ManagementBlack Duck by Synopsys

The document discusses container vulnerability management. It describes the attacker model and how attackers exploit vulnerabilities. It emphasizes that open source code has less security support than closed source commercial code. The document outlines how to secure container contents and environment through techniques like enabling Linux security modules, using a minimal OS, and limiting privileges. It recommends verifying the trustworthiness of container sources and checking for vulnerable open source components. Black Duck software is introduced as a tool to analyze open source usage and risks.

Securing the Container PipelineSalesforce Engineering

5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys

Containers and Security for DevOpsSalesforce Engineering

Understanding container securityJohn Kinsella

DockerCodeister Technolgoies

Finding Your Way in Container SecurityKsenia Peguero

Docker Security and Content Trustehazlett

Docker Containers SecurityStephane Woillez

Finding Your Way in Container SecurityKsenia Peguero

Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.

Containers 101Black Duck by Synopsys

stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...NETWAYS

Container SecuritySalman Baset

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group

Linuxcon secureefficientcontainerimagemanagementharborLinuxCon ContainerCon CloudOpen China

DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.

OpenStack SummitDocker, Inc.

Docker Securityantitree

Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Qualcomm Developer Network

The How and Why of Container Vulnerability ManagementBlack Duck by Synopsys

More from Black Duck by Synopsys (20)

Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Black Duck by Synopsys

Anthony Decicco, shareholder, GTC Law Group presented at FLIGHT West 2018. His session description included: A buyer and investor focused discussion of key open source software-related issues and deal points. Understanding the key legal and technical risks, as well as strategies for mitigating them, will help you to focus due diligence, speed and smooth negotiations and get better deal terms, increasing overall value and avoiding post-transaction surprises. For more information, please visit us at www.blackducksoftware.com

FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...Black Duck by Synopsys

Basma Shahadat, Lead Research Engineer presented at Black Duck Flight West 2018. Security checking in the early stages of the SDLC is critical. This session will demonstrate how Proofpoint is taking proactive steps to reduce risk by integrating Black Duck into Proofpoint’s continuous integration pipeline to detect open source vulnerabilities during the product build. For more information, please visit us at https://www.blackducksoftware.com/

FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck HubBlack Duck by Synopsys

This document provides an overview of open source license management best practices that have evolved over 16 years, from 2002 to 2018. It discusses how the risks have changed from lawsuits prompting code inspections to security vulnerabilities coming to the forefront. It also outlines the key functionality of Black Duck Hub for managing open source licenses, including predefined license groups, component usage settings, license risk modeling, policy management, license review workflows, and integrations. Finally, it proposes a suggested license management workflow involving license planning, policy creation, component reviews, attribution statements, and more.

FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...Black Duck by Synopsys

Managing open source security risks is important because most modern applications contain a significant amount of open source code that may contain vulnerabilities. It is difficult to manage these risks because vulnerabilities are often discovered after code is released. Tools can help with open source selection, governance, detection of used components, prioritizing and remediating vulnerabilities, and monitoring applications post-release. Managing open source security risks requires identifying components, setting policies, understanding usage, prioritizing issues, and monitoring ongoing.

FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...Black Duck by Synopsys

Open-Source- Sicherheits- und Risikoanalyse 2018Black Duck by Synopsys

FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...Black Duck by Synopsys

Open source software, patents, and trade secrets each offer different ways to protect information relating to software. Open source licenses make source code available and allow free distribution but also allow others to modify the code. Patents protect specific inventions for a limited time but require describing the invention publicly. Trade secrets have indefinite protection as long as information is kept secret, but lose protection if the secret becomes public. Combining these approaches poses challenges, as open source and trade secrets in particular seem contradictory. Companies must carefully manage what software is shared openly versus kept proprietary through internal policies and legal agreements.

FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideBlack Duck by Synopsys

The document discusses data breaches and relevant laws. It notes an increasing number of data breaches and introduces key laws around data security - the GDPR and NISD. The GDPR requires organizations to implement appropriate security measures to protect personal data and report breaches. It applies broadly to any group processing EU citizens' data or offering goods/services to them. The NISD focuses on essential services and digital service providers, requiring security and reporting of significant incidents. Non-compliance can result in large fines and litigation. Proper precautions such as response planning and legal advice are recommended.

FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your DealBlack Duck by Synopsys

Flight Amsterdam presentation by Anthony Decicco, Shareholder, GTC Law Group Open source software is increasingly centric to transactions, whether licensing, mergers, acquisitions, financing, insurance, offerings or loans, and the deal landscape is changing with the prevalence of representation and warranty insurance, heightened focus on security vulnerabilities and increasing litigation. As such, it is important to understand and re-visit key open source software-related issues and deal points to accelerate your deal, avoid unnecessary due diligence and realize the most value from your open source software-related compliance efforts.

FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...Black Duck by Synopsys

FLIGHT Amsterdam Presentation - From Protex to Hub Black Duck by Synopsys

Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Black Duck by Synopsys

The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.

Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...Black Duck by Synopsys

Open Source Rookies and CommunityBlack Duck by Synopsys

Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...Black Duck by Synopsys

We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI and a webinar on the 2018 Open Source Rookies of the Year. Open Source Insight is your weekly news resource for open source security and cybersecurity news!

Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Black Duck by Synopsys

It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security into your GDPR plans. Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.

Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...Black Duck by Synopsys

This document provides a summary of cybersecurity and open source news stories from March 2nd. It discusses the need to incorporate application security practices into the DevOps process. It also looks at deciding between open source and proprietary software based on factors like code transparency and vendor support. Additionally, it reports that one in eight open source components contain security flaws and explains why enterprises need a comprehensive software security program rather than isolated security activities. Finally, it provides answers to frequently asked questions about the GDPR regulation and notes unexpected places where GDPR-related data can be found.

Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...Black Duck by Synopsys

This week’s Open Source Insight features a powerful visualization tool displaying the world’s biggest data breaches at name brands such as Ebay, Equifax, Anthem, and Target. The White House and British Foreign Office have condemned a cyber-attack launched by the Russian military on Ukraine and hint at reprisals. Black Duck brings open source vulnerability detection to Kubernetes, and Synopsys will host Elevate, an evening thought leadership event at Embedded World 2018 featuring an elite group of international cyber security experts leading a discussion about IoT and embedded systems security threats and solutions. Read on for all the open source security and cybersecurity news you need to know this week.

Open Source Insight: Happy Birthday Open Source and Application Security for ...Black Duck by Synopsys

Opinions differ on exactly when, but open source turned twenty this year. Most security breaches in 2017 were preventable (you hear that, Equifax?), and it’s time to take a look back to prevent similar breaches in 2018. iPhone source code gets leaked (for a short time). And keeping medical devices, voting machines, automobiles, and critical infrastructure safe in a world of increasing application risk. Read on for open source security and cybersecurity in Open Source Insight for February 9th, 2018.

Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsBlack Duck by Synopsys

This week in Open Source Insight we examine blockchain security and the cryptocurrency boom. Plus, take an in depth look at open source software in tech contracts with a legal expert from Tech Contracts Academy, Adobe Flash Player continues to be a security concern, the Open Source Initiative turns 20, and step by step instructions for migrating to Docker on Black Duck Hub. Cybersecurity and security breach news also dominates this week, as Synopsys examines security breaches in 2017 and how they were preventable.

Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Black Duck by Synopsys

FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...Black Duck by Synopsys

FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck HubBlack Duck by Synopsys

FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...Black Duck by Synopsys

FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...Black Duck by Synopsys

Open-Source- Sicherheits- und Risikoanalyse 2018Black Duck by Synopsys

FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...Black Duck by Synopsys

FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideBlack Duck by Synopsys

FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your DealBlack Duck by Synopsys

FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...Black Duck by Synopsys

FLIGHT Amsterdam Presentation - From Protex to Hub Black Duck by Synopsys

Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Black Duck by Synopsys

Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...Black Duck by Synopsys

Open Source Rookies and CommunityBlack Duck by Synopsys

Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...Black Duck by Synopsys

Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Black Duck by Synopsys

Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...Black Duck by Synopsys

Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...Black Duck by Synopsys

Open Source Insight: Happy Birthday Open Source and Application Security for ...Black Duck by Synopsys

Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsBlack Duck by Synopsys

Recently uploaded (20)

Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveScyllaDB

Want to learn practical tips for designing systems that can scale efficiently without compromising speed? Join us for a workshop where we’ll address these challenges head-on and explore how to architect low-latency systems using Rust. During this free interactive workshop oriented for developers, engineers, and architects, we’ll cover how Rust’s unique language features and the Tokio async runtime enable high-performance application development. As you explore key principles of designing low-latency systems with Rust, you will learn how to: - Create and compile a real-world app with Rust - Connect the application to ScyllaDB (NoSQL data store) - Negotiate tradeoffs related to data modeling and querying - Manage and monitor the database for consistently low latencies

Quantum Computing Quick Research Guide by Arthur MorganArthur Morgan

This is a Quick Research Guide (QRG). QRGs include the following: - A brief, high-level overview of the QRG topic. - A milestone timeline for the QRG topic. - Links to various free online resource materials to provide a deeper dive into the QRG topic. - Conclusion and a recommendation for at least two books available in the SJPL system on the QRG topic. QRGs planned for the series: - Artificial Intelligence QRG - Quantum Computing QRG - Big Data Analytics QRG - Spacecraft Guidance, Navigation & Control QRG (coming 2026) - UK Home Computing & The Birth of ARM QRG (coming 2027) Any questions or comments? - Please contact Arthur Morgan at [email protected]. 100% human made.

AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...SOFTTECHHUB

I started my online journey with several hosting services before stumbling upon Ai EngineHost. At first, the idea of paying one fee and getting lifetime access seemed too good to pass up. The platform is built on reliable US-based servers, ensuring your projects run at high speeds and remain safe. Let me take you step by step through its benefits and features as I explain why this hosting solution is a perfect fit for digital entrepreneurs.

AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...Alan Dix

Talk at the final event of Data Fusion Dynamics: A Collaborative UK-Saudi Initiative in Cybersecurity and Artificial Intelligence funded by the British Council UK-Saudi Challenge Fund 2024, Cardiff Metropolitan University, 29th April 2025 https://alandix.com/academic/talks/CMet2025-AI-Changes-Everything/ Is AI just another technology, or does it fundamentally change the way we live and think? Every technology has a direct impact with micro-ethical consequences, some good, some bad. However more profound are the ways in which some technologies reshape the very fabric of society with macro-ethical impacts. The invention of the stirrup revolutionised mounted combat, but as a side effect gave rise to the feudal system, which still shapes politics today. The internal combustion engine offers personal freedom and creates pollution, but has also transformed the nature of urban planning and international trade. When we look at AI the micro-ethical issues, such as bias, are most obvious, but the macro-ethical challenges may be greater. At a micro-ethical level AI has the potential to deepen social, ethnic and gender bias, issues I have warned about since the early 1990s! It is also being used increasingly on the battlefield. However, it also offers amazing opportunities in health and educations, as the recent Nobel prizes for the developers of AlphaFold illustrate. More radically, the need to encode ethics acts as a mirror to surface essential ethical problems and conflicts. At the macro-ethical level, by the early 2000s digital technology had already begun to undermine sovereignty (e.g. gambling), market economics (through network effects and emergent monopolies), and the very meaning of money. Modern AI is the child of big data, big computation and ultimately big business, intensifying the inherent tendency of digital technology to concentrate power. AI is already unravelling the fundamentals of the social, political and economic world around us, but this is a world that needs radical reimagining to overcome the global environmental and human challenges that confront us. Our challenge is whether to let the threads fall as they may, or to use them to weave a better future.

Manifest Pre-Seed Update | A Humanoid OEM Deeptech In Francechb3

Electronic_Mail_Attacks-1-35.pdf by xploitniftliyevhuseyn

Semantic Cultivators : The Critical Future Role to Enable AIartmondano

Mobile App Development Company in Saudi ArabiaSteve Jonas

EmizenTech is a globally recognized software development company, proudly serving businesses since 2013. With over 11+ years of industry experience and a team of 200+ skilled professionals, we have successfully delivered 1200+ projects across various sectors. As a leading Mobile App Development Company In Saudi Arabia we offer end-to-end solutions for iOS, Android, and cross-platform applications. Our apps are known for their user-friendly interfaces, scalability, high performance, and strong security features. We tailor each mobile application to meet the unique needs of different industries, ensuring a seamless user experience. EmizenTech is committed to turning your vision into a powerful digital product that drives growth, innovation, and long-term success in the competitive mobile landscape of Saudi Arabia.

Role of Data Annotation Services in AI-Powered ManufacturingAndrew Leo

Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Impelsys Inc.

Special Meetup Edition - TDX Bengaluru Meetup #52.pptxshyamraj55

Dev Dives: Automate and orchestrate your processes with UiPath MaestroUiPathCommunity

This session is designed to equip developers with the skills needed to build mission-critical, end-to-end processes that seamlessly orchestrate agents, people, and robots. 📕 Here's what you can expect: - Modeling: Build end-to-end processes using BPMN. - Implementing: Integrate agentic tasks, RPA, APIs, and advanced decisioning into processes. - Operating: Control process instances with rewind, replay, pause, and stop functions. - Monitoring: Use dashboards and embedded analytics for real-time insights into process instances. This webinar is a must-attend for developers looking to enhance their agentic automation skills and orchestrate robust, mission-critical processes. 👨‍🏫 Speaker: Andrei Vintila, Principal Product Manager @UiPath This session streamed live on April 29, 2025, 16:00 CET. Check out all our upcoming Dev Dives sessions at https://community.uipath.com/dev-dives-automation-developer-2025/.

What is Model Context Protocol(MCP) - The new technology for communication bw...Vishnu Singh Chundawat

The MCP (Model Context Protocol) is a framework designed to manage context and interaction within complex systems. This SlideShare presentation will provide a detailed overview of the MCP Model, its applications, and how it plays a crucial role in improving communication and decision-making in distributed systems. We will explore the key concepts behind the protocol, including the importance of context, data management, and how this model enhances system adaptability and responsiveness. Ideal for software developers, system architects, and IT professionals, this presentation will offer valuable insights into how the MCP Model can streamline workflows, improve efficiency, and create more intuitive systems for a wide range of use cases.

Drupalcamp Finland – Measuring Front-end Energy ConsumptionExove

2025-05-Q4-2024-Investor-Presentation.pptxSamuele Fogagnolo

Heap, Types of Heap, Insertion and DeletionJaydeep Kale

TrsLabs - Fintech Product & Business ConsultingTrs Labs

Hybrid Growth Mandate Model with TrsLabs Strategic Investments, Inorganic Growth, Business Model Pivoting are critical activities that business don't do/change everyday. In cases like this, it may benefit your business to choose a temporary external consultant. An unbiased plan driven by clearcut deliverables, market dynamics and without the influence of your internal office equations empower business leaders to make right choices. Getting things done within a budget within a timeframe is key to Growing Business - No matter whether you are a start-up or a big company Talk to us & Unlock the competitive advantage

Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell

Technology Trends in 2025: AI and Big Data AnalyticsInData Labs

At InData Labs, we have been keeping an ear to the ground, looking out for AI-enabled digital transformation trends coming our way in 2025. Our report will provide a look into the technology landscape of the future, including: -Artificial Intelligence Market Overview -Strategies for AI Adoption in 2025 -Anticipated drivers of AI adoption and transformative technologies -Benefits of AI and Big data for your business -Tips on how to prepare your business for innovation -AI and data privacy: Strategies for securing data privacy in AI models, etc. Download your free copy nowand implement the key findings to improve your business.

How Can I use the AI Hype in my Business Context?Daniel Lehner

𝙄𝙨 𝘼𝙄 𝙟𝙪𝙨𝙩 𝙝𝙮𝙥𝙚? 𝙊𝙧 𝙞𝙨 𝙞𝙩 𝙩𝙝𝙚 𝙜𝙖𝙢𝙚 𝙘𝙝𝙖𝙣𝙜𝙚𝙧 𝙮𝙤𝙪𝙧 𝙗𝙪𝙨𝙞𝙣𝙚𝙨𝙨 𝙣𝙚𝙚𝙙𝙨? Everyone’s talking about AI but is anyone really using it to create real value? Most companies want to leverage AI. Few know 𝗵𝗼𝘄. ✅ What exactly should you ask to find real AI opportunities? ✅ Which AI techniques actually fit your business? ✅ Is your data even ready for AI? If you’re not sure, you’re not alone. This is a condensed version of the slides I presented at a Linkedin webinar for Tecnovy on 28.04.2025.

Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveScyllaDB

Quantum Computing Quick Research Guide by Arthur MorganArthur Morgan

AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...SOFTTECHHUB

AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...Alan Dix

Manifest Pre-Seed Update | A Humanoid OEM Deeptech In Francechb3

Electronic_Mail_Attacks-1-35.pdf by xploitniftliyevhuseyn

Semantic Cultivators : The Critical Future Role to Enable AIartmondano

Mobile App Development Company in Saudi ArabiaSteve Jonas

Role of Data Annotation Services in AI-Powered ManufacturingAndrew Leo

Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Impelsys Inc.

Special Meetup Edition - TDX Bengaluru Meetup #52.pptxshyamraj55

Dev Dives: Automate and orchestrate your processes with UiPath MaestroUiPathCommunity

What is Model Context Protocol(MCP) - The new technology for communication bw...Vishnu Singh Chundawat

Drupalcamp Finland – Measuring Front-end Energy ConsumptionExove

2025-05-Q4-2024-Investor-Presentation.pptxSamuele Fogagnolo

Heap, Types of Heap, Insertion and DeletionJaydeep Kale

TrsLabs - Fintech Product & Business ConsultingTrs Labs

Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell

Technology Trends in 2025: AI and Big Data AnalyticsInData Labs

How Can I use the AI Hype in my Business Context?Daniel Lehner

Securing Docker Containers

1. Securing Docker Containers Randy Kilmon VP Engineering Black Duck Software

2. How Pervasive is Open Source? • > 98% of the applications tested used open source • On average, open source comprised over 30% of the code base Open Source Custom Code Composition of software tested across 1400 Black Duck customers Reference:Black Duck Softwareaudits

3. Building Trust & Confidence is Critical to Adoption of Docker Security is ranked as the #1 adoption challenge for containers • 60% of customers are concerned about container security and lack of certification/image provenance • 40% of available container images in contain High Priority Vulnerabilities • 4,000 new vulnerabilities in open source reported annually, e.g., Heartbleed, Shellshock, Venom, Ghost 3Black Duck Customer Conference

4. Areas of Concern Docker security issues fall into three main categories • Docker itself and the infrastructure it uses • The authenticity and provenance of the images themselves • The security profile of the content within the containers Docker runs 4Black Duck Customer Conference

5. Docker Infrastructure Docker Daemon / Docker Socket • Docker itself must run as root on the host system • attacks targeting the host system coming in through Docker would have root privs • Many Docker containers run with the –privileged flag set which extends privileges of the container allowing it to access all devices on the host system (BAD Idea). 5Black Duck Customer Conference

6. Responses Linux adaptations to counter the threat • Red Hat Atomic Host • SE linux (multi-tenancy) • “Locked down” system (read-only /usr) • Intended to change configurations only in /var & /etc • No yum package manager • VMware Photon and Lightwave • Photon is an optimized and secured Linux host designed for running containers at scale • Lightwave used for managing authorization and identity management 6Black Duck Customer Conference

7. Container Contents Containers can be vulnerable by virtue of the code that runs inside them • OSS components running inside containers represent potential attack vectors in the same way they can in traditional deployment models • Could cause problems for the application itself • Could cause more problems if the container is running with the – privileged flag set • Different OS flavors and versions, as well as different module versions • Based on any one of many Linux distributions • Patches must be managed carefully • Security, but also compatibility & supportability 7Black Duck Customer Conference

8. Responses Manage and monitor container content carefully • Dockerfile analysis is insufficient • .tar, .zip files could have anything inside them • Other layers are just referenced from other registries • Asking the package manager is insufficient • Not all modules are under package manager’s purview • Application layer code (.jar’s, e.g.) is never managed in this way • File inspection (scanning) is the only way to be sure about what’s there!! 8Black Duck Customer Conference

9. Microservices The more containers you spin up, the larger attack surface you expose • Speed is critical • Speed to detection of problems • Speed to remediation 9Black Duck Customer Conference

10. The Black Duck Solution Black Duck key differentiators • Platform-agnostic support in Hub for analyzing all content (whether inside containers or not) • Signature-based file identification • Automated identification • Able to show in which layer the component was introduced • Vulnerability reporting over time / alerting 10Black Duck Customer Conference

11. Key Integration Points Many options for workflow • Scan on any Docker host by accessing images through the Docker daemon • Scan on RH Atomic Host with file system level integration • Scan directly against a Docker registry • CI tools: Jenkins, Bamboo, etc. • OpenShift (currently in development)* 11Black Duck Customer Conference

12. Demo 12Black Duck Customer Conference

13. Q&A 13Black Duck Customer Conference Let’s talk about how you are using or plan to use Docker in your organizations

Securing Docker Containers

Recommended

More Related Content

What's hot (20)

Similar to Securing Docker Containers (20)

More from Black Duck by Synopsys (20)

Recently uploaded (20)

Securing Docker Containers