
[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh, Security Engineer at mgm technology partners Vietnam


Docker containers are a fast-growing technology that has become hugely popular in the software industry nowadays. It offers amazing benefits but also presents the developer with lots of security challenges. This talk will give you an introduction to Docker as well as basic security best practices. But don't worry, we will also do some live hacking :).

Published in: Technology

  1. Docker Security: Do you dockerize? Are your containers safe? Phạm Hồng Khánh. München, Aachen, Bamberg, Berlin, Boswil, Đà Nẵng, Dresden, Grenoble, Hamburg, Köln, Leipzig, Nürnberg, Prag, Stuttgart, Washington, Zug.
  2. 08.04.2019. whoami: Phạm Hồng Khánh, khanh.hong.pham@mgm-sp.com. Graduated from DUT; Web Application Security Engineer at mgm security partners; 5 years IP Networking; 3 years Infrastructure Operations.
  3. Dark Ages - One Application - One Server: slow deployment times; huge costs; wasted resources; difficult to scale; difficult to migrate.
  4. Hypervisor-based Virtualization. Benefits: one physical machine divided into multiple virtual machines. Limitations: resources; an entire guest OS.
  5. Docker Overview. Containers vs. Virtualization: lightweight & flexible. A docker container is: minimal; task specific; isolated; reproducible.
  6. Docker
  7. Docker
  8. Let's try something! Build, Ship, Run
  9. HOST, RESOURCES, CONTAINERS, IMAGES, REGISTRY
  10. Dockerfile
  11. “It doesn't matter how many locks are on your door if your window is open”
  12. Know your threat model and your attack surface!
  13. Docker Attack Surfaces: HOST, RESOURCES, CONTAINERS, IMAGES, REGISTRY
  14. Docker Image Security (IMAGES): Images are the basis of a docker container, so we just use them all, don't we?
  15. Let's try something! Crypto Mining Container
  16. Docker Image Security: 17 cryptomining containers on Docker Hub; active for almost a year; made around $90,000 = 2 Billion VND in Bitcoins.
  17. What can we do to have a safe image? Use official repositories as parent images. Scan images! MicroBadger. Sign images / verify signatures. Do not put secrets in images!
  18. A secure Docker Registry (REGISTRY). Private Registry Security: cheap, under your control; you have to think about everything yourself! Hosted: AWS or Google or DockerHub; more features; privacy! Costs!
  19. Docker Container Security (CONTAINERS): Secure defaults. Can be more robust.
  20. Let's try something! Privileged Container
  21. What can we do to have a safe container? Best Practices. Least Privilege! Do not use --privileged. Docker runs as root by default! Use: docker run --user 1001 <img>. Use security policies! Seccomp (default profile), AppArmor, SELinux. Limit resources! Use: docker run -it --memory=2G --memory-swap=3G ubuntu bash (--memory-swap is the combined memory plus swap total, so it must not be smaller than --memory).
  22. Docker Host Security (HOST): Docker is only as secure as the underlying host! Best Practices: Make sure your system is patched and monitored! Use minimal systems designed for this purpose as base system. Docker itself should be configured securely.
  23. Docker Bench Security: https://github.com/docker/docker-bench-security
  24. Tips: “How to be safe”! Know your attack surface! Docker: okay by default. Solution: Harden your Containers! Test and audit regularly. Keep everything up to date. (HOST, CONTAINERS, REGISTRY, IMAGES)
  25. Interested in Security?
  26. Thank you! Questions?
  27. Innovation Implemented. mgm technology partners Vietnam, 07 Phan Chau Trinh, Đà Nẵng. Tel.: +49 (89) 35 86 80-0, Fax: +49 (89) 35 86 80-288, www.mgm-tp.com
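
The container best practices on slide 21 can be checked against running containers by reading `docker inspect` output. The following is an added example, not part of the original slides: the container names and the trimmed sample JSON are constructed, and the function names are hypothetical.

```python
import json
import sys

# Constructed sample: trimmed `docker inspect` output for two containers.
SAMPLE = json.loads("""
[
  {"Name": "/legacy-app",
   "Config": {"User": ""},
   "HostConfig": {"Privileged": true, "Memory": 0, "MemorySwap": 0,
                  "SecurityOpt": ["seccomp=unconfined"]}},
  {"Name": "/api",
   "Config": {"User": "1001"},
   "HostConfig": {"Privileged": false, "Memory": 2147483648,
                  "MemorySwap": 3221225472, "SecurityOpt": null}}
]
""")


def audit_container(c):
    """Return the slide-21 hardening rules that one inspected container violates."""
    host = c.get("HostConfig") or {}
    user = (c.get("Config") or {}).get("User") or ""
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: started with --privileged")
    # An empty Config.User means the container process runs as root (UID 0).
    if user.split(":")[0] in {"", "0", "root"}:
        findings.append("root: container process runs as root")
    for opt in host.get("SecurityOpt") or []:
        # Both "seccomp=unconfined" and the older "seccomp:unconfined" spelling occur.
        name, _, value = opt.replace(":", "=", 1).partition("=")
        if name in ("seccomp", "apparmor") and value == "unconfined":
            findings.append(f"policy: {name} profile disabled")
    if not host.get("Memory"):  # 0 means no --memory limit was set
        findings.append("resources: no --memory limit")
    return findings


def audit(containers):
    """Map container name -> findings, keeping only containers with findings."""
    report = {}
    for c in containers:
        findings = audit_container(c)
        if findings:
            report[c.get("Name", "?").lstrip("/")] = findings
    return report


if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -q) > containers.json, then pass the file name.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, findings in audit(data).items():
        for finding in findings:
            print(f"{name}: {finding}")
```
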
