https://2022.pythonwebconf.com/presentations/why-should-developers-care-about-container-security
Container scanning tools, industry publications, and application security experts are constantly telling us about best practices for how to build our images and run our containers. Often these non-functional requirements seem abstract and are not described well enough for those of us that don't have an appsec background to fully understand why they are important.
In this session, we will:
go over several of the most common practices to best containerize Python applications
show examples of how your application can be exploited in a container
and most importantly, how to easily spot issues and fix your Dockerfiles and deployment manifests before you commit your code
5. Coding
Test & Fix
Branch Repo
Test, Fix
Monitor
CI/CD
Test & Fix
Production
Test, Fix
Monitor
Test
Registry
Build Deploy
Get artifacts
Get public & private artifacts
SDLC Pipeline
7. Container Challenges
Historically, developers have owned
the security posture of their own
code and the libraries used.
Containers add security concerns
at the operating-system level such
as base-image selection, package
installation, user and file
permissions, and more.
Increased Scope of
Responsibility
These additional technologies used
to be owned by other teams such
as system engineers or middleware
teams. Many developers have
never had to deal with securing
these layers of the stack.
Lack of Expertise
While shifting security left adds
responsibilities to developer teams,
the business owners have
expectations that pipeline velocity
will not be negatively impacted.
Maintaining Velocity
8. Ownership of
developers
What does my service contain?
● Source code of my app
● 3rd party dependencies
● Dockerfile
● IaC files (eg. Terraform)
● K8s files
9. The financial giant said the
intruder exploited a
configuration vulnerability
“
“
-- https://www.theregister.com/2019/07/30/capital_one_hacked/
Configuration is a security risk
14. Coding
Test & Fix
Branch Repo
Test, Fix
Monitor
CI/CD
Test & Fix
Production
Test, Fix
Monitor
Test
Registry
Build Deploy
Get artifacts
Get public & private artifacts
SDLC Pipeline
17. Defence
in Depth
Further practices
and tech to
consider.
Images
Runtime
Kubernetes
Minimize Footprint
Don’t give hackers more tools to expand their exploits
Layer Housekeeping
Understand how layers work at build and run-time
Build strategies
Multi-Stage, repeatable builds, standardized labeling,
alternative tools
Secure Supply Chain
Know where images come from.
Only CI should push to registries.
18. Defence
in Depth
Further practices
and tech to
consider.
Images
Runtime
Kubernetes
Don’t run as root
You probably don’t need it.
Privileged Containers
You almost definitely don’t need it.
Drop capabilities
Most apps don’t need even Linux capabilities;
dropping all and allow only what’s needed.
Read Only Root Filesystem
Immutability makes exploiting your container harder.
Deploy from known sources
Pull from known registries only.
19. Defence
in Depth
Further practices
and tech to
consider.
Images
Runtime
Kubernetes
Secrets
Use them but make sure they’re encrypted and have
RBAC applied
RBAC
Hopefully everybody is using this.
SecurityContext
Much of the Runtime practices mentioned can be
enforced via SC
Network Policy
Start with zero-trust and add allow rules only as
necessary.
Enforcement
Use OPA (Gatekeeper), Kyverno, etc
20. Key Takeaways
Just like unit tests, fast, actionable
security feedback is critical.
Working security into a developer’s
workflow without slowing them
down drives adoption.
Feedback Loop
Giving developers tools that
provide actionable information can
allow them to deal with security
issues as they are introduced.
Empower developers
to be proactive
Implementing known secure
practices for building and running
your container images and IaC
configurations can mitigate
vulnerabilities that slip into
deployments as well as zero-day
vulnerabilities that may exist.
Defence in depth