SecDevops Containers
● @jmortegac
● http://jmortega.github.io
● https://www.linkedin.com/in/jmortega1/
https://bpbonline.com/products/devops-and-containers-security-security-and-monitoring-in-docker-containers
● Introduction
● Containers Security
● SecDevops tools
● DevOps security best practices
● Increased speed and agility for security teams.
● Better collaboration and communication across teams.
● More opportunities for automated builds and quality assurance testing.
● Early identification of vulnerabilities in application code.
1. Containers are NOT virtual machines.
2. A container is a set of processes isolated by the host OS kernel (namespaces, cgroups); it shares that kernel with every other container on the host.
3. Kubernetes is a container orchestration platform.
4. Kubernetes abstracts the cloud vendors' (AWS, Azure, GCP) scalability features.
● Build small container images
○ Use Alpine as your base Linux image
○ Use distroless images
○ A smaller image carries fewer packages and binaries, so there are fewer vulnerabilities to patch and less for an attacker to work with once inside the container.
● Distroless Images
○ https://github.com/GoogleCloudPlatform/distroless
● Container immutability
○ Container images follow the Unix philosophy: one job per image
○ Container images should be immutable: rebuild and redeploy instead of patching a running container
○ Remove the package manager from the final image so nothing can be installed at runtime:
○ RUN rm /usr/bin/apt-* /usr/bin/dpkg*
● Avoid the root user
○ Create a dedicated user account in the image
○ Install the runtime software with ownership set to that user account
○ Run the application under that user account (USER directive)
○ Add a security module, SELinux or AppArmor, to increase the isolation
● Container security
○ Secure your HOST OS: containers run on the host kernel, and a kernel compromise defeats every container on that host.
○ No runtime software downloads inside the container.
○ Declare the software requirements at build time instead.
○ Download Docker base images only from official, trusted registries.
○ Limit resource utilization using container orchestrators like Kubernetes.
○ Don't run anything in privileged mode (--privileged).
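The Dockerfile hygiene points from the previous slides (pinned base image, no root user, no package manager left in the final image, no unverified downloads) can be checked automatically in the pipeline. The following script is an added example written for this page, not code from the talk or from any tool it lists; the two Dockerfiles it inspects are constructed for the demo, and the rule names and the `lint_dockerfile` / `base_image_pinned` helpers are this example's own.

```python
"""Static Dockerfile checks for the hardening points on the slides above.

Added example, not code from the talk or from any tool it lists. The two
Dockerfiles are constructed for the demo; the rule names are this script's own.
"""
import re
from typing import List, Tuple

# Constructed Dockerfile that breaks every rule on purpose.
BAD_DOCKERFILE = """\
FROM python:latest
RUN apt-get update && \\
    apt-get install -y curl
RUN curl -sSL https://example.invalid/install.sh | sh
ADD https://example.invalid/app.tar.gz /opt/
COPY . /app
CMD ["python", "/app/main.py"]
"""

# Constructed Dockerfile that follows the slides: pinned tag, multi-stage build,
# distroless final image with no shell or package manager, non-root user.
GOOD_DOCKERFILE = """\
FROM python:3.9-slim AS build
COPY requirements.txt /tmp/
RUN pip install --no-cache-dir --prefix=/install -r /tmp/requirements.txt

FROM gcr.io/distroless/python3-debian11:nonroot
COPY --from=build /install /usr/local
COPY app /app
USER nonroot
CMD ["/app/main.py"]
"""

# "curl ... | sh" style installs: unverified code executed at build time.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")
PKG_INSTALL = re.compile(r"\b(apt-get|apt|apk|yum|dnf)\b.*\b(install|add)\b")
PKG_REMOVE = re.compile(r"\brm\b.*\b(apt|dpkg|apk|yum|dnf)")


def parse_dockerfile(text: str) -> List[List[Tuple[str, str]]]:
    """Split a Dockerfile into build stages (one per FROM); each stage is a list
    of (INSTRUCTION, arguments). Comments and backslash continuations are
    handled, which is all the checks below need."""
    stages: List[List[Tuple[str, str]]] = []
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        instr, _, args = logical.partition(" ")
        logical = ""
        instr = instr.upper()
        if instr == "FROM":
            stages.append([])
        if stages:
            stages[-1].append((instr, args.strip()))
    return stages


def base_image_pinned(from_args: str) -> bool:
    """True when the FROM reference carries a non-latest tag or a digest.
    Skips --platform flags and the 'AS name' suffix."""
    tokens = [t for t in from_args.split() if not t.startswith("--")]
    ref = tokens[0]
    if ref == "scratch" or "@sha256:" in ref:
        return True
    # Drop a registry host (possibly host:port) before looking for the tag.
    name = ref.rsplit("/", 1)[-1]
    if ":" not in name:
        return False
    return name.rsplit(":", 1)[1] != "latest"


def lint_dockerfile(text: str) -> List[str]:
    """Return the sorted, de-duplicated findings; an empty list means clean."""
    findings = set()
    stages = parse_dockerfile(text)
    if not stages:
        return ["no_from_instruction"]
    for instr, args in (pair for stage in stages for pair in stage):
        if instr == "FROM" and not base_image_pinned(args):
            findings.add("unpinned_base_image")
        if instr == "RUN" and PIPE_TO_SHELL.search(args):
            findings.add("unverified_download")
        if instr == "ADD" and re.match(r"https?://", args):
            findings.add("unverified_download")
    # Only the final stage ships, so the user and package-manager checks apply there.
    final = stages[-1]
    users = [args for instr, args in final if instr == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.add("runs_as_root")
    runs = [args for instr, args in final if instr == "RUN"]
    if any(PKG_INSTALL.search(r) for r in runs) and not any(PKG_REMOVE.search(r) for r in runs):
        findings.add("package_manager_kept")
    return sorted(findings)


if __name__ == "__main__":
    print("bad: ", lint_dockerfile(BAD_DOCKERFILE))
    print("good:", lint_dockerfile(GOOD_DOCKERFILE))
```

Pass a real Dockerfile's contents to `lint_dockerfile` in CI and fail the build on a non-empty list. The USER check is purely textual: a base image that already switches to a non-root user in its image config (a distroless `:nonroot` image, for instance) still needs an explicit USER line to satisfy it.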
● Docker Hub
○ Do you have your own container registry?
○ Do you check your Dockerfiles?
○ Do your pipelines have permissions and access to publish to Docker Hub, and who holds those credentials?
○ Are your Docker builds correctly configured?
○ Do you control where layers are built?
● Docker Content Trust
○ https://docs.docker.com/engine/security/trust/content_trust/
○ export DOCKER_CONTENT_TRUST=1
○ Images are signed on push and their signatures verified on pull (Notary, based on TUF).
○ Protection against malicious code in images (a tampered image fails verification).
○ Protection against replay attacks (being served an old, previously signed image).
○ Protection against key compromise (offline root key, separate per-repository keys).
● Exploring layers in docker images
○ https://github.com/wagoodman/dive
● Container introspection tool
○ https://github.com/genuinetools/amicontained
● Docker bench security
○ https://github.com/docker/docker-bench-security
● Kubernetes Security
○ Preventing image manipulation and unauthorized
access
○ Deploying Pods without root permissions
○ Pod Security Policies
○ Secrets management
● Pod security
○ Never address a Pod directly (by Pod IP) from another Pod; route traffic through a Service.
○ Never use the :latest tag for an image in production; pin a version tag or digest so you know what is running.
● Namespaces
○ Group your services/pods and their traffic rules (NetworkPolicy) per namespace.
○ Apply resource allocations (ResourceQuota, LimitRange) per namespace.
○ If you have more than a dozen microservices, it's time to bring in namespaces.
● Using official images
○ Use images provided by the vendor
○ Critical vulnerabilities are fixed by the vendor in updated images; you still have to pull the update and redeploy.
● https://kubesec.io/
Dangerous pod configurations
● CPU and memory limits to prevent DoS
● runAsNonRoot flag in pod configuration
● Capabilities in pod configuration
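The settings on these slides are what kubesec, kubeaudit and kube-psp-advisor flag. As an added example, not part of the talk and not the code of any of those tools, the script below walks a Pod object in the shape `kubectl get pod -o json` returns and reports the dangerous settings: host namespaces, hostPath volumes, privileged containers, missing runAsNonRoot, privilege escalation left enabled, added capabilities, missing CPU/memory limits and mutable image tags. The two Pod manifests are constructed for the demo, and the finding names and the DANGEROUS_CAPS set are this example's own choices.

```python
"""Audit Pod specs for the dangerous settings listed on the slides.

Added example; not from the talk and not kubesec/kubeaudit code. The two
manifests are constructed (the shape `kubectl get pod -o json` returns) and
the finding names are this script's own.
"""
from typing import Any, Dict, List

# Capabilities whose addition is close to root on the node (this script's own list).
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "ALL"}

# Constructed: modelled on the kube-psp-advisor "busy-pod" report on the next slides.
DANGEROUS_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "busy-pod", "namespace": "psp-test"},
    "spec": {
        "hostPID": True, "hostNetwork": True,
        "volumes": [{"name": "bin", "hostPath": {"path": "/usr/bin"}}],
        "containers": [{
            "name": "app", "image": "busybox",
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "bin", "mountPath": "/host/bin"}],
        }],
    },
}

# Constructed: what the same workload looks like after applying the slides' advice.
HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app", "namespace": "prod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": "registry.example/app:1.4.2",
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding string per dangerous setting; empty means clean."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings: List[str] = []
    # Sharing a host namespace lets the container see host processes/network/IPC.
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(field):
            findings.append(f"host_namespace:{field}")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"host_path_volume:{vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c["name"]
        sc = c.get("securityContext", {})
        # Container-level securityContext overrides the pod-level value.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"may_run_as_root:{name}")
        if sc.get("privileged"):
            findings.append(f"privileged:{name}")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"privilege_escalation_allowed:{name}")
        caps = sc.get("capabilities", {})
        added = set(caps.get("add", [])) & DANGEROUS_CAPS
        if added:
            findings.append(f"dangerous_capabilities:{name}:{','.join(sorted(added))}")
        if "ALL" not in caps.get("drop", []):
            findings.append(f"capabilities_not_dropped:{name}")
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            findings.append(f"no_resource_limits:{name}")
        # No tag, or :latest, means the running code can change under you.
        last = c.get("image", "").rsplit("/", 1)[-1]
        if ":" not in last or last.endswith(":latest"):
            findings.append(f"mutable_image_tag:{name}")
    return findings


if __name__ == "__main__":
    for pod in (DANGEROUS_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "clean")
```

Pod Security Admission's restricted profile enforces most of the same conditions cluster-wide (no host namespaces, no privileged containers, runAsNonRoot, allowPrivilegeEscalation false, drop ALL capabilities); resource limits and image tags are outside its scope and still need a check like this one or a LimitRange.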
kube-bench: CIS Kubernetes Benchmark
https://github.com/aquasecurity/kube-bench
● Master node security configuration
○ API server
○ Scheduler
○ Controller manager / configuration files
○ General security primitives
○ Pod Security Policies
● Worker node security configuration
○ Kubelet
○ Configuration files
kube-hunter
https://github.com/aquasecurity/kube-hunter
Kubeaudit
https://github.com/Shopify/kubeaudit
Pod Security Policies
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; the built-in replacement is Pod Security Admission, which enforces the baseline and restricted Pod Security Standards per namespace.
Kube PSP advisor
https://github.com/sysdiglabs/kube-psp-advisor
Example inspection report: workloads in the psp-test namespace that request the host network namespace, with the other host namespaces, volume types and host paths each one uses (everything a generated policy would have to permit):
"hostNetwork": [
  {
    "metadata": {
      "name": "busy-rs",
      "kind": "ReplicaSet"
    },
    "namespace": "psp-test",
    "hostPID": true,
    "hostNetwork": true,
    "hostIPC": true,
    "volumeTypes": [
      "configMap"
    ]
  },
  {
    "metadata": {
      "name": "busy-pod",
      "kind": "Pod"
    },
    "namespace": "psp-test",
    "hostNetwork": true,
    "volumeTypes": [
      "hostPath",
      "secret"
    ],
    "mountedHostPath": [
      "/usr/bin"
    ]
  }
]
Falco (Sysdig)
https://sysdig.com/opensource/falco/
Falco policies
○ A shell that runs inside a container with root privileges.
○ A process that spawns another process with unexpected behaviour (e.g. a web server launching a shell).
○ Reading a sensitive file, for example /etc/shadow.
○ A process that creates a file that is not a device node under /dev, indicating possible rootkit activity.
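The four Falco policies above are conditions over system-call events enriched with process, user and container metadata. As an added example, not Falco's rule language or engine and not code from the talk, the script below expresses those four conditions in Python and evaluates them over a constructed batch of events whose fields are named after the Falco fields they mimic (evt.type, proc.name, proc.pname, user.uid, container.id, fd.name, fd.typechar, evt.arg.flags); the allowlists and rule names are this example's own.

```python
"""Falco-style runtime rules evaluated over constructed container events.

Added example; not Falco's rule syntax or engine and not code from the talk.
Events are constructed and their keys mimic Falco field names; the allowlists
and rule names are this script's own.
"""
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]

SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
SENSITIVE_FILES = {"/etc/shadow", "/etc/sudoers", "/root/.ssh/id_rsa"}
# Processes legitimately allowed to read the sensitive files above.
SENSITIVE_READERS = {"sshd", "login", "su", "sudo"}
# Expected children per parent process; anything else is "unexpected".
EXPECTED_CHILDREN = {"nginx": {"nginx"}, "node": {"node"}, "java": set()}


def in_container(e: Event) -> bool:
    """Falco reports container.id = "host" for processes outside any container."""
    return e.get("container.id") not in (None, "", "host")


def shell_as_root(e: Event) -> bool:
    return (e["evt.type"] == "execve" and in_container(e)
            and e["proc.name"] in SHELLS and e.get("user.uid") == 0)


def unexpected_child(e: Event) -> bool:
    parent = e.get("proc.pname")
    return (e["evt.type"] == "execve" and parent in EXPECTED_CHILDREN
            and e["proc.name"] not in EXPECTED_CHILDREN[parent])


def sensitive_file_read(e: Event) -> bool:
    return (e["evt.type"] in ("open", "openat") and e.get("fd.name") in SENSITIVE_FILES
            and e["proc.name"] not in SENSITIVE_READERS)


def non_device_in_dev(e: Event) -> bool:
    # Simplified form of Falco's check: a regular file (fd.typechar "f") being
    # created under /dev, where only char/block device nodes ("c"/"b") belong.
    return (e["evt.type"] in ("open", "openat", "creat")
            and str(e.get("fd.name", "")).startswith("/dev/")
            and e.get("fd.typechar") == "f"
            and "O_CREAT" in e.get("evt.arg.flags", ""))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("shell_in_container_as_root", shell_as_root),
    ("unexpected_child_process", unexpected_child),
    ("sensitive_file_read", sensitive_file_read),
    ("non_device_file_in_dev", non_device_in_dev),
]

# Constructed event stream: one benign nginx worker, a root shell spawned by
# nginx, that shell reading /etc/shadow, sshd on the host reading /etc/shadow
# (allowed), a hidden regular file created under /dev, and a benign /dev/urandom read.
CID = "3fa2b1c0d9e8"
EVENTS: List[Event] = [
    {"evt.type": "execve", "proc.name": "nginx", "proc.pname": "nginx", "user.uid": 101, "container.id": CID},
    {"evt.type": "execve", "proc.name": "bash", "proc.pname": "nginx", "user.uid": 0, "container.id": CID},
    {"evt.type": "openat", "proc.name": "cat", "proc.pname": "bash", "user.uid": 0, "container.id": CID,
     "fd.name": "/etc/shadow", "fd.typechar": "f", "evt.arg.flags": "O_RDONLY"},
    {"evt.type": "openat", "proc.name": "sshd", "proc.pname": "systemd", "user.uid": 0, "container.id": "host",
     "fd.name": "/etc/shadow", "fd.typechar": "f", "evt.arg.flags": "O_RDONLY"},
    {"evt.type": "openat", "proc.name": "rk", "proc.pname": "bash", "user.uid": 0, "container.id": CID,
     "fd.name": "/dev/.rk", "fd.typechar": "f", "evt.arg.flags": "O_WRONLY|O_CREAT"},
    {"evt.type": "openat", "proc.name": "node", "proc.pname": "node", "user.uid": 1000, "container.id": CID,
     "fd.name": "/dev/urandom", "fd.typechar": "c", "evt.arg.flags": "O_RDONLY"},
]


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule each event triggers."""
    return [(i, name) for i, e in enumerate(events) for name, pred in RULES if pred(e)]


if __name__ == "__main__":
    for idx, rule in evaluate(EVENTS):
        e = EVENTS[idx]
        print(f"ALERT {rule}: proc={e['proc.name']} parent={e.get('proc.pname')} "
              f"uid={e.get('user.uid')} container={e.get('container.id')} fd={e.get('fd.name')}")
```

Real Falco rules carry exception lists (the legitimate readers of /etc/shadow, the binaries allowed to create nodes under /dev) far longer than the ones here; without them a rule fires constantly and ends up disabled, so build the allowlists from a baseline of the workload before alerting on them.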
Security best practices
● Do not run containers and pods as root.
● Drop capabilities and privileges the application does not need.
● One application per container, microservice-oriented approach.
● Use small images.
● Training and communication are the key to success.
● DevSecOps is not only about tools, but the right tools are necessary.
● Follow the principle of least privilege.
● https://opensource.com/article/18/8/tools-container-security
● https://www.devsecops.org/
● https://github.com/devsecops/awesome-devsecops
● https://cloudowski.com/articles/how-to-increase-container-security-with-proper-images/
● https://www.twistlock.com/container-security
● https://developer.okta.com/blog/2019/07/18/container-security-a-developer-guide
stackconf 2020 | SecDevOps containers by Jose Ortega