stackconf 2020 | SecDevOps containers by Jose Ortega

SecDevops Containers
● @jmortegac
● http://jmortega.github.io
● https://www.linkedin.com/in/jmortega1/

https://bpbonline.com/products/devops-and-containers-security-
security-and-monitoring-in-docker-containers

● Introduction
● Containers Security
● SecDevops tools
● DevOps security best practices

● Increased speed and agility for security
teams.
● Increased or better collaboration and
communication across teams.
● Increased opportunities for automated builds
and quality assurance testing.
● Early identification of vulnerabilities in
application code.

● 1. Containers are NOT Virtual Machines
● 2. Containers are isolated area in the OS kernel
● 3. Kubernetes is a Container Orchestration Platform.
● 4. Kubernetes abstracts the cloud vendor (AWS,Azure,
GCP) scalability features.

● Build Small Container Images
○ Use Alpine Image as your base Linux OS
○ Using distroless images
○ Smaller image size reduce the Container
vulnerabilities.

● Distroless Images
○ https://github.com/GoogleCloudPlatform/distroless

● Containers inmutability
○ Container images follow a unix philosophy
○ Container images should be immutable
○ RUN rm /usr/bin/apt-* /usr/bin/dpkg*

● Avoid root user
○ Create a User account
○ Add Runtime software’s based on the User Account.
○ Run the App under the user account
○ Add Security module SELinux or AppArmour to
increase the security

● Container Security
○ Secure your HOST OS. Containers runs on Host
Kernel.
○ No Runtime software downloads inside the container.
○ Declare the software requirements at the build time
itself.
○ Download Docker base images from Authentic site.
○ Limit the resource utilization using Container
orchestrators like Kubernetes.
○ Don’t run anything on Super privileged mode.

● Docker hub
○ Do you have your own container registry?
○ Do you check your Dockerfiles?
○ Your pipelines has permissions and access to publish
in docker hub?
○ Do you inspect your Dockerfiles?
○ Do you have Docker builds correctly configured?
○ Do you control where layers are built?

● Docker Content Trust
○ https://docs.docker.com/engine/security/trust/
content_trust/
○ export DOCKER_CONTENT_TRUST =1
○ Protection of malicious code in images.
○ Protection against repeated attacks.
○ Protection against key commitments.

● Exploring layers in docker images
○ https://github.com/wagoodman/dive

● Container introspection tool
○ https://github.com/genuinetools/amicontained

● Docker bench security
○ https://github.com/docker/docker-bench-security

● Kubernetes Security
○ Preventing image manipulation and unauthorized
access
○ Deploying Pods without root permissions
○ Pod Security Policies
○ Secrets management

● Pods Security
○ Never access a Pod directly from another Pod.
○ Never use :latest tag in the image in the
production scenario.

● Namespaces
○ Group your services/pods traffic rules based on
specific namespace.
○ Handle specific Resource Allocations for a
Namespace.
○ If you have more than a dozen Microservices then it’s
time to bring in Namespaces.

● Using official images
○ Use images provided by a vendor
○ Critical vulnerabilities are resolved automatically when
they are updated.

● https://kubesec.io/

Dangerous pod configurations

CPU and memory limits to prevent DoS

runAsNonRoot flag in pod configuration

Capabilities in pod configuration

Kubebench-CIS Kubernetes Benchmark
https://github.com/aquasecurity/kube-bench
● Master Node Security Configuration
○ API Server
○ Scheduler
○ Controller Manager /Configuration Files
○ General Security Primitives
○ PodSecurityPolicices
● Worker Node Security Configuration
○ Kubelet
○ Configuration Files

Kubebench-CIS Kubernetes Benchmark
https://github.com/aquasecurity/kube-bench

Kubehunter

Kubeaudit
https://github.com/Shopify/kubeaudit

Pod Security Policies
https://kubernetes.io/docs/concepts/policy/pod-security-policy/

Kube PSP advisor
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
"hostNetwork": [
{
"metadata": {
"name": "busy-rs",
"kind": "ReplicaSet"
},
"namespace": "psp-test",
"hostPID": true,
"hostNetwork": true,
"hostIPC": true,
"volumeTypes": [
"configMap"
]
},
{
"metadata": {
"name": "busy-pod",
"kind": "Pod"
},
"namespace": "psp-test",
"hostNetwork": true,
"volumeTypes": [
"hostPath",
"secret"
],
"mountedHostPath": [
"/usr/bin"
]

Sysdig falco
https://sysdig.com/opensource/falco/

Sysdig falco policies
○ A shell that runs inside a container with root
privileges.
○ A process that generates another process with
unexpected behavior.
○ Reading a confidential file, for example the
etc/shadow
○ A process that is using a file that is not a device type
in the /dev path, indicating a possible rootkit activity.

Security best practices
● Do not run containers and pods as root.
● Disable capabilities and privileges
● One application per container, microservice
oriented approach.
● Use small images

● Training and communication is the key to
success
● DevSecOps is not about only ools but the
correct tools are necessary.
● Follow “Least privilege principle”

● https://opensource.com/article/18/8/tools-container-s
ecurity
● https://www.devsecops.org/
● https://github.com/devsecops/awesome-devsecops
● https://cloudowski.com/articles/how-to-increase-cont
ainer-security-with-proper-images/
● https://www.twistlock.com/container-security
● https://developer.okta.com/blog/2019/07/18/container
-security-a-developer-guide

stackconf 2020 | SecDevOps containers by Jose Ortega

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie stackconf 2020 | SecDevOps containers by Jose Ortega

Ähnlich wie stackconf 2020 | SecDevOps containers by Jose Ortega (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

stackconf 2020 | SecDevOps containers by Jose Ortega