CONFIDENTIAL © 2019 Synopsys, Inc.
Vulnerabilities in Containerised Production Environments
Tim Mackey, Senior Technology Evangelist, Synopsys
Changes in Security Mindset When Adopting Container Technologies
Data centers are prime targets for attack
2017 (Source: 2017 Cost of Data Breach Study (US Data), Ponemon Institute)
• Average cost of data breach: $3.62 million
• Lost business: $4.03 million
• Average time to identify and contain a breach: 257 days
2018 (Source: 2018 Cost of Data Breach Study (US Data), Ponemon Institute)
• Average cost of data breach: $3.86 million
• Lost business: $4.20 million
• Average time to identify and contain a breach: 266 days
Certifications and regulations guide current processes
On-prem infrastructure policies
• DISA STIG, OVAL Definitions, and XCCDF
• Managed via Chef, Puppet, Ansible, raw SSH tooling
• Private cloud adopts similar policies
Public cloud infrastructure policies
• Provider responsible for infrastructure security
• Tenant remains responsible for VM security
• Some operational risk transferred to provider
Focus for certifications and regulations
• PCI, PII, and PHI
• Process-centric and often not technology aware
• Developers assume compliance and no feedback loop
• NIST 800-137 focused on process
• Continuous monitoring isn’t prescriptive
Equifax breach focused attention on open source
Container technologies are largely open source
Managing risk when you don’t own the stack
Modern application = Proprietary code + Open source components + API usage + Application behavior and configuration
Risk is a function of the full stack—not just the app
“CNCF Interactive Landscape” application
Cloud Native Computing Foundation provides a web-based application to browse for partner technology providers.
Application details
• 40K source lines of code
• Node.js application framework
• Containerized and deployed on Kubernetes
• 0.05% of code in use is custom
• 99.5% of code is in the stack
• Risks present at all layers of the stack
Source: CNCF Presentation: How good is our code?
Cloud-native design rules
1. Containers are immutable
- Create once, run many instances
2. Containers are ephemeral
- A container’s life should be only as long as absolutely required
3. Containers can be sacrificed
- Orchestration systems may terminate a container if needed
- No guarantee of life span
- Don’t store data or logs in containers
4. Containers limit resource access
- Define groups for CPU/RAM access
- Avoid use of ROOT credentials
- Layered file system helps manage storage
Designing a container is like developing a new car
Development and Operations
• Engineers design using internal and external components
• Production assembles components into a vehicle
• Vehicle safety and assembly tests ensure compliance
• Vehicle delivery occurs using trusted carriers to dealerships
• Vehicle deployment occurs at time of purchase
• Repair occurs using validated components
• Regulators define governance and compliance criteria
At each stage of development, question everything
1. Where does your base image actually come from?
2. What is the health of that base image?
3. You’re updating it at build time, but from what cache?
4. You trust your build servers, but who controls them?
5. Is there any way a foreign container can start in your environment?
6. Who has rights to modify container images?
7. What happens if the base image registry goes away?
8. What happens if the base image tag goes away?
9. When a security disclosure happens, what’s the process to determine impact?
10. How are images being updated and deployed in the face of new security disclosures?
Container usage can trigger IP governance issues—i.e., `docker push` is potentially a distribution.
Image health is critical to application security
Examples: Docker Hub Container Scanning; Red Hat Container Catalog Health Index
Example: How image layer cache affects security
[root@localhost project]# docker history scanner_base:4.2.0
IMAGE CREATED CREATED BY SIZE COMMENT
395dfd09d6d7 16 hours ago /bin/sh -c #(nop) EXPOSE 9036/tcp 0 B
6ccb88892a15 16 hours ago /bin/sh -c #(nop) ENTRYPOINT ["/scanner" 0 B
604fcdb13b57 16 hours ago /bin/sh -c #(nop) LABEL name=Base scanner 0 B
5bf60b767227 2 days ago /bin/sh -c #(nop) COPY file:0319ebe1148b5cefa 682 B
fe23aeab7fcc 2 days ago /bin/sh -c #(nop) COPY file:e822182ba43798ba0 11.36 kB
9cdc179735ad 2 days ago /bin/sh -c #(nop) COPY file:e822182ba43798ba0 11.36 kB
57bd5e62be14 2 days ago /bin/sh -c #(nop) COPY dir:d9dc3b531575096c83 241.6 MB
a1cb8fd37a68 2 days ago /bin/sh -c #(nop) COPY file:98c69c969ee05b51b 6.14 MB
13855a218a3e 7 days ago /bin/sh -c #(nop) ENV PATH=/scan.cli-4.2.0/b 0 B
885efab8f9b5 7 days ago /bin/sh -c #(nop) ENV APP_HOME=/scan.cli-4.2 0 B
1ed791e999b5 7 days ago /bin/sh -c #(nop) ARG BUILD 0 B
9dcb95a5ceb4 7 days ago /bin/sh -c #(nop) ARG BUILDTIME 0 B
8ada27a4da06 7 days ago /bin/sh -c #(nop) ARG LASTCOMMIT 0 B
7461b836791f 7 days ago /bin/sh -c #(nop) ARG bds_ver 0 B
4020be54fb0f 7 days ago /bin/sh -c yum -y update-minimal --security - 2.632 MB
208a012b6fe4 7 days ago /bin/sh -c #(nop) MAINTAINER Black Duck 0 B
196e0ce0c9fb 6 weeks ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0 B
<missing> 6 weeks ago /bin/sh -c #(nop) LABEL name=CentOS Base Ima 0 B
<missing> 6 weeks ago /bin/sh -c #(nop) ADD file:1ed4d1a29d09a636dd 196.6 MB
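In the listing above, the `yum -y update-minimal --security` step lives in a layer built 7 days before the image's newest layers: a cached rebuild reuses that layer as-is, so the image's security fixes are only as fresh as the cache. As an added example (not part of the deck), this Python script parses a constructed, condensed copy of that `docker history` output and flags package-update layers older than a chosen threshold.

```python
"""Flag stale package-update layers in `docker history` output.

On the slide, `yum -y update-minimal --security` ran in a layer built 7 days
before scanner_base:4.2.0's newest layers. Cached rebuilds reuse that layer,
so the image carries the fixes available then, not at the last build.
Added example; SAMPLE_HISTORY is a constructed, condensed copy of the slide's
listing (columns collapsed to single spaces, most layers omitted).
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_HISTORY = """\
IMAGE CREATED CREATED BY SIZE COMMENT
395dfd09d6d7 16 hours ago /bin/sh -c #(nop) EXPOSE 9036/tcp 0 B
6ccb88892a15 16 hours ago /bin/sh -c #(nop) ENTRYPOINT ["/scanner" 0 B
57bd5e62be14 2 days ago /bin/sh -c #(nop) COPY dir:d9dc3b531575096c83 241.6 MB
13855a218a3e 7 days ago /bin/sh -c #(nop) ENV PATH=/scan.cli-4.2.0/b 0 B
4020be54fb0f 7 days ago /bin/sh -c yum -y update-minimal --security - 2.632 MB
208a012b6fe4 7 days ago /bin/sh -c #(nop) MAINTAINER Black Duck 0 B
196e0ce0c9fb 6 weeks ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0 B
<missing> 6 weeks ago /bin/sh -c #(nop) ADD file:1ed4d1a29d09a636dd 196.6 MB
"""

# One history row: image id, relative age, build step, then the size column.
LINE_RE = re.compile(
    r"^(?P<image>\S+)\s+(?P<age>\d+\s+\w+\s+ago)\s+(?P<cmd>.*?)\s+"
    r"(?P<size>\d+(?:\.\d+)?\s*[kMG]?B)\s*$"
)
AGE_RE = re.compile(r"(\d+)\s+(hour|day|week|month)s?\s+ago")
# Build steps that fetch package updates from a mirror or proxy cache.
UPDATE_RE = re.compile(
    r"\b(yum|dnf|microdnf|apt-get|apt|apk|zypper)\b.*\b(update|upgrade)\b"
)


@dataclass
class Layer:
    image: str
    age_days: float
    created_by: str
    size: str


def age_to_days(age: str) -> float:
    """Convert docker's relative CREATED text ("7 days ago") to days; months ~ 30."""
    m = AGE_RE.search(age)
    if not m:
        raise ValueError(f"unrecognised age: {age!r}")
    count, unit = int(m.group(1)), m.group(2)
    return count * {"hour": 1 / 24, "day": 1, "week": 7, "month": 30}[unit]


def parse_history(text: str) -> List[Layer]:
    """Parse `docker history` output (newest layer first) into Layer records."""
    layers: List[Layer] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("IMAGE "):
            continue  # blank line or column header
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable history line: {line!r}")
        layers.append(Layer(m["image"], age_to_days(m["age"]), m["cmd"], m["size"]))
    return layers


def update_layers(layers: List[Layer]) -> List[Layer]:
    """Layers whose build step ran a package-manager update/upgrade."""
    return [layer for layer in layers if UPDATE_RE.search(layer.created_by)]


def stale_update_layers(layers: List[Layer], max_age_days: float) -> List[Layer]:
    """Update layers older than max_age_days: satisfied by the package cache of
    their first build and reused unchanged by every cached rebuild since."""
    return [layer for layer in update_layers(layers) if layer.age_days > max_age_days]


def cache_gap_days(layers: List[Layer]) -> float:
    """Days between the newest layer and the oldest update layer, i.e. how far
    the image's package set lags the build that shipped it."""
    updates = update_layers(layers)
    if not updates:
        return 0.0
    return max(u.age_days for u in updates) - min(layer.age_days for layer in layers)


def main() -> None:
    layers = parse_history(SAMPLE_HISTORY)
    for layer in stale_update_layers(layers, max_age_days=1):
        print(f"{layer.image}: update layer {layer.age_days:.0f} days old: {layer.created_by}")
    print(f"package set lags the final image by {cache_gap_days(layers):.1f} days")


if __name__ == "__main__":
    main()
```

Pointing the script at real `docker history` output works the same way; a rebuild with `docker build --no-cache` is the usual way to close the gap it reports.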
Example: System behavior with image consistency
1. Push and tag image version “1.0.1”
2. Pull and run “latest”
3. Scale to 2 replicas
4. Pull and run tag “1.0.1”
5. Scale to 2 replicas
6. Pull and run pull spec “sha256:12345”
7. Scale to 2 replicas
8. Delete tag “1.0.1” in registry
9. Scale “1.0.1” to 3 replicas
10. Push and tag image version “1.0.2”
11. Add node 2
12. Down node 1
Resulting placement:
Cluster Node 1: “latest”, “latest”, 1.0.1, 1.0.1, sha256:12345, sha256:12345, 1.0.1
Cluster Node 2: “latest”, “latest”, sha256:12345, sha256:12345
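The 12 steps above, replayed as an added Python simulation (not from the deck). It assumes a registry where each push also moves the "latest" tag, Kubernetes' default pull policy (Always for "latest", IfNotPresent for other tags and digests), the slide's placeholder digest sha256:12345 for 1.0.1 and a constructed digest sha256:67890 for 1.0.2.

```python
"""Replay the slide's 12-step image consistency scenario.

One registry, two cluster nodes. Shows why "latest" drifts, why a deleted
tag keeps working only where it is already cached, and why a digest reference
behaves the same everywhere. Added example; digests are placeholders
(sha256:12345 from the slide, sha256:67890 constructed), not real hashes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class Registry:
    """Minimal registry: immutable content-addressed manifests plus mutable tags."""

    def __init__(self) -> None:
        self.manifests: Set[str] = set()
        self.tags: Dict[str, str] = {}

    def push(self, version: str, digest: str) -> None:
        self.manifests.add(digest)
        self.tags[version] = digest
        self.tags["latest"] = digest  # assumption: every push also moves "latest"

    def delete_tag(self, version: str) -> None:
        del self.tags[version]  # the manifest stays; only the name disappears

    def resolve(self, ref: str) -> Optional[str]:
        if ref.startswith("sha256:"):
            return ref if ref in self.manifests else None
        return self.tags.get(ref)


@dataclass
class Node:
    name: str
    cache: Dict[str, str] = field(default_factory=dict)           # ref -> digest
    running: List[Tuple[str, str]] = field(default_factory=list)  # (ref, digest)

    def pull(self, reg: Registry, ref: str) -> str:
        # Kubernetes default: ":latest" implies imagePullPolicy Always,
        # any other tag or a digest implies IfNotPresent.
        policy = "Always" if ref == "latest" else "IfNotPresent"
        if policy == "IfNotPresent" and ref in self.cache:
            return self.cache[ref]
        digest = reg.resolve(ref)
        if digest is None:
            raise LookupError(f"{self.name}: {ref!r} not in registry and not cached")
        self.cache[ref] = digest
        return digest

    def scale(self, reg: Registry, ref: str, replicas: int) -> None:
        have = sum(1 for r, _ in self.running if r == ref)
        for _ in range(replicas - have):
            self.running.append((ref, self.pull(reg, ref)))


def reschedule(src: Node, dst: Node, reg: Registry) -> List[str]:
    """Node src goes down: restart each replica on dst; return refs that failed."""
    failed: List[str] = []
    for ref, _ in src.running:
        try:
            dst.running.append((ref, dst.pull(reg, ref)))
        except LookupError:
            failed.append(ref)
    src.running.clear()
    return failed


def run_scenario() -> dict:
    reg, node1 = Registry(), Node("node1")
    reg.push("1.0.1", "sha256:12345")        # 1. push and tag 1.0.1
    node1.scale(reg, "latest", 1)            # 2. pull and run "latest"
    node1.scale(reg, "latest", 2)            # 3. scale to 2
    node1.scale(reg, "1.0.1", 1)             # 4. pull and run tag 1.0.1
    node1.scale(reg, "1.0.1", 2)             # 5. scale to 2
    node1.scale(reg, "sha256:12345", 1)      # 6. pull and run by digest
    node1.scale(reg, "sha256:12345", 2)      # 7. scale to 2
    reg.delete_tag("1.0.1")                  # 8. delete tag in registry
    node1.scale(reg, "1.0.1", 3)             # 9. works: node1 still caches the tag
    reg.push("1.0.2", "sha256:67890")        # 10. push 1.0.2; "latest" moves
    node2 = Node("node2")                    # 11. add node 2
    node1_before = list(node1.running)
    failed = reschedule(node1, node2, reg)   # 12. node 1 down
    return {"node1_before": node1_before, "node2": node2.running, "failed": failed}


def main() -> None:
    result = run_scenario()
    for ref, digest in result["node2"]:
        print(f"node2 runs {ref!r} -> {digest}")
    print(f"could not start on node2: {result['failed']}")


if __name__ == "__main__":
    main()
```

Only the digest-referenced replicas run the same bits on both nodes; the "latest" replicas silently move to 1.0.2 on node 2, and the 1.0.1 replicas fail there because the tag no longer exists and nothing is cached.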
Open source vulnerability management is a challenge
64 vulnerabilities per codebase—a 134% increase over last year
Source: Synopsys Open Source Security and Risk Report 2018
Planning your container patch strategy
• Primary objective: Facilitate application deployment
– Abstracts replication controllers and pods from users
• DeploymentConfig
– Defines the conditions for a new deployment
– Configuration and image changes supported
– Defines deployment strategy
– Rolling, recreate, blue/green, A/B, custom
– Requires “readiness” probes for pods
– Rollback via DeploymentConfigRollback
kind: "DeploymentConfig"
apiVersion: "v1"
metadata:
  name: "frontend"
spec:
  template:
    metadata:
      labels:
        name: "frontend"
    spec:
      containers:
        - name: "helloworld"
          image: "openshift/helloworld"
  triggers:
    - type: "ConfigChange"
    - type: "ImageChange"
      imageChangeParams:
        automatic: true
        containerNames:
          - "helloworld"
        from:
          kind: "ImageStreamTag"
          name: "helloworld:latest"
  strategy:
    type: "Rolling"
Container security paradigm shift
Container security antipatterns
• Allowing interactive login or SSH access
• Requiring elevated privileges
• Installing software or patching existing software
• Attaching to a running container instance
• Executing multiple processes
• Writing any log data to local disk
Container security patterns
• Limit execution life span
• Use exception-based network access with default blocked
• Limit resource consumption
• Limit image dependencies to required components
• Restrict privileges on running containers
• Allow for multiple replicas and concurrent container operations
• Define a base image approval and update process
• Use a secrets vault for all sensitive configuration information
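An added example (not from the deck) that turns the antipattern and pattern lists above into checks over a Kubernetes pod spec. It works on plain dicts (the shape of a parsed manifest) so it runs without PyYAML; both pod specs are constructed, with the weak one beside its hardened form.

```python
"""Check a Kubernetes pod spec against the container security antipatterns
and patterns listed on the slide. Added example; uses plain dicts (the shape
of a parsed pod spec) so it runs without PyYAML. Both specs below are
constructed; the image digest is the slide's placeholder, not a real hash.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (container name, check id, message)

# Environment variable names that usually carry credentials.
SECRET_NAME_RE = re.compile(r"PASS|SECRET|TOKEN|_KEY|CREDENTIAL", re.IGNORECASE)

# Antipatterns: privileged, root by default, writable disk, SSH port,
# unbounded resources, a literal secret in config, a mutable image tag.
WEAK_POD = {
    "containers": [{
        "name": "scanner",
        "image": "registry.example.com/scanner_base:latest",
        "ports": [{"containerPort": 22}, {"containerPort": 9036}],
        "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
        "securityContext": {"privileged": True},
    }]
}

# The same workload following the patterns on the slide; the secret is a
# reference (which a vault integration can back) rather than a literal.
HARDENED_POD = {
    "containers": [{
        "name": "scanner",
        "image": "registry.example.com/scanner_base@sha256:12345",
        "ports": [{"containerPort": 9036}],
        "env": [{"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "scanner-db", "key": "password"}}}],
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        "securityContext": {
            "privileged": False,
            "runAsNonRoot": True,
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
    }]
}


def image_tag(image: str) -> str:
    """Tag of an image reference ("latest" when none is given)."""
    last = image.rsplit("/", 1)[-1]  # drop registry[:port]/repo path
    return last.rsplit(":", 1)[1] if ":" in last else "latest"


def check_container(c: Dict) -> List[Finding]:
    name = c.get("name", "<unnamed>")
    sc = c.get("securityContext", {})
    limits = c.get("resources", {}).get("limits", {})
    findings: List[Finding] = []

    def flag(code: str, msg: str) -> None:
        findings.append((name, code, msg))

    if sc.get("privileged"):
        flag("PRIVILEGED", "container requires elevated privileges")
    if sc.get("runAsNonRoot") is not True:
        flag("RUNS_AS_ROOT", "runAsNonRoot not set; runs with ROOT credentials by default")
    if sc.get("allowPrivilegeEscalation") is not False:
        flag("PRIV_ESCALATION", "allowPrivilegeEscalation not disabled")
    if sc.get("readOnlyRootFilesystem") is not True:
        flag("WRITABLE_ROOTFS", "writable root filesystem; logs and data can land on local disk")
    if not ("cpu" in limits and "memory" in limits):
        flag("NO_LIMITS", "cpu/memory limits missing; resource consumption unbounded")
    if any(p.get("containerPort") == 22 for p in c.get("ports", [])):
        flag("SSH_PORT", "port 22 exposed; interactive login/SSH access")
    for env in c.get("env", []):
        if SECRET_NAME_RE.search(env.get("name", "")) and "value" in env:
            flag("PLAINTEXT_SECRET", f"{env['name']} is a literal; use a vault/secret reference")
    if "@sha256:" not in c.get("image", ""):
        flag("MUTABLE_IMAGE_REF",
             f"image pinned by tag {image_tag(c.get('image', ''))!r}, not by digest")
    return findings


def check_pod(pod_spec: Dict) -> List[Finding]:
    """All findings for every container in a pod spec."""
    return [f for c in pod_spec.get("containers", []) for f in check_container(c)]


def main() -> None:
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        findings = check_pod(pod)
        print(f"{label}: {len(findings)} finding(s)")
        for container, code, msg in findings:
            print(f"  [{code}] {container}: {msg}")


if __name__ == "__main__":
    main()
```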
Example: Security information flow aids compliance
Augmenting perimeter scan solutions
Threat agents
• Scan networks for weaknesses using toolkits
• Success is a numbers game—zero knowledge of target
• Perimeter defenses can be false positives
• Use multifactors for attack reconnaissance
Infiltration
• Occurs through at least one vector
• Creates beachheads supporting infection, C&C, and lateral movement
• Exploits latent vulnerabilities and misconfigurations
Mitigation powered by information flow
• Can’t exploit what doesn’t exist
• Focus attention on unpatched services
• Open source originates from multiple channels; patches must match
• Recognizes that attack landscape evolves
Diagram (nested scopes): Global IP space > Managed systems > Accessible systems > Vulnerability present
Example: The tale of CVE-2017-5638 and Equifax
Timeline:
• August 2012: Code bug introduced
• November 2012: Struts 2.3 released
• May 2016: Struts 2.5 released
• March 6, 2017: Patches available (1,649 days after the bug was introduced)
• March 7, 2017: Disclosure published
• March 14, 2017: NVD details (7 days after disclosure)
• May 13, 2017: Hacks successful
• July 29, 2017: Hacks discovered (78 days after the hacks succeeded)
Does the “serverless” model change things?
Definition: A model under which an application is decomposed into stateless activities or functions run on cloud infrastructure. Or: RPC.Next
Process
• Cloud provider defines a runtime
• Runtime is implemented in a container
• Developer creates an app-function targeting runtime
• Developer defines an API endpoint for the app-function
• Cloud provider supplies API gateway
Security implications
• Authorization and authentication required for protected data accesses
• All data passes on “the wire,” which affects certifications
• API contracts are critical, as are data reviews
• Security response process must include security awareness from cloud provider
Diagram components: Web App, API Gateway, Authorizer, User Service, Content Service, Data Store, External API
Key takeaways
Reassess processes when technology stacks change
• Identify opportunities to reduce business risk with new technologies
• Cloud-native paradigms are perfect to derisk in the face of adversity
• Containers aren’t VMs and offer opportunities to improve risk posture
Reduce risks of noncompliance
• Implement continuous monitoring of all deployed apps, complete with dependency inventory
• Leverage immutability properties of containers to simplify security
• Validate running containers against orchestration to eliminate rogue activities
Define clear technology risk acceptance criteria
• Ensure criteria are understood in Ops, Development, and Procurement
• Train all development and operations teams to identify changes in risk
• Document decisions affecting risk acceptance at all points in the SDLC
Thank You

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxBUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxalwaysnagaraju26
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfproinshot.com
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrandmasabamasaba
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...Jittipong Loespradit
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is insideshinachiaurasa2
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfonteinmasabamasaba
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 

Kürzlich hochgeladen (20)

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxBUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 

Webinar–Vulnerabilities in Containerised Production Environments

7. Risk is a function of the full stack—not just the app

“CNCF Interactive Landscape” application: the Cloud Native Computing Foundation provides a web-based application to browse for partner technology providers.

Application details
• 40K source lines of code
• Node.js application framework
• Containerized and deployed on Kubernetes
• 0.05% of code in use is custom
• 99.5% of code is in the stack
• Risks present at all layers of the stack

Source: CNCF Presentation: How good is our code?
8. Cloud-native design rules

1. Containers are immutable
   – Create once, run many instances
2. Containers are ephemeral
   – A container’s life should be only as long as absolutely required
3. Containers can be sacrificed
   – Orchestration systems may terminate a container if needed
   – No guarantee of life span
   – Don’t store data or logs in containers
4. Containers limit resource access
   – Define control groups (cgroups) for CPU/RAM access
   – Avoid running as root
   – Layered file system helps manage storage
9. Designing a container is like developing a new car

Development and Operations
• Engineers design using internal and external components
• Production assembles components into a vehicle
• Vehicle safety and assembly tests ensure compliance
• Vehicle delivery occurs using trusted carriers to dealerships
• Vehicle deployment occurs at time of purchase
• Repair occurs using validated components
• Regulators define governance and compliance criteria
10. At each stage of development, question everything

1. Where does your base image actually come from?
2. What is the health of that base image?
3. You’re updating it at build time, but from what cache?
4. You trust your build servers, but who controls them?
5. Is there any way a foreign container can start in your environment?
6. Who has rights to modify container images?
7. What happens if the base image registry goes away?
8. What happens if the base image tag goes away?
9. When a security disclosure happens, what’s the process to determine impact?
10. How are images being updated and deployed in the face of new security disclosures?

Container usage can trigger IP governance issues—i.e., `docker push` is potentially a distribution in the open source licensing sense.
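Questions 1 to 3 can be turned into a build-time check. The Python below is an added example, not code from the deck or from Synopsys: it lints a Dockerfile for base images that are not pinned by digest, for package refreshes whose result depends on the layer cache, for remote `ADD`s, and for a final stage that never drops root. The rule names, the policy they encode, and the two sample Dockerfiles (one in the style of the scanner image shown on the next slide, one hardened) are this example's own assumptions.

```python
"""Added example (not the deck's code): lint a Dockerfile for questions 1-3.
Rule names and the sample Dockerfiles are this example's own assumptions."""
import re
from dataclasses import dataclass

PKG_UPDATE = re.compile(
    r"\b(apt-get|apt|yum|dnf|microdnf|apk|zypper)\b.*\b(update|upgrade|update-minimal|add|install)\b")


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str


def instructions(text):
    """Yield (line_no, KEYWORD, args), joining backslash continuations and skipping comments."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        start = no if start is None else start
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        keyword, _, args = " ".join(buf).partition(" ")
        first, buf, start = start, [], None
        yield first, keyword.upper(), args.strip()


def check_from(ref, stages):
    """Rule for an unpinned base image, or None when pinned by digest, scratch, or an earlier stage."""
    if ref == "scratch" or ref in stages or "@sha256:" in ref:
        return None
    _, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:        # 'registry:5000/image' carries a port, not a tag
        tag = "latest"
    if tag == "latest":
        return "from-latest", f"FROM {ref} floats on 'latest'; pin by digest (image@sha256:...)"
    return "from-tag", f"FROM {ref} uses mutable tag '{tag}'; a re-push silently changes what you build on"


def lint_dockerfile(text):
    findings, stages, user, stage_line = [], set(), None, 0
    for no, kw, args in instructions(text):
        if kw == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]   # drop --platform=...
            hit = check_from(tokens[0], stages)
            if hit:
                findings.append(Finding(no, *hit))
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2])
            user, stage_line = None, no          # USER does not carry over into a new stage
        elif kw == "RUN" and PKG_UPDATE.search(args):
            findings.append(Finding(no, "pkg-update-at-build",
                "package refresh at build time is only as fresh as the layer cache "
                "(rebuild with 'docker build --no-cache --pull')"))
        elif kw == "ADD" and re.search(r"\bhttps?://", args):
            findings.append(Finding(no, "add-remote", "ADD fetches a URL into the image unverified"))
        elif kw == "USER":
            user = args.split(":")[0]
    if user in (None, "root", "0"):
        findings.append(Finding(stage_line, "runs-as-root", "final stage sets no non-root USER"))
    return findings


BAD = """\
# constructed sample in the style of the scanner image on the next slide
FROM centos:7 AS builder
RUN yum -y update-minimal --security && \\
    yum -y install gcc make
COPY . /src
RUN make -C /src

FROM alpine
COPY --from=builder /src/scanner /scanner
ADD https://example.invalid/tools.tgz /opt/
EXPOSE 9036/tcp
ENTRYPOINT ["/scanner"]
"""

GOOD = f"""\
FROM centos@sha256:{'0' * 64} AS builder
COPY . /src
RUN make -C /src

FROM alpine@sha256:{'1' * 64}
COPY --from=builder /src/scanner /scanner
USER 65532:65532
ENTRYPOINT ["/scanner"]
"""

if __name__ == "__main__":
    for f in lint_dockerfile(BAD):
        print(f"line {f.line}: {f.rule}: {f.message}")
    print("hardened findings:", lint_dockerfile(GOOD))
```

Pinning by digest answers question 1 (the image you build on is exactly the one you reviewed) and makes question 8 moot for the base image, but it does not answer question 3: a `RUN yum update` layer is rebuilt only when the cache misses, so the linter can only point at the instruction; the build itself must be run with `--no-cache --pull` on a schedule.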
11. Image health is critical to application security

(Screenshots: Docker Hub container scanning results; Red Hat Container Catalog Health Index)
12. Example: How image layer cache affects security

  [root@localhost project]# docker history scanner_base:4.2.0
  IMAGE          CREATED        CREATED BY                                       SIZE       COMMENT
  395dfd09d6d7   16 hours ago   /bin/sh -c #(nop) EXPOSE 9036/tcp                0 B
  6ccb88892a15   16 hours ago   /bin/sh -c #(nop) ENTRYPOINT ["/scanner"         0 B
  604fcdb13b57   16 hours ago   /bin/sh -c #(nop) LABEL name=Base scanner        0 B
  5bf60b767227   2 days ago     /bin/sh -c #(nop) COPY file:0319ebe1148b5cefa    682 B
  fe23aeab7fcc   2 days ago     /bin/sh -c #(nop) COPY file:e822182ba43798ba0    11.36 kB
  9cdc179735ad   2 days ago     /bin/sh -c #(nop) COPY file:e822182ba43798ba0    11.36 kB
  57bd5e62be14   2 days ago     /bin/sh -c #(nop) COPY dir:d9dc3b531575096c83    241.6 MB
  a1cb8fd37a68   2 days ago     /bin/sh -c #(nop) COPY file:98c69c969ee05b51b    6.14 MB
  13855a218a3e   7 days ago     /bin/sh -c #(nop) ENV PATH=/scan.cli-4.2.0/b     0 B
  885efab8f9b5   7 days ago     /bin/sh -c #(nop) ENV APP_HOME=/scan.cli-4.2     0 B
  1ed791e999b5   7 days ago     /bin/sh -c #(nop) ARG BUILD                      0 B
  9dcb95a5ceb4   7 days ago     /bin/sh -c #(nop) ARG BUILDTIME                  0 B
  8ada27a4da06   7 days ago     /bin/sh -c #(nop) ARG LASTCOMMIT                 0 B
  7461b836791f   7 days ago     /bin/sh -c #(nop) ARG bds_ver                    0 B
  4020be54fb0f   7 days ago     /bin/sh -c yum -y update-minimal --security -    2.632 MB
  208a012b6fe4   7 days ago     /bin/sh -c #(nop) MAINTAINER Black Duck          0 B
  196e0ce0c9fb   6 weeks ago    /bin/sh -c #(nop) CMD ["/bin/bash"]              0 B
  <missing>      6 weeks ago    /bin/sh -c #(nop) LABEL name=CentOS Base Ima     0 B
  <missing>      6 weeks ago    /bin/sh -c #(nop) ADD file:1ed4d1a29d09a636dd    196.6 MB

Read the CREATED column from the bottom up: the CentOS base layers are 6 weeks old, the `yum -y update-minimal --security` layer is 7 days old, and only the application layers were rebuilt 16 hours ago. The build reused the cached update layer, so any security fix published in the last week is absent from an image that was “updated at build time”.
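The age gap in that listing can be measured rather than eyeballed. The following Python is an added example, not code from the deck: it parses `docker history` output, converts the relative CREATED column to hours, and reports the age of any package-update layer against a threshold. The sample is the slide's listing transcribed into a string, and the 72-hour threshold is this example's own assumption.

```python
"""Added example (not the deck's code): measure how stale the cached package-update
layer of an image is from 'docker history' output. SAMPLE is the slide's listing
transcribed; the 72 h threshold is an assumption."""
import re
from dataclasses import dataclass

ROW = re.compile(
    r"^(?P<image>\S+)\s+(?P<created>(?:\d+|About an?) \w+ ago)\s+"
    r"(?P<cmd>.*?)\s+(?P<size>\d+(?:\.\d+)?\s?[kMG]?B)\s*(?P<comment>.*)$")
HOURS = {"second": 1 / 3600, "minute": 1 / 60, "hour": 1, "day": 24,
         "week": 168, "month": 730, "year": 8760}
PKG_UPDATE = re.compile(
    r"\b(yum|dnf|microdnf|apt-get|apt|apk|zypper)\b.*\b(update|upgrade|update-minimal)\b")


@dataclass(frozen=True)
class Layer:
    image: str
    age_hours: float
    created_by: str
    size: str


def parse_history(output):
    """Parse the table printed by 'docker history <image>' (prompt and header lines are skipped)."""
    layers = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("IMAGE") or line.lstrip().startswith("["):
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        tokens = m["created"].split()          # e.g. ['7', 'days', 'ago'] or ['About', 'an', 'hour', 'ago']
        n, unit = (1, tokens[2]) if tokens[0] == "About" else (int(tokens[0]), tokens[1])
        layers.append(Layer(m["image"], n * HOURS[unit.rstrip("s")], m["cmd"], m["size"]))
    return layers


def staleness_report(layers, max_update_age_hours=72):
    """Newest layer is the build time, oldest is the base image; update layers sit in between."""
    updates = [l for l in layers if PKG_UPDATE.search(l.created_by)]
    return {
        "image_age_hours": min(l.age_hours for l in layers),
        "base_age_hours": max(l.age_hours for l in layers),
        "update_layers": [(l.created_by, l.age_hours) for l in updates],
        "stale_updates": [l.created_by for l in updates if l.age_hours > max_update_age_hours],
    }


SAMPLE = """\
[root@localhost project]# docker history scanner_base:4.2.0
IMAGE          CREATED        CREATED BY                                       SIZE       COMMENT
395dfd09d6d7   16 hours ago   /bin/sh -c #(nop) EXPOSE 9036/tcp                0 B
6ccb88892a15   16 hours ago   /bin/sh -c #(nop) ENTRYPOINT ["/scanner"         0 B
604fcdb13b57   16 hours ago   /bin/sh -c #(nop) LABEL name=Base scanner        0 B
5bf60b767227   2 days ago     /bin/sh -c #(nop) COPY file:0319ebe1148b5cefa    682 B
fe23aeab7fcc   2 days ago     /bin/sh -c #(nop) COPY file:e822182ba43798ba0    11.36 kB
9cdc179735ad   2 days ago     /bin/sh -c #(nop) COPY file:e822182ba43798ba0    11.36 kB
57bd5e62be14   2 days ago     /bin/sh -c #(nop) COPY dir:d9dc3b531575096c83    241.6 MB
a1cb8fd37a68   2 days ago     /bin/sh -c #(nop) COPY file:98c69c969ee05b51b    6.14 MB
13855a218a3e   7 days ago     /bin/sh -c #(nop) ENV PATH=/scan.cli-4.2.0/b     0 B
885efab8f9b5   7 days ago     /bin/sh -c #(nop) ENV APP_HOME=/scan.cli-4.2     0 B
1ed791e999b5   7 days ago     /bin/sh -c #(nop) ARG BUILD                      0 B
9dcb95a5ceb4   7 days ago     /bin/sh -c #(nop) ARG BUILDTIME                  0 B
8ada27a4da06   7 days ago     /bin/sh -c #(nop) ARG LASTCOMMIT                 0 B
7461b836791f   7 days ago     /bin/sh -c #(nop) ARG bds_ver                    0 B
4020be54fb0f   7 days ago     /bin/sh -c yum -y update-minimal --security -    2.632 MB
208a012b6fe4   7 days ago     /bin/sh -c #(nop) MAINTAINER Black Duck          0 B
196e0ce0c9fb   6 weeks ago    /bin/sh -c #(nop) CMD ["/bin/bash"]              0 B
<missing>      6 weeks ago    /bin/sh -c #(nop) LABEL name=CentOS Base Ima     0 B
<missing>      6 weeks ago    /bin/sh -c #(nop) ADD file:1ed4d1a29d09a636dd    196.6 MB
"""

if __name__ == "__main__":
    report = staleness_report(parse_history(SAMPLE))
    print(f"image built {report['image_age_hours']:.0f} h ago on a base {report['base_age_hours']:.0f} h old")
    for cmd in report["stale_updates"]:
        print("stale cached update layer:", cmd)
```

Feed it `docker history --no-trunc <image>` from a CI job and fail the build when `stale_updates` is non-empty; that turns question 3 on the previous slide into a gate rather than a question.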
13. Example: System behavior with image consistency

1. Push and tag image version “1.0.1”
2. Pull and run “latest”
3. Scale to 2 replicas
4. Pull and run tag “1.0.1”
5. Scale to 2 replicas
6. Pull and run pull spec “sha256:12345”
7. Scale to 2 replicas
8. Delete tag “1.0.1” in registry
9. Scale “1.0.1” to 3 replicas
10. Push and tag image version “1.0.2”
11. Add node 2
12. Down node 1

Resulting containers per node (from the slide diagram):
• Cluster Node 1: “latest”, “latest”, 1.0.1, 1.0.1, sha256:12345, sha256:12345, 1.0.1
• Cluster Node 2: “latest”, “latest”, sha256:12345, sha256:12345
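The diagram's outcome follows from two rules: a registry tag is a mutable pointer while a digest names immutable content, and the kubelet's default pull policy is Always for `:latest` (or an untagged reference) and IfNotPresent for any other tag. The Python below is an added example, not the deck's code; it models those two rules and replays the twelve steps. The registry, node and scheduler objects are toy models, and the digest `sha256:67890` for version 1.0.2 is constructed (the deck only names `sha256:12345`).

```python
"""Added example (not the deck's code): replay the 12-step scenario with a toy registry
and two nodes. Tag/digest semantics and the default pull policy follow Kubernetes;
everything else here is a simplified model."""
from dataclasses import dataclass, field


class ImagePullError(Exception):
    """What the cluster would surface as ImagePullBackOff."""


class Registry:
    def __init__(self):
        self.tags = {}        # "app:1.0.1" -> digest  (mutable pointer)
        self.blobs = set()    # digests present         (immutable content)

    def push(self, name, tag, digest):
        self.blobs.add(digest)
        self.tags[f"{name}:{tag}"] = digest

    def delete_tag(self, name, tag):
        del self.tags[f"{name}:{tag}"]     # the content stays; only the pointer goes

    def resolve(self, ref):
        if "@sha256:" in ref:
            digest = ref.split("@", 1)[1]
            if digest in self.blobs:
                return digest
        elif ref in self.tags:
            return self.tags[ref]
        raise ImagePullError(f"manifest unknown: {ref}")


def pull_policy(ref):
    """Kubernetes default: Always for ':latest'/untagged, IfNotPresent otherwise."""
    if "@sha256:" in ref:
        return "IfNotPresent"
    _, sep, tag = ref.rpartition(":")
    return "Always" if (not sep or tag == "latest") else "IfNotPresent"


@dataclass
class Node:
    name: str
    cache: dict = field(default_factory=dict)     # ref -> digest pulled earlier
    running: list = field(default_factory=list)   # (ref, digest) for every replica

    def start(self, ref, registry):
        if pull_policy(ref) == "Always" or ref not in self.cache:
            self.cache[ref] = registry.resolve(ref)      # raises once the tag is gone
        self.running.append((ref, self.cache[ref]))


def scale(node, ref, registry, replicas):
    for _ in range(replicas):
        node.start(ref, registry)


def simulate():
    reg, node1, node2 = Registry(), Node("node1"), Node("node2")
    d101, d102 = "sha256:12345", "sha256:67890"     # deck's shorthand digest, plus a constructed one
    reg.push("app", "1.0.1", d101)                  # 1
    reg.push("app", "latest", d101)
    scale(node1, "app:latest", reg, 2)              # 2-3
    scale(node1, "app:1.0.1", reg, 2)               # 4-5
    scale(node1, f"app@{d101}", reg, 2)             # 6-7
    reg.delete_tag("app", "1.0.1")                  # 8
    node1.start("app:1.0.1", reg)                   # 9: cached on node1, so it still starts
    reg.push("app", "1.0.2", d102)                  # 10: 'latest' now points elsewhere
    reg.push("app", "latest", d102)
    failures = []                                   # 11-12: node2 joins, node1 is drained
    for ref, _ in node1.running:
        try:
            node2.start(ref, reg)
        except ImagePullError as exc:
            failures.append(str(exc))
    return node1, node2, failures


def digests_for(node, ref):
    return {digest for r, digest in node.running if r == ref}


if __name__ == "__main__":
    n1, n2, failures = simulate()
    print("node1:", [r for r, _ in n1.running])
    print("node2:", [r for r, _ in n2.running])
    print("failed to reschedule:", failures)
```

Node 2 ends up exactly as the diagram shows: the `latest` replicas come back, but running version 1.0.2 rather than the 1.0.1 that was serving on node 1; the digest-pinned replicas come back byte-for-byte identical; the `1.0.1` replicas cannot be scheduled at all because the only copy of that tag lived in node 1's cache. Only the digest reference gives both availability and consistency.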
14. Open source vulnerability management is a challenge

64 vulnerabilities per codebase—a 134% increase over last year
Source: Synopsys Open Source Security and Risk Report 2018
15. Planning your container patch strategy

• Primary objective: Facilitate application deployment
  – Abstracts replication controllers and pods from users
• DeploymentConfig (an OpenShift object; upstream Kubernetes uses Deployment for the same purpose)
  – Defines the conditions for a new deployment
    – Configuration and image changes supported
  – Defines deployment strategy
    – Rolling, recreate, blue/green, A/B, custom
    – Requires “readiness” probes for pods
  – Rollback via DeploymentConfigRollback

Example DeploymentConfig (an ImageChange trigger on helloworld:latest redeploys whenever that tag moves):

  kind: "DeploymentConfig"
  apiVersion: "v1"
  metadata:
    name: "frontend"
  spec:
    template:
      metadata:
        labels:
          name: "frontend"
      spec:
        containers:
          - name: "helloworld"
            image: "openshift/helloworld"
    triggers:
      - type: "ConfigChange"
      - type: "ImageChange"
        imageChangeParams:
          automatic: true
          containerNames:
            - "helloworld"
          from:
            kind: "ImageStreamTag"
            name: "helloworld:latest"
    strategy:
      type: "Rolling"

(Diagram: patch version comparison; labels “Patch version” and “worse”)
16. Container security paradigm shift

Container security antipatterns
• Allowing interactive login or SSH access
• Requiring elevated privileges
• Installing software or patching existing software
• Attaching to a running container instance
• Executing multiple processes
• Writing any log data to local disk

Container security patterns
• Limit execution life span
• Use exception-based network access with default blocked
• Limit resource consumption
• Limit image dependencies to required components
• Restrict privileges on running containers
• Allow for multiple replicas and concurrent container operations
• Define a base image approval and update process
• Use a secrets vault for all sensitive configuration information
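Most of those antipatterns are visible in the Pod spec before anything runs. The Python below is an added example, not the deck's code: it walks a Pod manifest and reports elevated privileges, a root user, a writable root filesystem (which is what makes “installing software” and “writing logs to local disk” possible), missing resource limits, secrets embedded as literal environment values, and host namespace or hostPath exposure. The field names are the real Kubernetes `securityContext`, `resources` and `env` fields; the manifest is embedded as a Python dict (a constructed sample, so it runs without a YAML library) and the rule names are this example's own.

```python
"""Added example (not the deck's code): check a Pod spec for the antipatterns listed above.
Manifests are embedded as dicts (constructed samples); rule names are this example's own."""
import re

SECRET_LIKE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)


def check_container(c, pod_sc):
    sc = {**pod_sc, **(c.get("securityContext") or {})}   # container level overrides pod level
    f, name = [], c.get("name", "?")
    if sc.get("privileged"):
        f.append((name, "privileged", "privileged container: full host device and capability access"))
    run_as_user = sc.get("runAsUser")
    if run_as_user == 0 or (run_as_user is None and not sc.get("runAsNonRoot")):
        f.append((name, "run-as-root", "may run as root: set runAsNonRoot: true or a non-zero runAsUser"))
    if sc.get("allowPrivilegeEscalation", True):
        f.append((name, "priv-escalation", "allowPrivilegeEscalation defaults to true; set it to false"))
    if not sc.get("readOnlyRootFilesystem"):
        f.append((name, "writable-rootfs", "writable root filesystem: software can be installed and logs written locally"))
    if (sc.get("capabilities") or {}).get("add"):
        f.append((name, "added-caps", f"adds Linux capabilities: {sc['capabilities']['add']}"))
    limits = (c.get("resources") or {}).get("limits") or {}
    for res in ("cpu", "memory"):
        if res not in limits:
            f.append((name, "no-limits", f"no {res} limit: resource consumption is unbounded"))
    for env in c.get("env") or []:
        if "value" in env and SECRET_LIKE.search(env["name"]):
            f.append((name, "plaintext-secret", f"{env['name']} is a literal in the manifest; use a secrets vault"))
    return f


def check_pod(pod):
    spec, f = pod["spec"], []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            f.append(("pod", "host-namespace", f"{ns}: true shares a host namespace"))
    for v in spec.get("volumes") or []:
        if "hostPath" in v:
            f.append(("pod", "host-path", f"volume {v['name']} mounts host path {v['hostPath'].get('path')}"))
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers") or []:
        f.extend(check_container(c, pod_sc))
    return f


BAD_POD = {  # constructed: one container doing most of what the antipattern list warns against
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "scanner-bad"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "scanner",
            "image": "scanner_base:latest",
            "securityContext": {"privileged": True, "runAsUser": 0},
            "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

GOOD_POD = {  # constructed hardened counterpart
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "scanner-good"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "volumes": [{"name": "scratch", "emptyDir": {}}],
        "containers": [{
            "name": "scanner",
            "image": "scanner_base@sha256:" + "0" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "scanner-db", "key": "password"}}}],
            "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}],
        }],
    },
}

if __name__ == "__main__":
    for scope, rule, msg in check_pod(BAD_POD):
        print(f"{scope}: {rule}: {msg}")
    print("hardened findings:", check_pod(GOOD_POD))
```

The hardened manifest is the patterns column made concrete: a read-only root filesystem and a scratch `emptyDir` enforce “no installing software, no local logs”, `runAsNonRoot` plus dropped capabilities restrict privileges, limits bound resource consumption, and `secretKeyRef` keeps the credential out of the spec. The same checks belong in an admission controller so a manifest that fails them never reaches a node.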
17. Example: Security information flow aids compliance

(Diagram)
18. Augmenting perimeter scan solutions

Threat agents
• Scan networks for weaknesses using toolkits
• Success is a numbers game—zero knowledge of target
• Perimeter defenses can be false positives
• Use multiple factors for attack reconnaissance

Infiltration
• Occurs through at least one vector
• Creates beachheads supporting infection, C&C, and lateral movement
• Exploits latent vulnerabilities and misconfigurations

Mitigation powered by information flow
• Can’t exploit what doesn’t exist
• Focus attention on unpatched services
• Open source originates from multiple channels; patches must match the channel the component came from
• Recognizes that attack landscape evolves

(Funnel diagram: Global IP space → Managed systems → Accessible systems → Vulnerability present)
19. Example: The tale of CVE-2017-5638 and Equifax

• August 2012: code bug introduced
• November 2012: Struts 2.3 released
• May 2016: Struts 2.5 released
• March 6, 2017: patches available (1,649 days after the bug was introduced)
• March 7, 2017: disclosure published
• March 14, 2017: NVD details (7 days after disclosure)
• May 13, 2017: hacks successful
• July 29, 2017: hacks discovered (78 days after the first successful hack)
20. Does the “serverless” model change things?

Definition: A model under which an application is decomposed into stateless activities or functions run on cloud infrastructure. Or: RPC.Next

Process
• Cloud provider defines a runtime
• Runtime is implemented in a container
• Developer creates an app-function targeting runtime
• Developer defines an API endpoint for the app-function
• Cloud provider supplies API gateway

Security implications
• Authorization and authentication required for protected data accesses
• All data passes on “the wire,” which affects certifications
• API contracts are critical, as are data reviews
• Security response process must include security awareness from cloud provider

(Diagram components: Web App, API Gateway, Authorizer, User Service, Content Service, Data Store, External API)
21. Key takeaways

Reassess processes when technology stacks change
• Identify opportunities to reduce business risk with new technologies
• Cloud-native paradigms are perfect to derisk in the face of adversity
• Containers aren’t VMs and offer opportunities to improve risk posture

Reduce risks of noncompliance
• Implement continuous monitoring of all deployed apps, complete with dependency inventory
• Leverage immutability properties of containers to simplify security
• Validate running containers against orchestration to eliminate rogue activities

Define clear technology risk acceptance criteria
• Ensure criteria are understood in Ops, Development, and Procurement
• Train all development and operations teams to identify changes in risk
• Document decisions affecting risk acceptance at all points in the SDLC