© Copyright 2015 Pivotal. All rights reserved.
Can containers be secured in a PaaS?
Tom Kranz
tkranz@pivotal.io
Introductions: who am I?
UNIX sysadmin
Technical architect
Principal Field Engineer
Account Manager
Security person
Get in touch on LinkedIn or Twitter
Can containers be secured in a PaaS?
Maybe ….
Not about features
Context is important
And implementation is key!
And always remember:
You will get hacked. Eventually.
So what’s the context?
Who are our attackers?
Where are they attacking from?
What are they attacking?
What data is at risk?
This gives us a risk profile we can use to evaluate the security of an *implementation*
Evaluating the security of a product in isolation - without context - is bad, and leads to bad risk profiles and poor decisions
Who are our attackers?
Opportunists?
Someone with a grudge?
Professionals?
Nation states?
August 2015 cyber attack stats
(chart not reproduced in this transcript; stats from http://www.hackmageddon.com/)
Where are they attacking from?
Internal or external?
What are they attacking?
Infrastructure?
Applications?
Physical location?
All of the above?
SPARTA!
What data is at risk?
Can use answers to the above to work out what data is at risk and where it is
This can form your risk profile
This is what you can use to evaluate the security of an implemented solution
Evaluate the implementation against the profile - not the product against a checklist!
Pivotal Cloud Foundry Architecture recap
(architecture diagram; the components it shows)
Operations Manager: Ops Manager UI, Ops Manager Director
Elastic Runtime: HA Proxy LB, Dynamic Router, Login Server, UAA, Cloud Controller, Health Manager, Messaging (NATS), App Log Aggregator, Metrics Collection, and the DEA Pool running the Apps
Services: Service Broker and Service Nodes, one pair per service
The DEA Pool is where the containers are!
Example: secure PCF implementation
(diagram not reproduced in this transcript)
Why?
Leverage existing, tried and tested security solutions where appropriate (isolation, firewalls)
Rely on platform security where appropriate (containers, immutable infrastructure)
Change in application delivery also drives a change in security mindset (application centric not server centric)
Attack vectors - it's the apps!
(chart not reproduced in this transcript; stats from http://www.hackmageddon.com/)
Impact of attacks
Attacker compromises app, gets access to core data
Nothing to do with the platform: the platform cannot stop this
Mitigation: WAF, code audit to help write secure code
Attacker compromises app, gets local container access
If they break anything, the platform destroys and re-creates it: the Health Manager restarts a crashed app instance in a fresh container, and BOSH re-creates a failed DEA VM (BOSH manages VMs, not individual containers)
Can't break out of the container to root the VM (the DEA)
Can't sniff network traffic
Can't pivot east/west to attack other internal PCF components
Those three "can'ts" hold only while the container isolation itself holds; a kernel or container-runtime bug is the residual risk
Gentlemen, we can rebuild him. We have the technology.
OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Make Jenkins do the work: https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin
Also look at Web Application Attack and Audit Framework: http://w3af.org/
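As an added example of "making Jenkins do the work" (my code, not the Jenkins plugin's and not Pivotal's): a build gate that reads the Dependency-Check XML report and fails the job when any dependency carries a vulnerability at or above a CVSS threshold. The element names it looks for (dependency, fileName, vulnerabilities, vulnerability, name, cvssV3/baseScore, cvssV2/score, cvssScore) follow the Dependency-Check XML report as I know it and should be checked against the version you run; the report namespace changes between releases, so the parser ignores it. The embedded report is constructed, with placeholder vulnerability names rather than real CVE ids.

```python
"""Build gate over an OWASP Dependency-Check XML report.

Added example; not Pivotal's code and not the Jenkins plugin's. Exits non-zero
when any dependency has a vulnerability scored at or above THRESHOLD, which is
what a CI stage should do with the report. Element names follow the
Dependency-Check XML report (assumption: verify against the version you run);
the XML namespace varies between releases, so it is ignored.
"""
import sys
import xml.etree.ElementTree as ET

THRESHOLD = 7.0  # CVSS "High" and above fail the build


def _local(tag):
    """Tag name without its namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child with the given local tag name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def _text(elem, name):
    """Stripped text of a direct child, or None when absent or empty."""
    node = _child(elem, name)
    return node.text.strip() if node is not None and node.text else None


def _score(vuln):
    """Best available CVSS base score: v3, then v2, then the legacy cvssScore."""
    v3 = _child(vuln, "cvssV3")
    if v3 is not None and _text(v3, "baseScore"):
        return float(_text(v3, "baseScore"))
    v2 = _child(vuln, "cvssV2")
    if v2 is not None and _text(v2, "score"):
        return float(_text(v2, "score"))
    legacy = _text(vuln, "cvssScore")
    return float(legacy) if legacy else 0.0


def findings(report_xml, threshold=THRESHOLD):
    """(fileName, vulnerability name, score) for every hit at or above threshold."""
    hits = []
    for dep in ET.fromstring(report_xml).iter():
        if _local(dep.tag) != "dependency":
            continue
        vulns = _child(dep, "vulnerabilities")
        if vulns is None:
            continue
        for vuln in vulns:
            # suppressedVulnerability entries are deliberately skipped
            if _local(vuln.tag) != "vulnerability":
                continue
            score = _score(vuln)
            if score >= threshold:
                hits.append((_text(dep, "fileName") or "?", _text(vuln, "name") or "?", score))
    return hits


def gate(report_xml, threshold=THRESHOLD):
    """Exit status for CI: 1 if anything is at or above threshold, else 0."""
    hits = findings(report_xml, threshold)
    for fname, name, score in hits:
        print("FAIL %s: %s (CVSS %.1f)" % (fname, name, score))
    return 1 if hits else 0


# Constructed sample report (not real scan output; names are placeholders,
# not CVE ids). The namespace string is illustrative and is ignored.
SAMPLE_REPORT = """<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.xsd">
  <dependencies>
    <dependency>
      <fileName>example-lib-1.0.jar</fileName>
      <vulnerabilities>
        <vulnerability source="NVD">
          <name>EXAMPLE-0001</name>
          <cvssV3><baseScore>9.8</baseScore></cvssV3>
          <severity>CRITICAL</severity>
        </vulnerability>
        <vulnerability source="NVD">
          <name>EXAMPLE-0002</name>
          <cvssV2><score>4.3</score></cvssV2>
          <severity>MEDIUM</severity>
        </vulnerability>
        <suppressedVulnerability source="NVD">
          <name>EXAMPLE-0003</name>
          <cvssV3><baseScore>9.1</baseScore></cvssV3>
        </suppressedVulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>clean-lib-2.1.jar</fileName>
    </dependency>
  </dependencies>
</analysis>
"""

if __name__ == "__main__":
    # Usage: python gate.py dependency-check-report.xml
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(xml_text))
```

Wire it in as the step after the Dependency-Check scan so the job fails on the exit status; the plugin can enforce thresholds itself, but a script like this keeps the policy in one place when the same report is consumed by more than one pipeline.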
Containerception
(image slide; not reproduced in this transcript)
Current tech: Warden
(diagram not reproduced in this transcript)
Future tech: Garden
(diagram not reproduced in this transcript)
More info at http://blog.pivotal.io/pivotal-cloud-foundry/features/cloud-foundry-container-technology-a-garden-overview
Container security in PCF: the nitty gritty
Containers provide isolation of resources: CPU, memory, file system, process space, network
Containers have their own private network, not accessible from outside the DEA
(diagram: two DEAs, each running four apps in their own containers)
Container Isolation
Routers forward requests from outside using the app's route to the assigned port on the DEA, which does network translation to the container's internal IP and port
Apps are prevented from communicating directly with each other by container firewall rules; they must communicate through published routes
(diagram: HA Proxy LB -> Dynamic Router -> DEAs, each DEA running four apps in containers)
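As an added example (my code, not Pivotal's and not from the deck) serving the "Impact of attacks", "Container security in PCF" and "Container Isolation" slides: a self-check that a process with "local container access" can run to see whether it holds anything the slides say an attacker should not have. It reads the real uid and effective capability mask from /proc/self/status and the cgroup memory limit, and reports root, the capabilities behind sniffing (CAP_NET_RAW, CAP_NET_ADMIN) and the well-known routes towards the host (CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_SYS_MODULE and friends), and an unlimited memory cgroup. The capability bit numbers are from linux/capability.h; the choice of which capabilities count as dangerous, and the cgroup v1/v2 file paths, are my assumptions; the two /proc/self/status samples are constructed, one with no capabilities and one whose mask 00000000a80425fb is Docker's default capability set, included for contrast.

```python
"""Container self-check for the isolation claims on the slides.

Added example; not Pivotal's code. Run inside an app container (Linux) to see
whether the process holds anything an attacker with "local container access"
could use: root, the capabilities behind sniffing and container escapes, or an
unlimited memory cgroup. The parse functions also take constructed /proc text,
so the logic can be exercised anywhere. Capability bit numbers are from
linux/capability.h.
"""
import os

# Capabilities that matter for the attacks the slides rule out (my selection):
# CAP_NET_RAW / CAP_NET_ADMIN for sniffing, the rest for well-known routes to the host.
DANGEROUS_CAPS = {
    1: "CAP_DAC_OVERRIDE",
    2: "CAP_DAC_READ_SEARCH",
    12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW",
    16: "CAP_SYS_MODULE",
    17: "CAP_SYS_RAWIO",
    19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN",
    27: "CAP_MKNOD",
}

CGROUP_MEMORY_FILES = (
    "/sys/fs/cgroup/memory.max",                    # cgroup v2
    "/sys/fs/cgroup/memory/memory.limit_in_bytes",  # cgroup v1
)


def parse_status(text):
    """Real uid and effective capability mask from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {
        "uid": int(fields["Uid"].split()[0]),  # first column is the real uid
        "cap_eff": int(fields["CapEff"], 16),   # hex bitmask, one bit per capability
    }


def dangerous_caps(cap_eff):
    """Sorted names of DANGEROUS_CAPS set in an effective capability mask."""
    return sorted(name for bit, name in DANGEROUS_CAPS.items() if cap_eff >> bit & 1)


def parse_memory_limit(text):
    """Bytes from memory.max / memory.limit_in_bytes, or None when unlimited."""
    value = text.strip()
    if value == "max":          # cgroup v2 spelling of "no limit"
        return None
    limit = int(value)
    if limit >= 1 << 62:        # cgroup v1 reports a near-LONG_MAX value when unset
        return None
    return limit


def assess(status_text, memlimit_text):
    """Findings from the two inputs; an empty list means isolation looks as advertised."""
    findings = []
    status = parse_status(status_text)
    if status["uid"] == 0:
        findings.append("running as uid 0")
    for cap in dangerous_caps(status["cap_eff"]):
        findings.append("holds " + cap)
    if parse_memory_limit(memlimit_text) is None:
        findings.append("no cgroup memory limit")
    return findings


def self_check():
    """Assess the live process (Linux only)."""
    with open("/proc/self/status") as f:
        status_text = f.read()
    memlimit_text = "max"
    for path in CGROUP_MEMORY_FILES:
        if os.path.exists(path):
            with open(path) as f:
                memlimit_text = f.read()
            break
    return assess(status_text, memlimit_text)


# Constructed samples (not captured from a PCF container). The second mask,
# 00000000a80425fb, is Docker's default capability set, shown for contrast.
STATUS_UNPRIVILEGED = "Name:\tpython3\nUid:\t2000\t2000\t2000\t2000\nCapEff:\t0000000000000000\n"
STATUS_DOCKER_DEFAULT = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    for finding in self_check() or ["no findings"]:
        print(finding)
```

Two caveats when reading the output: capabilities held inside a user namespace are not host capabilities, so a non-empty list is not automatically an escape and an empty list does not prove one is impossible (a kernel bug ignores CapEff entirely, which is the residual risk the "Impact of attacks" slide leaves open); and the cgroup v1 "unlimited" value differs between kernels, so the threshold used here is a heuristic.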
Warden/Garden networking in detail
(diagram not reproduced in this transcript)
Container filesystems
(diagram: a Garden container built from buildpacks beside a Garden container built from a Docker image)
Why a different container tech?
i.e. why not Docker? Again, context is important:
PCF treats containers as disposable
i.e. we don't care about them, and neither should you
Therefore we don't allow access to them: there is no user-facing command for getting into a running container
Fundamental difference in design principles - we can lock them down much more tightly
To see the implications: http://reventlov.com/advisories/using-the-docker-command-to-root-the-host
To summarise - Key points
Yes containers can be secured in a PaaS
This can mitigate some attacks, doesn’t help with others
Doesn’t mean your apps are secure
Don’t rely on technology to solve security issues
Build security into your apps from the start
Profile the risk and mitigate what you can
Remember not all risk can be mitigated
Context is important!
You will get hacked, response is key - whole other topic!
THANK YOU!
tkranz@pivotal.io
https://www.linkedin.com/in/tomkranz
@whoopsie
24
© Copyright 2015 Pivotal. All rights reserved. 25

Weitere ähnliche Inhalte

Was ist angesagt?

Bio IT World 2015 - DevOps Security and Transparency
Bio IT World 2015 - DevOps Security and TransparencyBio IT World 2015 - DevOps Security and Transparency
Bio IT World 2015 - DevOps Security and TransparencyKevin Gilpin
 
Building A Self-Documenting Application: A Study in Chef and Compliance
Building A Self-Documenting Application: A Study in Chef and ComplianceBuilding A Self-Documenting Application: A Study in Chef and Compliance
Building A Self-Documenting Application: A Study in Chef and ComplianceKevin Gilpin
 
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access SystemsValerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systemscentralohioissa
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Black Duck by Synopsys
 
Secure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackSecure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackTim Mackey
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFixDenim Group
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?centralohioissa
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep DiveUlisses Albuquerque
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Denim Group
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesBlack Duck by Synopsys
 
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentSafe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentDevOps.com
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019]  AST Platform and the importance of multi-layered application secu...[OPD 2019]  AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...OWASP
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight:Container Tech, Data Centre Security & 2018's Biggest Se...Open Source Insight:Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...Black Duck by Synopsys
 
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Kevin Fealey
 

Was ist angesagt? (20)

Bio IT World 2015 - DevOps Security and Transparency
Bio IT World 2015 - DevOps Security and TransparencyBio IT World 2015 - DevOps Security and Transparency
Bio IT World 2015 - DevOps Security and Transparency
 
Application Security Logging with Splunk using Java
Application Security Logging with Splunk using JavaApplication Security Logging with Splunk using Java
Application Security Logging with Splunk using Java
 
Building A Self-Documenting Application: A Study in Chef and Compliance
Building A Self-Documenting Application: A Study in Chef and ComplianceBuilding A Self-Documenting Application: A Study in Chef and Compliance
Building A Self-Documenting Application: A Study in Chef and Compliance
 
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access SystemsValerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open Source
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
 
Secure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackSecure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStack
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep Dive
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best Practices
 
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentSafe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019]  AST Platform and the importance of multi-layered application secu...[OPD 2019]  AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Flight East 2018 Presentation–Black Duck at Docusign
Flight East 2018 Presentation–Black Duck at DocusignFlight East 2018 Presentation–Black Duck at Docusign
Flight East 2018 Presentation–Black Duck at Docusign
 
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight:Container Tech, Data Centre Security & 2018's Biggest Se...Open Source Insight:Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
 
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
 
Fortify dev ops (002)
Fortify   dev ops (002)Fortify   dev ops (002)
Fortify dev ops (002)
 

Ähnlich wie Can Containers be secured in a PaaS?

[2015-11월 정기 세미나] Cloud Native Platform - Pivotal
[2015-11월 정기 세미나] Cloud Native Platform - Pivotal[2015-11월 정기 세미나] Cloud Native Platform - Pivotal
[2015-11월 정기 세미나] Cloud Native Platform - PivotalOpenStack Korea Community
 
Using containerization to enable your microservice architecture
Using containerization to enable your microservice architecture Using containerization to enable your microservice architecture
Using containerization to enable your microservice architecture Apigee | Google Cloud
 
Accelerating the Software Delivery Pipelinewith Mirantis OpenStack
Accelerating the Software Delivery Pipelinewith Mirantis OpenStackAccelerating the Software Delivery Pipelinewith Mirantis OpenStack
Accelerating the Software Delivery Pipelinewith Mirantis OpenStackBob Sokol
 
Securing serverless system
Securing serverless systemSecuring serverless system
Securing serverless systemNUS-ISS
 
Securing Serverless Systems
Securing Serverless SystemsSecuring Serverless Systems
Securing Serverless SystemsVincent Lau
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsEric Vétillard
 
The New Possible: How Platform-as-a-Service Changes the Game
 The New Possible: How Platform-as-a-Service Changes the Game The New Possible: How Platform-as-a-Service Changes the Game
The New Possible: How Platform-as-a-Service Changes the GameInside Analysis
 
Going Beyond the Device Heart Beat
Going Beyond the Device Heart BeatGoing Beyond the Device Heart Beat
Going Beyond the Device Heart BeatBalwinder Kaur
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)Lancope, Inc.
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Pivotal cf for_devops_mkim_20141209
Pivotal cf for_devops_mkim_20141209Pivotal cf for_devops_mkim_20141209
Pivotal cf for_devops_mkim_20141209minseok kim
 
Cloud Native Application Framework
Cloud Native Application FrameworkCloud Native Application Framework
Cloud Native Application FrameworkVMware Tanzu
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present DangersPeter Wood
 
Pivotal Cloud Platform Roadshow Keynote
Pivotal Cloud Platform Roadshow KeynotePivotal Cloud Platform Roadshow Keynote
Pivotal Cloud Platform Roadshow Keynotecornelia davis
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)danb02
 
CA Unified Infrastructure Management for z Systems: Get a Holistic View of Yo...
CA Unified Infrastructure Management for z Systems: Get a Holistic View of Yo...CA Unified Infrastructure Management for z Systems: Get a Holistic View of Yo...
CA Unified Infrastructure Management for z Systems: Get a Holistic View of Yo...CA Technologies
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedNorm Barber
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedUnifyCloud
 
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...
IBM Security AppExchange Spotlight: Threat Intelligence &  Monitoring Microso...IBM Security AppExchange Spotlight: Threat Intelligence &  Monitoring Microso...
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...IBM Security
 

Ähnlich wie Can Containers be secured in a PaaS? (20)

[2015-11월 정기 세미나] Cloud Native Platform - Pivotal
[2015-11월 정기 세미나] Cloud Native Platform - Pivotal[2015-11월 정기 세미나] Cloud Native Platform - Pivotal
[2015-11월 정기 세미나] Cloud Native Platform - Pivotal
 
Using containerization to enable your microservice architecture
Using containerization to enable your microservice architecture Using containerization to enable your microservice architecture
Using containerization to enable your microservice architecture
 
Accelerating the Software Delivery Pipelinewith Mirantis OpenStack
Accelerating the Software Delivery Pipelinewith Mirantis OpenStackAccelerating the Software Delivery Pipelinewith Mirantis OpenStack
Accelerating the Software Delivery Pipelinewith Mirantis OpenStack
 
Securing serverless system
Securing serverless systemSecuring serverless system
Securing serverless system
 
Securing Serverless Systems
Securing Serverless SystemsSecuring Serverless Systems
Securing Serverless Systems
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
 
The New Possible: How Platform-as-a-Service Changes the Game
 The New Possible: How Platform-as-a-Service Changes the Game The New Possible: How Platform-as-a-Service Changes the Game
The New Possible: How Platform-as-a-Service Changes the Game
 
Going Beyond the Device Heart Beat
Going Beyond the Device Heart BeatGoing Beyond the Device Heart Beat
Going Beyond the Device Heart Beat
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
Pivotal cf for_devops_mkim_20141209
Pivotal cf for_devops_mkim_20141209Pivotal cf for_devops_mkim_20141209
Pivotal cf for_devops_mkim_20141209
 
Cloud Native Application Framework
Cloud Native Application FrameworkCloud Native Application Framework
Cloud Native Application Framework
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 
Application Management in Openstack
Application Management in Openstack Application Management in Openstack
Application Management in Openstack
 
Pivotal Cloud Platform Roadshow Keynote
Pivotal Cloud Platform Roadshow KeynotePivotal Cloud Platform Roadshow Keynote
Pivotal Cloud Platform Roadshow Keynote
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
 
CA Unified Infrastructure Management for z Systems: Get a Holistic View of Yo...
CA Unified Infrastructure Management for z Systems: Get a Holistic View of Yo...CA Unified Infrastructure Management for z Systems: Get a Holistic View of Yo...
CA Unified Infrastructure Management for z Systems: Get a Holistic View of Yo...
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
 
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...
IBM Security AppExchange Spotlight: Threat Intelligence &  Monitoring Microso...IBM Security AppExchange Spotlight: Threat Intelligence &  Monitoring Microso...
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...
 

Kürzlich hochgeladen

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 

Kürzlich hochgeladen (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Can Containers be secured in a PaaS?

  • 1. © Copyright 2015 Pivotal. All rights reserved. Can containers be secured in a PaaS? Tom Kranz tkranz@pivotal.io 1
  • 2. Introductions: who am I? UNIX sysadmin, technical architect, Principal Field Engineer, account manager, security person. Get in touch on LinkedIn or Twitter.
  • 3. Can containers be secured in a PaaS? Maybe. It is not about features: context is important, and implementation is key. And always remember: you will get hacked. Eventually.
  • 4. So what's the context? Who are our attackers? Where are they attacking from? What are they attacking? What data is at risk? The answers give us a risk profile we can use to evaluate the security of an *implementation*. Evaluating the security of a product in isolation, without context, leads to bad risk profiles and poor decisions.
  • 5. Who are our attackers? Opportunists? Someone with a grudge? Professionals? Nation states?
  • 6. August 2015 cyber attack stats (chart). Stats from http://www.hackmageddon.com/
  • 7. Where are they attacking from? Internal or external? What are they attacking? Infrastructure? Applications? Physical location? All of the above? (SPARTA!)
  • 8. What data is at risk? Use the answers to the questions above to work out what data is at risk and where it is. That forms your risk profile, and the profile is what you evaluate an implemented solution against. Evaluate the implementation against the profile, not the product against a checklist!
  • 9. Pivotal Cloud Foundry architecture recap (diagram). Operations Manager: Ops Manager UI, Ops Manager Director. Services (two shown), each with a Service Broker and Service Nodes. Elastic Runtime: HA Proxy / LB, Dynamic Router, Login Server, UAA, Cloud Controller, Health Manager, Messaging (NATS), App Log Aggregator, Metrics Collection, and the DEA Pool running the Apps. Containers!
  • 10. Example: secure PCF implementation (diagram).
  • 11. Why? Leverage existing, tried and tested security solutions where appropriate (isolation, firewalls). Rely on platform security where appropriate (containers, immutable infrastructure). A change in application delivery also drives a change in security mindset: application-centric, not server-centric.
  • 12. Attack vectors: it's the apps! (chart) Stats from http://www.hackmageddon.com/
  • 13. Impact of attacks. Attacker compromises the app and gets access to its core data: this has nothing to do with the platform, and nothing in the platform can stop it. Mitigation: a WAF, and code audits to help write secure code. Attacker compromises the app and gets local container access: if they break anything, BOSH destroys and re-deploys the container; the container is built so that they can't break out of it to root the VM (the DEA), can't sniff network traffic, and can't pivot east/west to attack other internal PCF components.
  • 14. Gentlemen, we can rebuild him. We have the technology. OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Make Jenkins do the work with the OWASP Dependency-Check plugin: https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin Also look at the Web Application Attack and Audit Framework: http://w3af.org/
  • 15. Containerception (diagram).
  • 16. Current tech: Warden (diagram).
  • 17. Future tech: Garden (diagram). More info at http://blog.pivotal.io/pivotal-cloud-foundry/features/cloud-foundry-container-technology-a-garden-overview
  • 18. Container security in PCF: the nitty gritty. Containers provide isolation of resources: CPU, memory, file system, process space and network. Containers have their own private network, which is not accessible from outside the DEA. (Diagram: two DEAs, each hosting four App containers.)
  • 19. Container isolation. Routers forward requests from outside, using the app's route, to the port assigned to the app on the DEA; the DEA does network address translation to the container's internal IP and port. Apps are prevented from communicating directly with each other by container firewall rules; they must communicate through published routes. (Diagram: HA Proxy LB, Dynamic Router, and DEAs with App containers.)
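The forwarding and isolation model of slides 18 and 19, written out as the iptables rules a DEA host would need. This is an added illustration, not Warden's or Cloud Foundry's own rule set: the 10.254.0.0/22 container pool, the DEA address, the internal PCF network, the load balancer address and all port numbers are assumptions for the example. The rules are printed rather than applied so they can be reviewed before use.

```shell
#!/bin/sh
# Added illustration of the slide's forwarding and isolation model as iptables rules on
# one DEA host. Not Warden's or Cloud Foundry's own rule set; every address, subnet and
# port below is assumed for the example. Rules are printed, not applied, so they can be
# reviewed first (pipe the output to sh on a test host to apply them).

CONTAINER_POOL="10.254.0.0/22"   # assumed private pool the DEA hands container addresses from

# emit_dea_baseline <internal_cidr> <lb_ip>
# Ordered FORWARD rules that apply to every container on the DEA:
#   1. replies to already-accepted flows are allowed (must come first, or the DROP rules
#      below would also kill the return half of a DNAT'd request)
#   2. container -> container (east/west) traffic inside the pool is dropped
#   3. container -> the load balancer on 80/443 is allowed: the published route is the
#      only way one app may reach another
#   4. container -> anything else on the internal PCF network (NATS, Cloud Controller,
#      other DEAs) is dropped, so a compromised app cannot pivot
#   5. anything else the container sends out is allowed (permissive egress, assumed;
#      real deployments restrict this further) and masqueraded behind the DEA
emit_dea_baseline() {
    internal_cidr="$1"; lb_ip="$2"
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A FORWARD -s %s -d %s -j DROP\n' "$CONTAINER_POOL" "$CONTAINER_POOL"
    printf 'iptables -A FORWARD -s %s -d %s -p tcp -m multiport --dports 80,443 -j ACCEPT\n' \
        "$CONTAINER_POOL" "$lb_ip"
    printf 'iptables -A FORWARD -s %s -d %s -j DROP\n' "$CONTAINER_POOL" "$internal_cidr"
    printf 'iptables -A FORWARD -s %s -j ACCEPT\n' "$CONTAINER_POOL"
    printf 'iptables -t nat -A POSTROUTING -s %s ! -d %s -j MASQUERADE\n' \
        "$CONTAINER_POOL" "$CONTAINER_POOL"
}

# emit_publish_rules <dea_ip> <host_port> <container_ip> <container_port>
# The path a router takes to reach one app: route -> <dea_ip>:<host_port>, which the
# DEA translates to <container_ip>:<container_port>. The ACCEPT is restricted to
# traffic that did not originate in the pool, so a neighbouring container cannot use
# it to bypass the east/west DROP in emit_dea_baseline whatever the rule order.
emit_publish_rules() {
    dea_ip="$1"; host_port="$2"; container_ip="$3"; container_port="$4"
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$dea_ip" "$host_port" "$container_ip" "$container_port"
    printf 'iptables -A FORWARD ! -s %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$CONTAINER_POOL" "$container_ip" "$container_port"
}

# Example (all values assumed): one DEA at 10.0.16.5, PCF internal network 10.0.0.0/16,
# load balancer at 10.0.0.10, two app containers published on host ports 61001 and 61002,
# each app listening on 8080 inside its container.
emit_dea_baseline 10.0.0.0/16 10.0.0.10
emit_publish_rules 10.0.16.5 61001 10.254.0.6 8080
emit_publish_rules 10.0.16.5 61002 10.254.0.10 8080
```

Two details carry the security property. The ESTABLISHED,RELATED rule has to sit above the DROP rules, otherwise the container's reply to a translated request is discarded and the app is unreachable; and the per-app ACCEPT carries `! -s 10.254.0.0/22`, so a second container on the same DEA that tries the neighbour's internal address and port directly is still caught by the pool-to-pool DROP and has to go back out through the load balancer like any other client.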
  • 20. Warden/Garden networking in detail (diagram).
  • 21. Container filesystems (diagram): a Garden container built with buildpacks, and a Garden container built from a Docker image.
  • 22. Why a different container tech, i.e. why not Docker? Again, context is important: PCF treats containers as disposable, i.e. we don't care about them, and neither should you. Therefore we don't allow access to them. That is a fundamental difference in design principles, and it means we can lock them down much more tightly. To see the implications: http://reventlov.com/advisories/using-the-docker-command-to-root-the-host
  • 23. To summarise, the key points: yes, containers can be secured in a PaaS. This mitigates some attacks and doesn't help with others. It doesn't mean your apps are secure. Don't rely on technology to solve security issues. Build security into your apps from the start. Profile the risk and mitigate what you can. Remember that not all risk can be mitigated. Context is important! You will get hacked; response is key, and that is a whole other topic!
  • 24. THANK YOU! tkranz@pivotal.io https://www.linkedin.com/in/tomkranz @whoopsie