Matthew Barker - What Goes In Must Come Out, Hidden Defects in Your Docker Containers

Containers package the application, the OS, utilities, and configuration into one deployable unit. That adds up to a lot of hidden complexity. How can developers ensure their containers perform well, are of high quality, and are not a security risk? Let’s explore automated methods and tools to achieve those goals.

DevOpsDays KC 2017

September 22, 2017
Transcript

  1. WHAT GOES IN MUST COME OUT: Hidden Defects in Your Docker Containers
    Matthew Barker, Solution Architect, Twistlock (matthewabq)
  2. Security Advantages of Docker Containers
    Minimal, Reproducible, Task specific, Isolated, Short lived, Immutable. © 2017
  3. 7 thousand docker pulls per minute. 2 billion+ total pulls.
    What could go wrong?
  4. OUR INVENTORY: IMAGES
  5. OUR INVENTORY: COMPONENTS
  6. (Stack diagram) Application 1: OS, Java, Utilities, Binary/OSS Components, Plugins.
    Application 2: OS, Ruby on Rails, Utilities, Binary/OSS Components, Plugins.
    Both run on the Docker Engine, which runs on the Host Operating System.
  7. A SIMPLE CONTAINER BASED WEBAPP
    # Dockerfile for Simple Web Application
    FROM tomcat:8.0
    MAINTAINER Matthew Barker
    # update and install openssh-server
    RUN apt-get update && apt-get install -y apt-transport-https && \
        apt-get install -y openssh-server
    # Build and statically deploy the application war file
    ADD target/web-app.war /usr/local/tomcat/webapps
    What can go wrong?
  8. FROM tomcat:8.0 -> 27 HIGH LEVEL VULNERABILITIES
  9. RUN apt-get install -y openssh-server -> 4 HIGH LEVEL VULNERABILITIES
  10. ADD target/web-app.war /usr/local/tomcat/webapps -> 6 HIGH LEVEL COMPONENT (JAR) VULNERABILITIES
  11. Other Considerations: 4 HIGH/MEDIUM LEVEL COMPLIANCE ISSUES (Docker Standards Compliance)
  12. Securing Your Containers. Step 1: Utilize and build secure and compliant images
    Use a small footprint. Shift left (compliance, security). Automate, Automate, Automate.
  13. Securing Your Containers. Step 2: Maintain a clean inventory of images
    Update frequently. Continuously verify: automated scans with alerts.
  14. Securing Your Containers. Step 3: Be vigilant and lock down deployments
    Automate everything! Include runtime protection (host and containers). Deploy frequently. Continuously monitor deployed container images.
  15. SECURE VERSION OF DOCKERFILE
    # Dockerfile for Secure Web Application
    # Use base image free of vulnerabilities
    FROM tomcat:9-alpine
    MAINTAINER Matthew Barker
    # Remediate vulnerable source code and components
    # then Deploy App
    ADD package/target/WebApp-5.5.war /usr/local/tomcat/webapps
  16. REMEDIATE COMPLIANCE ISSUES
    # Dockerfile for Secure and Compliant Web Application
    # Put private RSA keys in a secrets vault and inject into container
    # remove these secrets from the image
    RUN rm /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_rsa_key
    # setup and run as admin user, NEVER RUN AS ROOT
    COPY tomcat-users.xml /usr/local/tomcat/conf/
    RUN adduser -D -u 1000 admin \
        && chown -R admin /usr/local/tomcat
    USER admin
  17. SECURING THE APP LAYER
  18. SECURING THE APP LAYER
  19. SECURING THE APP LAYER
  20. Want more information? Email me at matthew@twistlock.com for a copy of the slide presentation. © 2017
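The "automate, automate, automate" advice in steps 1 to 3 can be made concrete as a pre-build check that catches the structural defects the talk's insecure Dockerfile shows (unpinned base image, an SSH server installed into the image, ADD where COPY is meant, key material baked into a layer, no non-root USER). The script below is an added example, not code from the talk or a Twistlock tool; it assumes only POSIX sh, awk and mktemp, and the two Dockerfiles it checks are constructed for this example to mirror the talk's "before" and "after" versions. It goes a little beyond the slides by treating the checks generically (any SSH daemon, any private-key filename pattern) rather than only the specific lines shown.

```shell
#!/bin/sh
# Added example, not from the talk or Twistlock: a small Dockerfile lint
# that flags the defect classes the slides walk through, so the check can
# run in CI before an image is built. Uses only sh, awk and mktemp.

# Join backslash-continued lines so each instruction is one logical line.
join_continuations() {
  awk '{ line = $0
         if (line ~ /\\[ \t]*$/) { sub(/\\[ \t]*$/, "", line); buf = buf line " "; next }
         print buf line; buf = "" }' "$1"
}

# Print one "WARN: ..." line per finding for the Dockerfile at $1.
lint_dockerfile() {
  logical=$(join_continuations "$1")

  # Unpinned base image: without a tag (or with :latest) every build may pull
  # a different image, so yesterday's scan result does not describe what ships.
  printf '%s\n' "$logical" | awk 'toupper($1) == "FROM" && $2 != "scratch" {
      if ($2 !~ /[:@]/ || $2 ~ /:latest$/)
        print "WARN: FROM " $2 " is not pinned to a tag or digest" }'

  # An SSH daemon inside the image is extra attack surface (slide 9: four
  # high-severity findings from openssh-server alone).
  printf '%s\n' "$logical" | awk 'toupper($1) == "RUN" && /openssh-server|dropbear|[^a-z]sshd([^a-z]|$)/ {
      print "WARN: RUN installs an SSH server inside the image" }'

  # ADD of a plain local file: COPY states the intent; ADD also fetches URLs
  # and silently unpacks archives.
  printf '%s\n' "$logical" | awk 'toupper($1) == "ADD" && $2 !~ /^https?:\/\// && $2 !~ /\.(tar|tgz|tar\.gz|tar\.bz2|tar\.xz)$/ {
      print "WARN: ADD " $2 " copies a plain local file; prefer COPY" }'

  # Private key material baked into a layer stays in the image history even
  # if a later layer deletes it; inject it at runtime from a vault instead.
  printf '%s\n' "$logical" | awk '(toupper($1) == "ADD" || toupper($1) == "COPY") &&
      /(id_rsa|id_dsa|id_ecdsa|id_ed25519|ssh_host_[a-z0-9]+_key|\.pem|\.key)([^A-Za-z0-9]|$)/ {
      print "WARN: " $1 " " $2 " looks like private key material" }'

  # No USER, or a final USER of root: the process runs as root (slide 16:
  # "NEVER RUN AS ROOT").
  last_user=$(printf '%s\n' "$logical" | awk 'toupper($1) == "USER" { u = $2 } END { print u }')
  case "$last_user" in
    ""|root|0|root:*|0:*) echo "WARN: no non-root USER instruction; the container runs as root" ;;
  esac
}

# Number of findings, for a CI gate (fail the build when it is non-zero).
count_findings() {
  lint_dockerfile "$1" | awk '/^WARN:/ { n++ } END { print n + 0 }'
}

# Constructed samples modelled on the talk's "before" and "after" Dockerfiles.
INSECURE_DOCKERFILE=$(mktemp)
cat > "$INSECURE_DOCKERFILE" <<'EOF'
FROM tomcat
MAINTAINER Matthew Barker
RUN apt-get update && apt-get install -y apt-transport-https && \
    apt-get install -y openssh-server
ADD id_rsa /root/.ssh/id_rsa
ADD target/web-app.war /usr/local/tomcat/webapps
EOF

HARDENED_DOCKERFILE=$(mktemp)
cat > "$HARDENED_DOCKERFILE" <<'EOF'
FROM tomcat:9-alpine
COPY tomcat-users.xml /usr/local/tomcat/conf/
COPY package/target/WebApp-5.5.war /usr/local/tomcat/webapps/
RUN adduser -D -u 1000 admin \
    && chown -R admin /usr/local/tomcat
USER admin
EOF
trap 'rm -f "$INSECURE_DOCKERFILE" "$HARDENED_DOCKERFILE"' EXIT

echo "insecure Dockerfile: $(count_findings "$INSECURE_DOCKERFILE") findings"
lint_dockerfile "$INSECURE_DOCKERFILE"
echo "hardened Dockerfile: $(count_findings "$HARDENED_DOCKERFILE") findings"
```

Run it against a real Dockerfile with `lint_dockerfile path/to/Dockerfile` and gate the pipeline on `count_findings` being zero. This lint only covers what is visible in the Dockerfile text; the 27, 4 and 6 high-severity findings on slides 8 to 10 come from scanning the built image's packages and JARs, which still needs an image scanner run on every build as step 2 describes.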