Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SecDevOps containers

jmortegac
June 18, 2020
Technology
1
840

SecDevOps containers

In this talk I will speak about main tips for integrating Security into DevOps. I will share my knowledge and experience and help people learn to focus more on DevOps Security. In addition to the so-called best practices, the development of efficient, readable, scalable and secure code, requires the right tools for security development.

These could be the main talking points:
-How to integrate security into iteration and pipeline application development with containers.
-How to secure development environments.
-DevOps security best practices

jmortegac

June 18, 2020
Tweet

More Decks by jmortegac

See All by jmortegac
Asegurando tus APIs: Explorando el OWASP Top 10 de Seguridad en APIs
jmortega
1
18
PyGoat: Analizando la seguridad en aplicaciones Django
jmortega
1
47
Evolution of security strategies in K8s environments- All day devops
jmortega
1
26
Ciberseguridad en Blockchain y Smart Contracts: Explorando los desafíos y soluciones
jmortega
1
52
Evolution of security strategies in K8s environments
jmortega
1
20
Implementing Observability for Kubernetes
jmortega
1
18
Computación distribuida usando Python
jmortega
1
91
Seguridad_en_arquitecturas_serverless_y_entornos_cloud.pdf
jmortega
1
110
Construyendo arquitecturas zero trust sobre entornos cloud
jmortega
1
65

Other Decks in Technology

See All in Technology
Databricks における 『MLOps』
databricksjapan
2
170
APIファーストなプロダクトマネジメントの実践 〜SaaSus Platformでの例〜 / "Practicing API-First Product Management - An Example with SaaSus Platform
oztick139
0
110
非同期推論システムによるコスト削減と信頼性向上
koki_nishihara
0
260
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
ks91
PRO
0
120
IaCジェネレーターとBedrockで詳細設計書を生成してみた
tsukasa_ishimaru
1
280
一生覚えておきたい「システム開発=コミュニケーション」〜初めての実務案件振り返りLT〜
maimyyym
1
160
本当のAWS基礎
toru_kubota
0
530
ChatworkのSRE部って実は 半分くらいPlatform Engineering部かもしれない
saramune
0
160
アクセス制御にまつわる改善 / Improving access control
itkq
0
550
Java EE/Jakarta EEの現状と将来 ―クラウドネイティブ時代にJava EEは対応できるのか?―
takakiyo
1
170
ゼロから始めるVue.jsコミュニティ貢献 / first-vuejs-community-contribution-link-and-motivation
lmi
1
130
Building a RAG-powered AI chat app with Python and VS Code
pamelafox
0
100

Featured

See All Featured
Learning to Love Humans: Emotional Interface Design
aarron
267
39k
Navigating Team Friction
lara
178
13k
Documentation Writing (for coders)
carmenintech
60
3.9k
Pencils Down: Stop Designing & Start Developing
hursman
117
11k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
30
6k
What's in a price? How to price your products and services
michaelherold
237
11k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
14
1.6k
Statistics for Hackers
jakevdp
789
220k
Mobile First: as difficult as doing things right
swwweet
216
8.6k
A Tale of Four Properties
chriscoyier
151
22k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k

Transcript

  1. SecDevops Containers

  2. SecDevops Containers • @jmortegac • http://jmortega.github.io • https://www.linkedin.com/in/jmortega1/

  3. SecDevops Containers https://bpbonline.com/products/devops-and-containers-security- security-and-monitoring-in-docker-containers

  4. • Introduction • Containers Security • SecDevops tools • DevOps

    security best practices SecDevops Containers

  5. SecDevops Containers

  6. SecDevops Containers

  7. SecDevops Containers • Increased speed and agility for security teams.

    • Increased or better collaboration and communication across teams. • Increased opportunities for automated builds and quality assurance testing. • Early identification of vulnerabilities in application code.

  8. • 1. Containers are NOT Virtual Machines • 2. Containers

    are isolated area in the OS kernel • 3. Kubernetes is a Container Orchestration Platform. • 4. Kubernetes abstracts the cloud vendor (AWS,Azure, GCP) scalability features. SecDevops Containers

  9. • Build Small Container Images ◦ Use Alpine Image as

    your base Linux OS ◦ Using distroless images ◦ Smaller image size reduce the Container vulnerabilities. SecDevops Containers

  10. • Distroless Images ◦ https://github.com/GoogleCloudPlatform/distroless SecDevops Containers

  11. • Containers inmutability ◦ Container images follow a unix philosophy

    ◦ Container images should be immutable ◦ RUN rm /usr/bin/apt-* /usr/bin/dpkg* SecDevops Containers

  12. • Avoid root user ◦ Create a User account ◦

    Add Runtime software’s based on the User Account. ◦ Run the App under the user account ◦ Add Security module SELinux or AppArmour to increase the security SecDevops Containers

  13. • Container Security ◦ Secure your HOST OS. Containers runs

    on Host Kernel. ◦ No Runtime software downloads inside the container. ◦ Declare the software requirements at the build time itself. ◦ Download Docker base images from Authentic site. ◦ Limit the resource utilization using Container orchestrators like Kubernetes. ◦ Don’t run anything on Super privileged mode. SecDevops Containers

  14. • Docker hub ◦ Do you have your own container

    registry? ◦ Do you check your Dockerfiles? ◦ Your pipelines has permissions and access to publish in docker hub? ◦ Do you inspect your Dockerfiles? ◦ Do you have Docker builds correctly configured? ◦ Do you control where layers are built? SecDevops Containers

  15. • Docker Content Trust ◦ https://docs.docker.com/engine/security/trust/ content_trust/ ◦ export DOCKER_CONTENT_TRUST

    =1 ◦ Protection of malicious code in images. ◦ Protection against repeated attacks. ◦ Protection against key commitments. SecDevops Containers

  16. • Exploring layers in docker images ◦ https://github.com/wagoodman/dive SecDevops Containers

  17. • Container introspection tool ◦ https://github.com/genuinetools/amicontained SecDevops Containers

  18. • Docker bench security ◦ https://github.com/docker/docker-bench-security SecDevops Containers

  19. SecDevops Containers

  20. SecDevops Containers

  21. SecDevops Containers

  22. SecDevops Containers

  23. • Kubernetes Security ◦ Preventing image manipulation and unauthorized access

    ◦ Deploying Pods without root permissions ◦ Pod Security Policies ◦ Secrets management SecDevops Containers

  24. • Pods Security ◦ Never access a Pod directly from

    another Pod. ◦ Never use :latest tag in the image in the production scenario. SecDevops Containers

  25. • Namespaces ◦ Group your services/pods traffic rules based on

    specific namespace. ◦ Handle specific Resource Allocations for a Namespace. ◦ If you have more than a dozen Microservices then it’s time to bring in Namespaces. SecDevops Containers

  26. • Using official images ◦ Use images provided by a

    vendor ◦ Critical vulnerabilities are resolved automatically when they are updated. SecDevops Containers

  27. • https://kubesec.io/ SecDevops Containers

  28. SecDevops Containers

  29. SecDevops Containers Dangerous pod configurations

  30. SecDevops Containers CPU and memory limits to prevent DoS

  31. SecDevops Containers runAsNonRoot flag in pod configuration

  32. SecDevops Containers Capabilities in pod configuration

  33. SecDevops Containers Kubebench-CIS Kubernetes Benchmark https://github.com/aquasecurity/kube-bench • Master Node Security

    Configuration ◦ API Server ◦ Scheduler ◦ Controller Manager /Configuration Files ◦ General Security Primitives ◦ PodSecurityPolicices • Worker Node Security Configuration ◦ Kubelet ◦ Configuration Files

  34. SecDevops Containers Kubebench-CIS Kubernetes Benchmark https://github.com/aquasecurity/kube-bench

  35. SecDevops Containers Kubehunter

  36. SecDevops Containers Kubeaudit https://github.com/Shopify/kubeaudit

  37. SecDevops Containers Pod Security Policies https://kubernetes.io/docs/concepts/policy/pod-security-policy/

  38. SecDevops Containers Kube PSP advisor https://kubernetes.io/docs/concepts/policy/pod-security-policy/ "hostNetwork": [ { "metadata":

    { "name": "busy-rs", "kind": "ReplicaSet" }, "namespace": "psp-test", "hostPID": true, "hostNetwork": true, "hostIPC": true, "volumeTypes": [ "configMap" ] }, { "metadata": { "name": "busy-pod", "kind": "Pod" }, "namespace": "psp-test", "hostNetwork": true, "volumeTypes": [ "hostPath", "secret" ], "mountedHostPath": [ "/usr/bin" ]

  39. SecDevops Containers Sysdig falco https://sysdig.com/opensource/falco/

  40. SecDevops Containers Sysdig falco policies ◦ A shell that runs

    inside a container with root privileges. ◦ A process that generates another process with unexpected behavior. ◦ Reading a confidential file, for example the etc/shadow ◦ A process that is using a file that is not a device type in the /dev path, indicating a possible rootkit activity.

  41. SecDevops Containers Security best practices • Do not run containers

    and pods as root. • Disable capabilities and privileges • One application per container, microservice oriented approach. • Use small images

  42. • Training and communication is the key to success •

    DevSecOps is not about only ools but the correct tools are necessary. • Follow “Least privilege principle” SecDevops Containers

  43. • https://opensource.com/article/18/8/tools-container-s ecurity • https://www.devsecops.org/ • https://github.com/devsecops/awesome-devsecops • https://cloudowski.com/articles/how-to-increase-cont ainer-security-with-proper-images/

    • https://www.twistlock.com/container-security • https://developer.okta.com/blog/2019/07/18/container -security-a-developer-guide SecDevops Containers