
SecDevOps containers


In this talk I will speak about the main tips for integrating security into DevOps. I will share my knowledge and experience to help people focus more on DevOps security. In addition to the so-called best practices, developing efficient, readable, scalable and secure code requires the right tools for security development.

These could be the main talking points:
- How to integrate security into iteration and pipeline application development with containers.
- How to secure development environments.
- DevOps security best practices.


June 18, 2020



  1. SecDevops Containers
     • Increased speed and agility for security teams.
     • Increased or better collaboration and communication across teams.
     • Increased opportunities for automated builds and quality assurance testing.
     • Early identification of vulnerabilities in application code.
  2. • 1. Containers are NOT Virtual Machines
     • 2. Containers are isolated areas in the OS kernel
     • 3. Kubernetes is a Container Orchestration Platform.
     • 4. Kubernetes abstracts the cloud vendor (AWS, Azure, GCP) scalability features.
  3. • Build Small Container Images
       ◦ Use an Alpine image as your base Linux OS
       ◦ Use distroless images
       ◦ A smaller image size reduces the container's vulnerabilities.
  4. • Container immutability
       ◦ Container images follow a Unix philosophy
       ◦ Container images should be immutable
       ◦ RUN rm /usr/bin/apt-* /usr/bin/dpkg*
  5. • Avoid the root user
       ◦ Create a user account
       ◦ Install runtime software under that user account
       ◦ Run the app under the user account
       ◦ Add a security module (SELinux or AppArmor) to increase the security
  6. • Container Security
       ◦ Secure your HOST OS. Containers run on the host kernel.
       ◦ No runtime software downloads inside the container.
       ◦ Declare the software requirements at build time.
       ◦ Download Docker base images from an authentic source.
       ◦ Limit resource utilization using container orchestrators like Kubernetes.
       ◦ Don't run anything in privileged mode.
  7. • Docker Hub
       ◦ Do you have your own container registry?
       ◦ Do you check your Dockerfiles?
       ◦ Do your pipelines have permissions and access to publish to Docker Hub?
       ◦ Do you inspect your Dockerfiles?
       ◦ Do you have Docker builds correctly configured?
       ◦ Do you control where layers are built?
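An added example, not from the deck, of the kind of Dockerfile inspection a pipeline can run before it is allowed to publish: it checks three rules from the slides above (a pinned base image tag rather than :latest, a non-root USER, and removal of the package manager for immutability) against a constructed weak Dockerfile and its hardened form. The two Dockerfiles, the regex for the package-manager check and the function names are assumptions made for this illustration.

```python
import re

# Constructed Dockerfiles for this example (not from the deck): a weak one and
# its hardened form following the deck's rules.
WEAK = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y python3
COPY app.py /app/app.py
CMD ["python3", "/app/app.py"]
"""
HARDENED = """\
FROM python:3.8-alpine3.12
RUN addgroup -S app && adduser -S -G app app
COPY --chown=app:app app.py /app/app.py
RUN rm -f /sbin/apk /usr/bin/wget
USER app
CMD ["python3", "/app/app.py"]
"""

# Matches a RUN that deletes a package manager binary (immutability rule).
PKG_MGR_RM = re.compile(r"\brm\b.*\b(apt|apt-get|dpkg|apk|yum|dnf)\b")

def parse(dockerfile):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations."""
    for line in dockerfile.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ins, _, arg = line.partition(" ")
            yield ins.upper(), arg.strip()

def image_tag(image):
    """Tag of an image reference: 'digest' if pinned by @sha256, '' if absent."""
    if "@" in image:
        return "digest"
    return image.rsplit("/", 1)[-1].partition(":")[2]

def check(dockerfile):
    """Return policy findings for one Dockerfile; an empty list means it passes."""
    findings, user, pkg_mgr_removed = [], None, False
    for ins, arg in parse(dockerfile):
        if ins == "FROM" and image_tag(arg.split()[0]) in ("", "latest"):
            findings.append(f"FROM {arg}: unpinned tag, never use :latest")
        elif ins == "USER":
            user = arg.split(":")[0]          # "name" or "uid[:gid]"
        elif ins == "RUN" and PKG_MGR_RM.search(arg):
            pkg_mgr_removed = True
    if user in (None, "root", "0"):
        findings.append("no non-root USER: the app would run as root")
    if not pkg_mgr_removed:
        findings.append("package manager kept: image is not immutable")
    return findings
```

Running check(WEAK) reports all three findings, while check(HARDENED) returns an empty list.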
  8. • Docker Content Trust
       ◦ https://docs.docker.com/engine/security/trust/content_trust/
       ◦ export DOCKER_CONTENT_TRUST=1
       ◦ Protection against malicious code in images.
       ◦ Protection against replay attacks.
       ◦ Protection against key compromise.
  9. • Kubernetes Security
       ◦ Preventing image manipulation and unauthorized access
       ◦ Deploying Pods without root permissions
       ◦ Pod Security Policies
       ◦ Secrets management
  10. • Pod Security
        ◦ Never access a Pod directly from another Pod.
        ◦ Never use the :latest tag in the image in a production scenario.
  11. • Namespaces
        ◦ Group your services/pods traffic rules based on a specific namespace.
        ◦ Handle specific resource allocations for a namespace.
        ◦ If you have more than a dozen microservices, then it's time to bring in namespaces.
  12. • Using official images
        ◦ Use images provided by a vendor
        ◦ Critical vulnerabilities are resolved automatically when they are updated.
  13. Kube-bench: CIS Kubernetes Benchmark
      https://github.com/aquasecurity/kube-bench
      • Master Node Security Configuration
        ◦ API Server
        ◦ Scheduler
        ◦ Controller Manager / Configuration Files
        ◦ General Security Primitives
        ◦ PodSecurityPolicies
      • Worker Node Security Configuration
        ◦ Kubelet
        ◦ Configuration Files
  14. Kube PSP advisor
      https://kubernetes.io/docs/concepts/policy/pod-security-policy/
      "hostNetwork": [
        {
          "metadata": { "name": "busy-rs", "kind": "ReplicaSet" },
          "namespace": "psp-test",
          "hostPID": true,
          "hostNetwork": true,
          "hostIPC": true,
          "volumeTypes": [ "configMap" ]
        },
        {
          "metadata": { "name": "busy-pod", "kind": "Pod" },
          "namespace": "psp-test",
          "hostNetwork": true,
          "volumeTypes": [ "hostPath", "secret" ],
          "mountedHostPath": [ "/usr/bin" ]
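An added example, not from the deck or from kube-psp-advisor itself, of triaging a report shaped like the fragment above: it flags host namespace sharing (hostPID, hostNetwork, hostIPC), hostPath volumes and mounts of sensitive host directories, which are the settings a Pod Security Policy for the psp-test namespace should forbid. The report JSON (completed and extended with a clean workload), the sensitive-path list and the function names are constructed for this illustration and assume the report's shape rather than the tool's exact output format.

```python
import json

# Constructed report, shaped like the kube-psp-advisor fragment on the slide
# (an assumption for this example, not the tool's verbatim output format).
REPORT = json.loads("""
{"hostNetwork": [
  {"metadata": {"name": "busy-rs", "kind": "ReplicaSet"}, "namespace": "psp-test",
   "hostPID": true, "hostNetwork": true, "hostIPC": true,
   "volumeTypes": ["configMap"]},
  {"metadata": {"name": "busy-pod", "kind": "Pod"}, "namespace": "psp-test",
   "hostNetwork": true, "volumeTypes": ["hostPath", "secret"],
   "mountedHostPath": ["/usr/bin"]},
  {"metadata": {"name": "web", "kind": "Deployment"}, "namespace": "prod",
   "volumeTypes": ["configMap", "secret"]}
]}
""")

# Host directories whose exposure lets a container tamper with the node.
SENSITIVE_HOST_PATHS = ("/etc", "/usr/bin", "/usr/sbin", "/var/run", "/proc", "/sys")

def sensitive(path):
    """True for '/' or any path at or under one of the sensitive prefixes."""
    return path == "/" or any(path == p or path.startswith(p + "/")
                              for p in SENSITIVE_HOST_PATHS)

def triage(workload):
    """List what a Pod Security Policy should forbid for this workload."""
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if workload.get(flag):
            findings.append(f"{flag}=true shares a node namespace")
    if "hostPath" in workload.get("volumeTypes", []):
        findings.append("hostPath volume mounts the node filesystem")
    for path in workload.get("mountedHostPath", []):
        if sensitive(path):
            findings.append(f"sensitive host path mounted: {path}")
    return findings

def report(data):
    """Map 'namespace/Kind/name' to findings; clean workloads are omitted and
    a workload listed under several report keys is triaged only once."""
    out, seen = {}, set()
    for workloads in data.values():
        for w in workloads:
            key = f"{w['namespace']}/{w['metadata']['kind']}/{w['metadata']['name']}"
            if key not in seen:
                seen.add(key)
                findings = triage(w)
                if findings:
                    out[key] = findings
    return out
```

report(REPORT) flags busy-rs (three shared host namespaces) and busy-pod (hostNetwork, a hostPath volume and the /usr/bin mount) and omits the clean web Deployment.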
  15. Sysdig Falco policies
      ◦ A shell that runs inside a container with root privileges.
      ◦ A process that spawns another process with unexpected behavior.
      ◦ Reading a confidential file, for example /etc/shadow.
      ◦ A process that is using a file that is not a device type in the /dev path, indicating possible rootkit activity.
  16. Security best practices
      • Do not run containers and pods as root.
      • Disable capabilities and privileges.
      • One application per container, a microservice-oriented approach.
      • Use small images.
  17. • Training and communication is the key to success
      • DevSecOps is not only about tools, but the correct tools are necessary.
      • Follow the "Least privilege principle"