In this talk I will cover the main tips for integrating security into DevOps. I will share my knowledge and experience and help people learn to focus more on DevOps security. In addition to the so-called best practices, developing efficient, readable, scalable and secure code requires the right tools for secure development.
These could be the main talking points:
- How to integrate security into iterative, pipeline-based application development with containers.
- How to secure development environments.
- DevOps security best practices.
● Containers Security
● SecDevops tools
● DevOps security best practices
● Increased speed and agility for security
● Increased or better collaboration and communication across teams.
● Increased opportunities for automated builds and quality assurance testing.
● Early identification of vulnerabilities in
● 1. Containers are NOT Virtual Machines
● 2. Containers are isolated areas within the OS kernel.
● 3. Kubernetes is a Container Orchestration Platform.
● 4. Kubernetes abstracts the cloud vendor (AWS, Azure, GCP) scalability features.
● Build Small Container Images
○ Use Alpine Image as your base Linux OS
○ Use distroless images
○ A smaller image size reduces the container
● Distroless Images
● Container immutability
○ Container images follow a Unix philosophy
○ Container images should be immutable
○ RUN rm /usr/bin/apt-* /usr/bin/dpkg*
● Avoid root user
○ Create a User account
○ Add runtime software under the user account.
○ Run the App under the user account
○ Add a security module (SELinux or AppArmor) to increase the security
● Container Security
○ Secure your HOST OS. Containers run on the host.
○ No Runtime software downloads inside the container.
○ Declare the software requirements at the build time
○ Download Docker base images from an authentic (official) site.
○ Limit the resource utilization using container orchestrators like Kubernetes.
○ Don’t run anything on Super privileged mode.
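The build-time items above (pinned small base image, immutable image with the package manager removed, no root user, no unverified software pulled in at build time) can be checked mechanically before an image is published. The following is an added example written for this page, not code from the talk: a small Dockerfile checker run over a constructed risky Dockerfile and its constructed hardened counterpart. The rule names, the `example.invalid` URL and the threshold of "any finding fails the build" are this example's own assumptions.

```python
import re

# Constructed sample Dockerfile that breaks several of the practices above.
RISKY_DOCKERFILE = """\
FROM python:latest
RUN apt-get update && apt-get install -y curl
RUN curl -sSL https://example.invalid/install.sh | sh
COPY . /app
CMD ["python", "/app/main.py"]
"""

# Constructed hardened counterpart: pinned small base image, package manager
# removed after the build, application runs as a dedicated non-root user.
HARDENED_DOCKERFILE = """\
FROM python:3.12-alpine
RUN adduser -D -H app
COPY --chown=app:app . /app
RUN rm -f /sbin/apk
USER app
CMD ["python", "/app/main.py"]
"""


def parse_instructions(text):
    """Return (INSTRUCTION, argument) pairs; joins backslash-continued lines, skips comments."""
    joined = re.sub(r"\\\n", " ", text)
    instructions = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, arg = line.partition(" ")
        instructions.append((name.upper(), arg.strip()))
    return instructions


def image_is_pinned(image):
    """True if the reference carries a digest or a tag other than :latest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry/namespace so a ':port' is not taken for a tag
    return ":" in last and not last.endswith(":latest")


def check_dockerfile(text):
    """Return a list of findings (strings); an empty list means every check passed."""
    findings = []
    stages = set()
    non_root_user = False
    package_manager_removed = False
    for name, arg in parse_instructions(text):
        if name == "FROM":
            parts = arg.split()
            image = parts[0]
            if len(parts) >= 3 and parts[1].upper() == "AS":
                stages.add(parts[2])
            if image == "scratch" or image in stages:
                continue  # scratch has no tag; stage references are not registry images
            if not image_is_pinned(image):
                findings.append(f"FROM {image}: base image not pinned (use a version tag or digest, not :latest)")
        elif name == "USER":
            non_root_user = arg.split(":")[0] not in ("root", "0")
            if not non_root_user:
                findings.append("USER root: the application would run as root")
        elif name == "RUN":
            # Software should be declared at build time, not piped from the network into a shell.
            if re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", arg):
                findings.append(f"RUN {arg}: pipes an unverified network download into a shell")
            # Immutability: the package manager binary itself is deleted from the image.
            if re.search(r"\brm\b.*/(?:s?bin|usr/s?bin)/(?:apt|apt-get|dpkg|apk|yum|dnf)\b", arg):
                package_manager_removed = True
    if not non_root_user:
        findings.append("no non-root USER instruction: the application would run as root")
    if not package_manager_removed:
        findings.append("package manager still present: software can be installed at runtime (image not immutable)")
    return findings


if __name__ == "__main__":
    for label, dockerfile in (("risky", RISKY_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        result = check_dockerfile(dockerfile)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

In a pipeline this runs as a gate before `docker build`: a non-empty findings list fails the job, so an image that would run as root or still carries its package manager never reaches the registry.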
● Docker hub
○ Do you have your own container registry?
○ Do you check your Dockerfiles?
○ Do your pipelines have permissions and access to publish to Docker Hub?
○ Do you inspect your Dockerfiles?
○ Do you have Docker builds correctly configured?
○ Do you control where layers are built?
● Docker Content Trust
○ export DOCKER_CONTENT_TRUST=1
○ Protection against malicious code in images.
○ Protection against replay attacks.
○ Protection against key compromise.
● Exploring layers in docker images
● Container introspection tool
● Docker bench security
● Kubernetes Security
○ Preventing image manipulation and unauthorized
○ Deploying Pods without root permissions
○ Pod Security Policies
○ Secrets management
● Pods Security
○ Never access a Pod directly from another Pod.
○ Never use :latest tag in the image in the
○ Group your services/pods traffic rules based on
○ Handle specific Resource Allocations for a
○ If you have more than a dozen microservices then it’s time to bring in Namespaces.
● Using official images
○ Use images provided by a vendor
○ Critical vulnerabilities are resolved automatically when they are updated.
Dangerous pod configurations
● CPU and memory limits to prevent DoS
● runAsNonRoot flag in pod configuration
● Capabilities in pod configuration
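The three items above, together with the earlier "Deploying Pods without root permissions" and "Never use :latest tag" points, are properties of the pod spec that can be checked before `kubectl apply`. Below is an added example written for this page, not code from the talk or from any Kubernetes project: a checker that walks a pod manifest (already loaded as a dict, as `yaml.safe_load` would produce) and lists the dangerous settings. Both manifests are constructed; the registry name `registry.example` and the exact set of rules are this example's own assumptions.

```python
# Constructed pod spec with several of the problems named on the slide.
RISKY_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "hostPID": True,  # shares the host's process namespace
        "containers": [{
            "name": "app",
            "image": "registry.example/app:latest",
            "securityContext": {
                "privileged": True,
                "capabilities": {"add": ["SYS_ADMIN", "NET_ADMIN"]},
            },
        }],
    },
}

# The same pod with the slide's practices applied: non-root, no added capabilities,
# everything dropped, no privilege escalation, pinned image, CPU and memory limits.
SAFE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "app",
            "image": "registry.example/app:1.4.2",
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def image_is_pinned(image):
    """True if the image reference has a digest or a tag other than :latest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]
    return ":" in last and not last.endswith(":latest")


def check_pod(pod):
    """Return a list of findings for a pod manifest; empty means no dangerous setting found."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"spec.{flag}=true shares a host namespace with the pod")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if not image_is_pinned(c.get("image", "")):
            findings.append(f"{name}: image {c.get('image')!r} uses :latest or no tag (not reproducible)")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true gives the container full access to host devices")
        # Container-level runAsNonRoot overrides the pod-level value; unset means root is allowed.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot not set; the container may run as root")
        if caps.get("add"):
            findings.append(f"{name}: adds capabilities {caps['add']}")
        if "ALL" not in [d.upper() for d in caps.get("drop", [])]:
            findings.append(f"{name}: does not drop ALL capabilities")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        limits = c.get("resources", {}).get("limits", {})
        for resource in ("cpu", "memory"):
            if resource not in limits:
                findings.append(f"{name}: no {resource} limit; a runaway container can starve the node (DoS)")
    return findings


if __name__ == "__main__":
    for label, pod in (("risky", RISKY_POD), ("safe", SAFE_POD)):
        result = check_pod(pod)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The same checks are what a Pod Security Policy (or its successor, Pod Security Admission) enforces cluster-side; running them in the pipeline as well catches the misconfiguration before it is rejected at deploy time.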
Kubebench-CIS Kubernetes Benchmark
● Master Node Security Configuration
○ API Server
○ Controller Manager / Configuration Files
○ General Security Primitives
● Worker Node Security Configuration
○ Configuration Files
Kubebench-CIS Kubernetes Benchmark
Pod Security Policies
Kube PSP advisor
Sysdig falco policies
○ A shell that runs inside a container with root
○ A process that generates another process with
○ Reading a confidential file, for example the
○ A process that is using a file that is not a device type in the /dev path, indicating a possible rootkit activity.
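The Falco policies listed above are runtime detections: each rule is a predicate over process and file events coming from the kernel. The following is an added example written for this page, not Falco's own rule syntax or engine: three of the listed rules expressed as Python predicates and evaluated over a constructed stream of syscall-style events. The event field names, the `SENSITIVE_FILES` list (the slide's example file is cut off, so `/etc/shadow` and `/etc/sudoers` are this example's assumption) and the container name are all constructed.

```python
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
SENSITIVE_FILES = {"/etc/shadow", "/etc/sudoers"}  # assumption: the slide's example file is not on the page
DEVICE_TYPES = {"char", "block"}

# Constructed events, each one process or file action as a runtime sensor would report it.
EVENTS = [
    {"type": "execve", "proc": "bash", "parent": "runc", "uid": 0, "container": "web-1", "tty": True},
    {"type": "execve", "proc": "node", "parent": "runc", "uid": 1000, "container": "web-1", "tty": False},
    {"type": "execve", "proc": "sh", "parent": "node", "uid": 1000, "container": "web-1", "tty": False},
    {"type": "open", "proc": "node", "uid": 1000, "container": "web-1", "path": "/app/config.json", "ftype": "regular"},
    {"type": "open", "proc": "cat", "uid": 0, "container": "web-1", "path": "/etc/shadow", "ftype": "regular"},
    {"type": "open", "proc": "kmod_helper", "uid": 0, "container": "web-1", "path": "/dev/.hidden", "ftype": "regular"},
    {"type": "open", "proc": "node", "uid": 1000, "container": "web-1", "path": "/dev/null", "ftype": "char"},
]


def rule_root_shell_in_container(ev):
    """A shell started as uid 0 inside a container (interactive or not)."""
    return ev["type"] == "execve" and ev["proc"] in SHELLS and ev["uid"] == 0 and bool(ev.get("container"))


def rule_sensitive_file_read(ev):
    """A read of a confidential file such as the shadow password file."""
    return ev["type"] == "open" and ev.get("path") in SENSITIVE_FILES


def rule_non_device_under_dev(ev):
    """/dev should hold only device nodes; a regular file there is a classic rootkit hiding place."""
    return (
        ev["type"] == "open"
        and ev.get("path", "").startswith("/dev/")
        and ev.get("ftype") not in DEVICE_TYPES
    )


RULES = [
    ("Shell spawned as root in container", rule_root_shell_in_container),
    ("Sensitive file read", rule_sensitive_file_read),
    ("Non-device file opened under /dev", rule_non_device_under_dev),
]


def evaluate(events, rules=RULES):
    """Run every rule over every event; return (rule title, container, process, path-or-None) per hit."""
    alerts = []
    for ev in events:
        for title, rule in rules:
            if rule(ev):
                alerts.append((title, ev.get("container"), ev["proc"], ev.get("path")))
    return alerts


if __name__ == "__main__":
    for title, container, proc, path in evaluate(EVENTS):
        print(f"ALERT [{container}] {title}: proc={proc} path={path}")
```

Note the third event: a shell spawned by the application as a non-root user is deliberately not alerted by the first rule, so the rule set stays readable about what it does and does not cover; a production rule set tunes such exceptions per workload.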
Security best practices
● Do not run containers and pods as root.
● Disable capabilities and privileges
● One application per container (microservice)
● Use small images
● Training and communication is the key to
● DevSecOps is not only about tools, but the correct tools are necessary.
● Follow “Least privilege principle”