SecDevOps containers

SecDevops Containers

View Slide

● @jmortegac
● http://jmortega.github.io
● https://www.linkedin.com/in/jmortega1/

View Slide

https://bpbonline.com/products/devops-and-containers-security-
security-and-monitoring-in-docker-containers

View Slide

● Introduction
● Containers Security
● SecDevops tools
● DevOps security best practices

View Slide


View Slide

● Increased speed and agility for security
teams.
● Increased or better collaboration and
communication across teams.
● Increased opportunities for automated builds
and quality assurance testing.
● Early identification of vulnerabilities in
application code.

View Slide

● 1. Containers are NOT Virtual Machines
● 2. Containers are isolated area in the OS kernel
● 3. Kubernetes is a Container Orchestration Platform.
● 4. Kubernetes abstracts the cloud vendor (AWS,Azure,
GCP) scalability features.

View Slide

● Build Small Container Images
○ Use Alpine Image as your base Linux OS
○ Using distroless images
○ Smaller image size reduce the Container
vulnerabilities.

View Slide

● Distroless Images
○ https://github.com/GoogleCloudPlatform/distroless

View Slide

● Containers inmutability
○ Container images follow a unix philosophy
○ Container images should be immutable
○ RUN rm /usr/bin/apt-* /usr/bin/dpkg*

View Slide

● Avoid root user
○ Create a User account
○ Add Runtime software’s based on the User Account.
○ Run the App under the user account
○ Add Security module SELinux or AppArmour to
increase the security

View Slide

● Container Security
○ Secure your HOST OS. Containers runs on Host
Kernel.
○ No Runtime software downloads inside the container.
○ Declare the software requirements at the build time
itself.
○ Download Docker base images from Authentic site.
○ Limit the resource utilization using Container
orchestrators like Kubernetes.
○ Don’t run anything on Super privileged mode.

View Slide

● Docker hub
○ Do you have your own container registry?
○ Do you check your Dockerfiles?
○ Your pipelines has permissions and access to publish
in docker hub?
○ Do you inspect your Dockerfiles?
○ Do you have Docker builds correctly configured?
○ Do you control where layers are built?

View Slide

● Docker Content Trust
○ https://docs.docker.com/engine/security/trust/
content_trust/
○ export DOCKER_CONTENT_TRUST =1
○ Protection of malicious code in images.
○ Protection against repeated attacks.
○ Protection against key commitments.

View Slide

● Exploring layers in docker images
○ https://github.com/wagoodman/dive

View Slide

● Container introspection tool
○ https://github.com/genuinetools/amicontained

View Slide

● Docker bench security
○ https://github.com/docker/docker-bench-security

View Slide


View Slide

● Kubernetes Security
○ Preventing image manipulation and unauthorized
access
○ Deploying Pods without root permissions
○ Pod Security Policies
○ Secrets management

View Slide

● Pods Security
○ Never access a Pod directly from another Pod.
○ Never use :latest tag in the image in the
production scenario.

View Slide

● Namespaces
○ Group your services/pods traffic rules based on
specific namespace.
○ Handle specific Resource Allocations for a
Namespace.
○ If you have more than a dozen Microservices then it’s
time to bring in Namespaces.

View Slide

● Using official images
○ Use images provided by a vendor
○ Critical vulnerabilities are resolved automatically when
they are updated.

View Slide

● https://kubesec.io/

View Slide


View Slide

Dangerous pod configurations

View Slide

CPU and memory limits to prevent DoS

View Slide

runAsNonRoot flag in pod configuration

View Slide

Capabilities in pod configuration

View Slide

Kubebench-CIS Kubernetes Benchmark
https://github.com/aquasecurity/kube-bench
● Master Node Security Configuration
○ API Server
○ Scheduler
○ Controller Manager /Configuration Files
○ General Security Primitives
○ PodSecurityPolicices
● Worker Node Security Configuration
○ Kubelet
○ Configuration Files

View Slide

Kubebench-CIS Kubernetes Benchmark
https://github.com/aquasecurity/kube-bench

View Slide

Kubehunter

View Slide

Kubeaudit
https://github.com/Shopify/kubeaudit

View Slide

Pod Security Policies
https://kubernetes.io/docs/concepts/policy/pod-security-policy/

View Slide

Kube PSP advisor
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
"hostNetwork": [
{
"metadata": {
"name": "busy-rs",
"kind": "ReplicaSet"
},
"namespace": "psp-test",
"hostPID": true,
"hostNetwork": true,
"hostIPC": true,
"volumeTypes": [
"configMap"
]
},
{
"metadata": {
"name": "busy-pod",
"kind": "Pod"
},
"namespace": "psp-test",
"hostNetwork": true,
"volumeTypes": [
"hostPath",
"secret"
],
"mountedHostPath": [
"/usr/bin"
]

View Slide

Sysdig falco
https://sysdig.com/opensource/falco/

View Slide

Sysdig falco policies
○ A shell that runs inside a container with root
privileges.
○ A process that generates another process with
unexpected behavior.
○ Reading a confidential file, for example the
etc/shadow
○ A process that is using a file that is not a device type
in the /dev path, indicating a possible rootkit activity.

View Slide

Security best practices
● Do not run containers and pods as root.
● Disable capabilities and privileges
● One application per container, microservice
oriented approach.
● Use small images

View Slide

● Training and communication is the key to
success
● DevSecOps is not about only ools but the
correct tools are necessary.
● Follow “Least privilege principle”

View Slide

● https://opensource.com/article/18/8/tools-container-s
ecurity
● https://www.devsecops.org/
● https://github.com/devsecops/awesome-devsecops
● https://cloudowski.com/articles/how-to-increase-cont
ainer-security-with-proper-images/
● https://www.twistlock.com/container-security
● https://developer.okta.com/blog/2019/07/18/container
-security-a-developer-guide

View Slide

SecDevOps containers

SecDevOps containers

jmortegac

More Decks by jmortegac

Other Decks in Technology

Featured

Transcript