SecDevOps containers

In this talk I will speak about the main tips for integrating security into DevOps. I will share my knowledge and experience and help people learn to focus more on DevOps security. In addition to the so-called best practices, developing efficient, readable, scalable and secure code requires the right tools for secure development.

These could be the main talking points:
- How to integrate security into iterative, pipeline-based application development with containers.
- How to secure development environments.
- DevOps security best practices.

jmortegac

June 18, 2020
Transcript

  1. SecDevops Containers

  2. SecDevops Containers
    ● @jmortegac
    ● http://jmortega.github.io
    ● https://www.linkedin.com/in/jmortega1/

  3. SecDevops Containers
    https://bpbonline.com/products/devops-and-containers-security-
    security-and-monitoring-in-docker-containers

  4. ● Introduction
    ● Containers Security
    ● SecDevops tools
    ● DevOps security best practices
    SecDevops Containers

  5. SecDevops Containers

  6. SecDevops Containers

  7. SecDevops Containers
    ● Increased speed and agility for security teams.
    ● Increased or better collaboration and communication across teams.
    ● Increased opportunities for automated builds and quality assurance testing.
    ● Early identification of vulnerabilities in application code.

  8. ● 1. Containers are NOT virtual machines.
    ● 2. Containers are isolated areas in the OS kernel.
    ● 3. Kubernetes is a container orchestration platform.
    ● 4. Kubernetes abstracts the cloud vendor (AWS, Azure, GCP) scalability features.
    SecDevops Containers

  9. ● Build small container images
    ○ Use the Alpine image as your base Linux OS
    ○ Use distroless images
    ○ A smaller image size reduces the container's vulnerabilities.
    SecDevops Containers

  10. ● Distroless Images
    ○ https://github.com/GoogleCloudPlatform/distroless
    SecDevops Containers

  11. ● Container immutability
    ○ Container images follow a Unix philosophy
    ○ Container images should be immutable
    ○ RUN rm /usr/bin/apt-* /usr/bin/dpkg*
    SecDevops Containers

  12. ● Avoid the root user
    ○ Create a user account
    ○ Install runtime software under that user account.
    ○ Run the app under the user account
    ○ Add a security module such as SELinux or AppArmor to increase the security
    SecDevops Containers

  13. ● Container Security
    ○ Secure your host OS: containers run on the host kernel.
    ○ No runtime software downloads inside the container.
    ○ Declare the software requirements at build time.
    ○ Download Docker base images from an authentic source.
    ○ Limit resource utilization using container orchestrators like Kubernetes.
    ○ Don't run anything in privileged mode.
    SecDevops Containers

  14. ● Docker Hub
    ○ Do you have your own container registry?
    ○ Do you check your Dockerfiles?
    ○ Do your pipelines have permissions and access to publish to Docker Hub?
    ○ Do you inspect your Dockerfiles?
    ○ Do you have Docker builds correctly configured?
    ○ Do you control where layers are built?
    SecDevops Containers
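    A pipeline gate that answers "Do you check your Dockerfiles?" for the practices on slides 11-13 (pinned base image, package manager removed for immutability, non-root USER). This is an added example, not code from the talk; both Dockerfiles are constructed samples and the rules are a minimal illustration, not a full linter.

```python
import re
# Constructed sample Dockerfile (not from the slides) that breaks several of the rules.
BAD_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y python3
COPY app.py /app/app.py
CMD ["python3", "/app/app.py"]
"""
# Constructed hardened version: pinned base image, package manager removed, non-root USER.
GOOD_DOCKERFILE = """\
FROM python:3.8-slim
RUN groupadd -r app && useradd -r -g app app
COPY app.py /app/app.py
RUN rm -f /usr/bin/apt-* /usr/bin/dpkg*
USER app
CMD ["python3", "/app/app.py"]
"""

def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash-continued lines."""
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")

def check_dockerfile(text):
    """Return findings: unpinned base image, package manager left in image, root USER."""
    findings = []
    user, pkg_installed, pkg_removed = None, False, False
    for ins, arg in parse_instructions(text):
        if ins == "FROM":
            image = arg.split()[0]                 # drop any "AS builder"
            name = image.rsplit("/", 1)[-1]        # strip registry/namespace prefix
            if image.endswith(":latest") or (":" not in name and "@" not in name):
                findings.append("base image not pinned: %s" % image)
        elif ins == "USER":
            user = arg.strip()
        elif ins == "RUN":
            if re.search(r"\b(apt-get|apt|apk|yum|dnf)\s+(install|add)\b", arg):
                pkg_installed = True
            if re.search(r"\brm\b.*(apt|dpkg)", arg):
                pkg_removed = True
    if user is None or user.split(":")[0] in ("root", "0"):
        findings.append("container runs as root (missing or root USER)")
    if pkg_installed and not pkg_removed:
        findings.append("package manager left in the image (immutability)")
    return findings
```

    A non-empty result from check_dockerfile() is what the pipeline would use to fail the build before the image is published.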

  15. ● Docker Content Trust
    ○ https://docs.docker.com/engine/security/trust/content_trust/
    ○ export DOCKER_CONTENT_TRUST=1
    ○ Protection against malicious code in images.
    ○ Protection against replay attacks.
    ○ Protection against key compromise.
    SecDevops Containers

  16. ● Exploring layers in docker images
    ○ https://github.com/wagoodman/dive
    SecDevops Containers

  17. ● Container introspection tool
    ○ https://github.com/genuinetools/amicontained
    SecDevops Containers

  18. ● Docker bench security
    ○ https://github.com/docker/docker-bench-security
    SecDevops Containers

  19. SecDevops Containers

  20. SecDevops Containers

  21. SecDevops Containers

  22. SecDevops Containers

  23. ● Kubernetes Security
    ○ Preventing image manipulation and unauthorized access
    ○ Deploying Pods without root permissions
    ○ Pod Security Policies
    ○ Secrets management
    SecDevops Containers

  24. ● Pod Security
    ○ Never access a Pod directly from another Pod.
    ○ Never use the :latest image tag in a production scenario.
    SecDevops Containers

  25. ● Namespaces
    ○ Group your services/pods and their traffic rules by namespace.
    ○ Handle specific resource allocations for a namespace.
    ○ If you have more than a dozen microservices, it's time to bring in namespaces.
    SecDevops Containers

  26. ● Using official images
    ○ Use images provided by a vendor
    ○ Critical vulnerabilities are resolved automatically when the images are updated.
    SecDevops Containers

  27. ● https://kubesec.io/
    SecDevops Containers

  28. SecDevops Containers

  29. SecDevops Containers
    Dangerous pod configurations

  30. SecDevops Containers
    CPU and memory limits to prevent DoS

  31. SecDevops Containers
    runAsNonRoot flag in pod configuration

  32. SecDevops Containers
    Capabilities in pod configuration

  33. SecDevops Containers
    kube-bench: CIS Kubernetes Benchmark
    https://github.com/aquasecurity/kube-bench
    ● Master Node Security Configuration
    ○ API Server
    ○ Scheduler
    ○ Controller Manager / Configuration Files
    ○ General Security Primitives
    ○ PodSecurityPolicies
    ● Worker Node Security Configuration
    ○ Kubelet
    ○ Configuration Files

  34. SecDevops Containers
    kube-bench: CIS Kubernetes Benchmark
    https://github.com/aquasecurity/kube-bench

  35. SecDevops Containers
    Kubehunter

  36. SecDevops Containers
    Kubeaudit
    https://github.com/Shopify/kubeaudit

  37. SecDevops Containers
    Pod Security Policies
    https://kubernetes.io/docs/concepts/policy/pod-security-policy/

  38. SecDevops Containers
    Kube PSP advisor
    https://kubernetes.io/docs/concepts/policy/pod-security-policy/
    "hostNetwork": [
      {
        "metadata": {
          "name": "busy-rs",
          "kind": "ReplicaSet"
        },
        "namespace": "psp-test",
        "hostPID": true,
        "hostNetwork": true,
        "hostIPC": true,
        "volumeTypes": [
          "configMap"
        ]
      },
      {
        "metadata": {
          "name": "busy-pod",
          "kind": "Pod"
        },
        "namespace": "psp-test",
        "hostNetwork": true,
        "volumeTypes": [
          "hostPath",
          "secret"
        ],
        "mountedHostPath": [
          "/usr/bin"
        ]
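    The dangerous pod settings from slides 29-32 (missing CPU/memory limits, runAsNonRoot, added capabilities) and the host-namespace and hostPath findings the PSP advisor report above surfaces, checked from a manifest in one audit function. Added example, not the talk's or kube-psp-advisor's code; the two workload specs are constructed dicts in the shape yaml.safe_load returns, and the audit also descends into a Deployment/ReplicaSet pod template.

```python
# Constructed workload specs (plain dicts, as yaml.safe_load would return them); not from the slides.
DANGEROUS_POD = {
    "kind": "Pod", "metadata": {"name": "busy-pod", "namespace": "psp-test"},
    "spec": {"hostNetwork": True, "hostPID": True,
             "volumes": [{"name": "bin", "hostPath": {"path": "/usr/bin"}}],
             "containers": [{"name": "busy", "image": "busybox:latest",
                             "securityContext": {"privileged": True,
                                                 "capabilities": {"add": ["SYS_ADMIN"]}}}]},
}
HARDENED_POD = {
    "kind": "Pod", "metadata": {"name": "busy-pod", "namespace": "psp-test"},
    "spec": {"securityContext": {"runAsNonRoot": True},
             "containers": [{"name": "busy", "image": "busybox:1.31",
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "capabilities": {"drop": ["ALL"]}},
                             "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}}]},
}

def audit_workload(obj):
    """Return findings for the dangerous settings on slides 29-32 and 38."""
    spec = obj.get("spec", {})
    if "template" in spec:                      # Deployment / ReplicaSet: audit the pod template
        spec = spec["template"].get("spec", {})
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append("%s enabled" % flag)
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append("hostPath volume '%s' mounts %s" % (vol["name"], vol["hostPath"].get("path")))
    pod_nonroot = spec.get("securityContext", {}).get("runAsNonRoot", False)
    for c in spec.get("containers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        if image.endswith(":latest") or (":" not in image.rsplit("/", 1)[-1] and "@" not in image):
            findings.append("%s: image tag not pinned (%s)" % (name, image))
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append("%s: privileged" % name)
        if not sc.get("runAsNonRoot", pod_nonroot):   # container setting overrides pod setting
            findings.append("%s: runAsNonRoot not set" % name)
        if sc.get("capabilities", {}).get("add"):
            findings.append("%s: adds capabilities %s" % (name, sc["capabilities"]["add"]))
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append("%s: no %s limit (DoS risk)" % (name, res))
    return findings
```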

  39. SecDevops Containers
    Sysdig falco
    https://sysdig.com/opensource/falco/

  40. SecDevops Containers
    Sysdig Falco policies
    ○ A shell that runs inside a container with root privileges.
    ○ A process that spawns another process with unexpected behavior.
    ○ Reading a confidential file, for example /etc/shadow.
    ○ A process that is using a file that is not a device type in the /dev path, indicating possible rootkit activity.

  41. SecDevops Containers
    Security best practices
    ● Do not run containers and pods as root.
    ● Disable capabilities and privileges.
    ● One application per container, microservice-oriented approach.
    ● Use small images.

  42. ● Training and communication are the key to success.
    ● DevSecOps is not only about tools, but the correct tools are necessary.
    ● Follow the "least privilege principle".
    SecDevops Containers

  43. ● https://opensource.com/article/18/8/tools-container-security
    ● https://www.devsecops.org/
    ● https://github.com/devsecops/awesome-devsecops
    ● https://cloudowski.com/articles/how-to-increase-container-security-with-proper-images/
    ● https://www.twistlock.com/container-security
    ● https://developer.okta.com/blog/2019/07/18/container-security-a-developer-guide
    SecDevops Containers
