
Security Opensource Tools in Cloud Native

Carol
September 25, 2020


Overview of cloud native applications and container features. Understand potential exposures and vulnerabilities in containers, and introduce best practices for building containers. Finally, show open source tools that help with the security approach (DevSecOps) and detect misconfigurations according to the CIS Benchmark.



Transcript

  1. @krol_valencia Open Source Cloud Computing for Applications. We curate & promote a trusted tool kit for modern architectures. Non-profit, part of the Linux Foundation.
  2. Best Practice Design: Container Build. Small container images (Alpine, Bazel, Distroless, DockerSlim, UPX, NixOS distribution) → fewer vulnerabilities. Build one process, one service. Container immutability.
  3. Hardening Containers. Public images? Run as root? → Private base image; create limited users.
  4. Hardening Containers. Privileged capabilities? → Grant only the specific capabilities it needs. Drop kernel modules, system time, trace processes (CAP_SYS_MODULE, CAP_SYS_TIME, CAP_SYS_PTRACE). Source: The Container Security Checklist - Liz Rice
  5. Hardening Host. Unsecured, unhardened host OS → Best practices: Center for Internet Security (CIS) Benchmark for the distribution.
  6. Container Runtimes. Mount docker.sock or sensitive host directories → Docker Bench for Security; Center for Internet Security (CIS) Benchmark for Docker.
  7. Secrets. Secrets encrypted at rest and in transit; dynamic secrets. Source: https://www.hashicorp.com/blog/why-we-need-dynamic-secrets/ Secrets in the source code; Secrets in Kubernetes: base64; etcd not encrypted.
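The slides on running as root, granting only needed capabilities, container immutability and mounting docker.sock read naturally as a checklist; the following is an added example (not code from the deck or from any of the tools it names) that runs that checklist over a Kubernetes Pod manifest represented as a plain dict. The two manifests at the bottom are constructed for illustration: one with the weak settings the slides warn about, one with the hardened equivalents. The function names, the list of sensitive host directories and the finding wording are my own assumptions.

```python
"""Audit a Kubernetes Pod spec for the container hardening points in the deck.

Added illustration, not code from the deck. For each container it reports:
  - may run as root (no runAsNonRoot / runAsUser 0)
  - privileged: true
  - writable root filesystem (immutability slide)
  - CAP_SYS_MODULE, CAP_SYS_TIME, CAP_SYS_PTRACE not dropped, or added back
  - hostPath mounts of docker.sock or sensitive host directories
The manifest is passed as a dict shaped like the YAML (no PyYAML needed).
"""
from typing import Dict, List

# Capabilities the deck says to drop unless a container explicitly needs them.
RISKY_CAPS = {"SYS_MODULE", "SYS_TIME", "SYS_PTRACE"}
# Host directories assumed sensitive for this example (hypothetical list).
SENSITIVE_HOST_DIRS = ("/", "/etc", "/proc", "/sys", "/root", "/var/lib/docker")


def _norm_cap(cap: str) -> str:
    """Kubernetes lists capabilities without the CAP_ prefix; accept both forms."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _sensitive_host_path(path: str) -> bool:
    """True for the Docker socket or anything under a sensitive host directory."""
    if path.endswith("docker.sock"):
        return True
    return any(path == d or (d != "/" and path.startswith(d + "/"))
               for d in SENSITIVE_HOST_DIRS)


def audit_pod(pod: Dict) -> List[str]:
    """Return a list of human-readable findings; empty means the checks passed."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    # Map volume name -> host path for every hostPath volume in the pod.
    host_paths = {v["name"]: v["hostPath"].get("path", "")
                  for v in spec.get("volumes", []) if "hostPath" in v}

    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Container-level settings override pod-level ones.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and (uid is None or uid == 0):
            findings.append(f"{name}: may run as root (set runAsNonRoot: true or a non-zero runAsUser)")
        if sc.get("privileged", False):
            findings.append(f"{name}: privileged container (remove privileged: true)")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: writable root filesystem (set readOnlyRootFilesystem: true)")

        caps = sc.get("capabilities", {}) or {}
        dropped = {_norm_cap(x) for x in caps.get("drop", [])}
        added = {_norm_cap(x) for x in caps.get("add", [])}
        if "ALL" not in dropped:
            for cap in sorted(RISKY_CAPS - dropped):
                findings.append(f"{name}: CAP_{cap} not dropped")
        for cap in sorted(added & RISKY_CAPS):
            findings.append(f"{name}: CAP_{cap} explicitly added back")

        for m in c.get("volumeMounts", []):
            path = host_paths.get(m.get("name"))
            if path is not None and _sensitive_host_path(path):
                findings.append(f"{name}: hostPath mount of sensitive path {path}")
    return findings


# Constructed sample manifests (not real workloads).
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "weak"},
    "spec": {
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "web", "image": "public-registry/web:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web", "image": "registry.internal/web:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["ok"])
```

Run it as a script to see seven findings for the weak manifest and none for the hardened one; the same function can be called from a CI step over manifests loaded with any YAML parser.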