Security Opensource Tools in Cloud Native

Transcript

1. Seguridad en Aplicaciones Cloud Native

2. @krol_valencia Carol Valencia Solution Architect in Aqua Security Twitter: @krol_valencia

   2

3. Agenda Cloud Native Applications Best practices to Build Containers Securing

   workloads with Open Source Tools 3

4. 1. Cloud Native Application

5. “ @krol_valencia Open Source Cloud Computing for Applications We curate

   & promote a trusted tool kit for modern architectures. Non-profit, part of the Linux Foundation 5

6. @krol_valencia 6 Source: https://landscape.cncf.io/images/landscape.png

7. @krol_valencia 7 Source https://tanzu.vmware.com/cloud-native

8. @krol_valencia Vulnerabilities and Exposures 8

9. 2. Container Security

10. Evolution difference Container 10 Developer Culture is Bypassing Security -

    Steve Giguere

11. @krol_valencia Best Practice Design Container Build Small container images: Alpine,

    Bazel, Distroless, DockerSlim, UPX, NixOS distribution à Less vulnerabilities Build one process one service Container immutability 11

12. @krol_valencia Immutability 12 Source: The Container Security Checklist - Liz

    Rice

13. @krol_valencia Hardening Containers Public images ? Run as root ?

    Private, Base image Create users limited 13

14. @krol_valencia Hardening Containers Privileged capabilities ? Grant the specific capabilities

    that it needs Drop kernel modules, system time, trace processes (CAP_SYS_MODULE, CAP_SYS_TIME, CAP_SYS_PTRACE ). 14 Source: The Container Security Checklist - Liz Rice

15. @krol_valencia Hardening Containers Security Profile • SELinux • AppArmor •

    Seccomp-bpf 15

16. 3. Securing workloads with Open Source Tools

17. Hardening Host Unsecured, unhardened host OS Best practices Center for

    Internet Security (CIS) Benchmark for Distribution 17

18. Container Runtimes Mount docker.sock or sensitive host directories Docker bench

    security Center for Internet Security (CIS) Benchmark for Docker 18

19. Secrets Secrets encrypted at rest and in transit Dynamic secrets

    19 Source: https://www.hashicorp.com/blog/why-we-need-dynamic-secrets/ Secrets in the Source code Secrets Kubernetes: base64 Etcd not encrypted

20. @krol_valencia Cloud Native Software Supply Chain 20 KubeSec Enterprise Online:

    Beyond Vulnerability Scanning - Amir Jerbi

21. @krol_valencia Vulnerability Scanner 21 KubeSec Enterprise Online: Beyond Vulnerability Scanning

    - Amir Jerbi

22. Vulnerability Scanner 22

23. Hardening Orchestrator 23

24. Hardening Orchestrator 24

25. @krol_valencia CSPM – Cloud Secure Posture Management 25 https://github.com/aquasecurity/cloudsploit

26. 26

27. @krol_valencia 27 Carol Valencia linkedin.com/in/carolgv github: krol3 [email protected] Gracias!