Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Practical steps for securing containers

Liz Rice
August 06, 2018

Practical steps for securing containers

As seen at Docker Dublin and Cloud Native Tel Aviv - this is a "solo" version of the presentation that Justin Cormack and I gave at DockerCon 2018.

Links:
- GitHub repo for demos: github.com/lizrice/no-meltdown
- Microscanner for vulnerability scanning: github.com/aquasecurity/microscanner
- Kube-bench for checking Kubernetes config: github.com/aquasecurity/kube-bench

Liz Rice

August 06, 2018
Tweet

More Decks by Liz Rice

Other Decks in Technology

Transcript

  1. Copyright @ 2018 Aqua Security Software Ltd. All Rights Reserved.

    @lizrice | @aquasecteam Liz Rice (with credits to Justin Cormack at Docker) Practical steps for securing containers
  2. 6 @lizrice | @aquasecteam Observe Hosts Build Run Test Code

    Code quality Security testing Security policies Minimal attack surface Least privilege Defence in depth Principles
  3. 13 @lizrice | @aquasecteam “(83) In order to maintain security

    and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, . Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage. ” REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT such as encryption GDPR compliance
  4. 18 @lizrice | @aquasecteam 6.1 Ensure that all system components

    and software are protected from known vulnerabilities by having the latest vendor-supplied installed. Deploy critical patches within a month of release. 6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities. Risk rankings should be based on industry best practices and guidelines. Ranking vulnerabilities is a best practice that will become a requirement on July 1, 2012. Payment Card Industry Data Security Standard version 2.0 security patches Ranking vulnerabilities PCI compliance
  5. 20 @lizrice | @aquasecteam FROM wordpress:demo COPY microscanner /microscanner RUN

    chmod +x /microscanner ARG token RUN /microscanner --html ${token} > /ms-out.html docker build -f Dockerfile.wp --build-arg=token=$TOKEN . MicroScanner
  6. 34 @lizrice | @aquasecteam Minimize bind mounts Set USER in

    Dockerfile Avoid --privileged Least privilege
  7. 40 @lizrice | @aquasecteam Runtime protection Static analysis Minimal container

    OS TLS checks Automated scanning Read-only, limit privileges Actions
  8. 41 @lizrice | @aquasecteam Runtime protection Minimal container OS Automated

    scanning Read-only, limit privileges TLS checks Static analysis Code quality Security testing Security policies Minimal attack surface Least privilege Defence in depth Principles
  9. Copyright @ 2018 Aqua Security Software Ltd. All Rights Reserved.

    @lizrice | @aquasecteam github.com/aquasecurity/microscanner github.com/aquasecurity/kube-bench github.com/lizrice/no-meltdown