Practical steps for securing containers

Transcript

1. Copyright @ 2018 Aqua Security Software Ltd. All Rights Reserved.

   @lizrice | @aquasecteam Liz Rice (with credits to Justin Cormack at Docker) Practical steps for securing containers

2. 2 @lizrice | @aquasecteam Bad headlines

3. 3 @lizrice | @aquasecteam

4. 4 @lizrice | @aquasecteam

5. 5 @lizrice | @aquasecteam Observe Code Hosts Test Build Run

   Pipeline

6. 6 @lizrice | @aquasecteam Observe Hosts Build Run Test Code

   Code quality Security testing Security policies Minimal attack surface Least privilege Defence in depth Principles

7. Observe Code Hosts Test Build Run Code quality Security starts

   in development

8. 8 @lizrice | @aquasecteam

9. 9 @lizrice | @aquasecteam

10. 10 @lizrice | @aquasecteam

11. 11 @lizrice | @aquasecteam Static analysis Code review Code quality

12. Observe Code Hosts Test Build Run Security testing Catch problems

    early

13. 13 @lizrice | @aquasecteam “(83) In order to maintain security

    and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, . Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage. ” REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT such as encryption GDPR compliance

14. 14 @lizrice | @aquasecteam

15. 15 @lizrice | @aquasecteam

16. 16 @lizrice | @aquasecteam Automated testing is not just for

    functions Security testing

17. Observe Code Hosts Test Build Run Security policies Always be

    in compliance

18. 18 @lizrice | @aquasecteam 6.1 Ensure that all system components

    and software are protected from known vulnerabilities by having the latest vendor-supplied installed. Deploy critical patches within a month of release. 6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities. Risk rankings should be based on industry best practices and guidelines. Ranking vulnerabilities is a best practice that will become a requirement on July 1, 2012. Payment Card Industry Data Security Standard version 2.0 security patches Ranking vulnerabilities PCI compliance

19. 19 @lizrice | @aquasecteam

20. 20 @lizrice | @aquasecteam FROM wordpress:demo COPY microscanner /microscanner RUN

    chmod +x /microscanner ARG token RUN /microscanner --html ${token} > /ms-out.html docker build -f Dockerfile.wp --build-arg=token=$TOKEN . MicroScanner

21. 21 @lizrice | @aquasecteam MicroScanner

22. 22 @lizrice | @aquasecteam Scanning tools Image admission controls Security

    policies

23. Observe Code Hosts Test Build Run Host configuration Don’t make

    it easy for attackers

24. 24 @lizrice | @aquasecteam Files directly on host machine(s) Files

    in container images Host vulnerabilities

25. 25 @lizrice | @aquasecteam Host vulnerabilities

26. 26 @lizrice | @aquasecteam Host vulnerabilities

27. 27 @lizrice | @aquasecteam CIS Docker Benchmark CIS Kubernetes Benchmark

    Host configuration

28. 28 @lizrice | @aquasecteam

29. 29 @lizrice | @aquasecteam

30. Observe Code Hosts Test Build Run Least privilege Only give

    what you need

31. 31 @lizrice | @aquasecteam

32. 32 @lizrice | @aquasecteam

33. 33 @lizrice | @aquasecteam

34. 34 @lizrice | @aquasecteam Minimize bind mounts Set USER in

    Dockerfile Avoid --privileged Least privilege

35. Observe Code Hosts Test Build Run Runtime protection Spot unexpected

    behaviour

36. 36 @lizrice | @aquasecteam

37. 37 @lizrice | @aquasecteam

38. 38 @lizrice | @aquasecteam

39. 39 @lizrice | @aquasecteam Seccomp / AppArmor Commercial tools New

    runtimes Runtime protection

40. 40 @lizrice | @aquasecteam Runtime protection Static analysis Minimal container

    OS TLS checks Automated scanning Read-only, limit privileges Actions

41. 41 @lizrice | @aquasecteam Runtime protection Minimal container OS Automated

    scanning Read-only, limit privileges TLS checks Static analysis Code quality Security testing Security policies Minimal attack surface Least privilege Defence in depth Principles

42. 42 @lizrice | @aquasecteam

43. Copyright @ 2018 Aqua Security Software Ltd. All Rights Reserved.

    @lizrice | @aquasecteam github.com/aquasecurity/microscanner github.com/aquasecurity/kube-bench github.com/lizrice/no-meltdown