Securing your code when you don't even know where it's running

Transcript

1. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

   Securing your code when you don’t even know where it is Liz Rice @LizRice | @AquaSecTeam

2. 2 @LizRice | @AquaSecTeam

3. 3 @LizRice | @AquaSecTeam

4. 4 @LizRice | @AquaSecTeam Traditional process Create software Deploy Patch

   Provision servers There’s a vulnerability!

5. 5 @LizRice | @AquaSecTeam Server drift time state

6. 6 @LizRice | @AquaSecTeam DevOps happened! ▪ Infrastructure as code

   ▪ Containers ▪ CI / CD ▪ GitOps

7. 7 @LizRice | @AquaSecTeam What is Cloud Native? Containers ◼

   Orchestration ◼ Microservices

8. 8 @lizrice Cattle not pets

9. 9 @LizRice | @AquaSecTeam Pipeline process builds “cattle” Create software

   Build images Deploy

10. 10 @LizRice | @AquaSecTeam Security is a concern when deploying

    containers 88% agree Sonatype 2017 DevSecOps Survey

11. 11 @LizRice | @AquaSecTeam Hundreds of microservices Thousands of containers

    Average container life ~ 2.5 days

12. 12 @LizRice | @AquaSecTeam /bin /lib /usr /opt /var /bin

    /lib /usr /var /bin /opt /usr /var Dependencies in every container

13. 13 @LizRice | @AquaSecTeam Applying patches to containers?

14. 14 @LizRice | @AquaSecTeam

15. 15 @LizRice | @AquaSecTeam Pipeline process Create software Build images

    Deploy Immutable Never modify Always move in this direction

16. 16 @LizRice | @AquaSecTeam Scan for vulnerabilities Create software Build

    images Deploy

17. 17 @LizRice | @AquaSecTeam Image policies Create software Build images

    Deploy ✓ ✓

18. 18 @LizRice | @AquaSecTeam Hundreds of microservices Thousands of containers

    All containers running from approved images

19. 19 @LizRice | @AquaSecTeam What about the hosts?

20. 20 @LizRice | @AquaSecTeam Hosts Host OS Automated testing Recycling

    Intrusion detection

21. 21 @LizRice | @AquaSecTeam Wait, there’s more!

22. Reducing images

23. 23 @LizRice | @AquaSecTeam Reducing image size ▪ Few tools

    needed in containers ▪ Smaller attack surface FROM scratch EXPOSE 8080 COPY hello / COPY templates templates CMD ["/hello"]

24. 24 @LizRice | @AquaSecTeam Microservice network segmentation ▪ Restrict communication

    between microservices ▪ Encrypted connections

25. 25 @LizRice | @AquaSecTeam Runtime protection ▪ Restrict container activity

    ▪ Prevent anomalous / suspicious behaviour

26. Shellshock demo

27. Cloud Native Security Advantages

28. 28 @LizRice | @AquaSecTeam Container security advantages ▪ Decomposition of

    the problem ▪ Additional layers of defence ▪ Continuous deployment ▪ Shorter attack window ▪ Community best practices ▪ Dedicated container security tools

29. 29 @LizRice | @AquaSecTeam Room for improvement in container security

    80% agree Aqua Security 2017 Survey

30. 30 @LizRice | @AquaSecTeam “Containers … require a more collaborative

    approach by security and DevOps teams.”

31. 31 @LizRice | @AquaSecTeam “Organizations would do well to embed

    security early into the process”

32. 32 @LizRice | @AquaSecTeam Continuous integration Continuous deployment Continuous security

33. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

    Container security in the Enterprise: aquasec.com/survey Kubernetes CIS tests: github.com/aquasecurity/kube-bench @LizRice | @AquaSecTeam