
Securing your code when you don't even know where it's running

Liz Rice
March 22, 2018


Being Cloud Native - using containers, microservices & orchestration - gives you opportunities to improve your deployment security. Leverage automation for continuous security.


Transcript

  1. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved. Securing your code when you don’t even know where it is. Liz Rice, @LizRice | @AquaSecTeam
  2.
  3.
  4. Traditional process: Create software, Deploy, Patch, Provision servers. There’s a vulnerability!
  5. Server drift (chart: state over time)

  6. DevOps happened!
     ▪ Infrastructure as code
     ▪ Containers
     ▪ CI / CD
     ▪ GitOps
  7. What is Cloud Native? Containers ◼ Orchestration ◼ Microservices
  8. Cattle not pets

  9. Pipeline process builds “cattle”: Create software, Build images, Deploy
  10. Security is a concern when deploying containers: 88% agree (Sonatype 2017 DevSecOps Survey)
  11. Hundreds of microservices, thousands of containers. Average container life ~ 2.5 days
  12. Dependencies in every container (each container carries its own /bin /lib /usr /opt /var)
  13. Applying patches to containers?

  14.
  15. Pipeline process: Create software, Build images, Deploy. Immutable: never modify, always move in this direction
  16. Scan for vulnerabilities: Create software, Build images, Deploy
  17. Image policies: Create software, Build images, Deploy ✓ ✓
  18. Hundreds of microservices, thousands of containers. All containers running from approved images
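An added example of the image-policy gate that slides 16 to 18 describe (this is not code from the talk or from Aqua's products): the pipeline scans each built image, evaluates the findings against a policy, and lets only digest-pinned images from an approved registry and approved list through to deployment. The scanner report format, the policy keys, the registry name and the placeholder vulnerability ids are all constructed for this example.

```python
"""Added example, not code from the talk or from Aqua's products: a CI/CD
gate that decides whether a freshly built image may proceed to deployment.

It applies the image policy from the talk: the image must have been scanned,
must be pinned by digest (immutable), must come from an approved registry,
must be on the approved list, and must carry no findings above the policy's
severity ceiling. The scanner report format, policy keys, registry name and
vulnerability ids are all constructed for the example."""
import json
import re

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# registry/name@sha256:<64 hex>; a mutable tag such as ':latest' does not match.
DIGEST_REF = re.compile(r"^(?P<registry>[^/]+)/(?P<name>[^@:]+)@sha256:[0-9a-f]{64}$")

# Constructed policy (hypothetical keys, not a real tool's configuration).
POLICY = {
    "approved_registries": {"registry.example.internal"},
    "max_severity": "MEDIUM",             # findings above this block deployment
    "block_only_if_fix_available": True,  # unfixable findings do not block a build
}

# Constructed scan report in a hypothetical scanner output format.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.internal/payments@sha256:" + "a" * 64,
    "vulnerabilities": [
        {"id": "VULN-PLACEHOLDER-1", "severity": "HIGH", "fixed_version": "1.2.4"},
        {"id": "VULN-PLACEHOLDER-2", "severity": "CRITICAL", "fixed_version": None},
        {"id": "VULN-PLACEHOLDER-3", "severity": "LOW", "fixed_version": "0.9"},
    ],
})


def parse_report(raw):
    """Parse the scanner's JSON output."""
    return json.loads(raw)


def blocking_findings(report, policy):
    """Findings whose severity exceeds the policy ceiling (and, if the policy
    says so, only those that a rebuild with the fixed version could remove)."""
    ceiling = SEVERITY_RANK[policy["max_severity"].upper()]
    blocking = []
    for finding in report.get("vulnerabilities", []):
        if SEVERITY_RANK.get(finding["severity"].upper(), 0) <= ceiling:
            continue
        if policy["block_only_if_fix_available"] and not finding.get("fixed_version"):
            continue
        blocking.append(finding)
    return blocking


def evaluate_image(report, policy, approved_digests):
    """Return (allowed, reasons). allowed is True only when reasons is empty."""
    reasons = []
    ref = report.get("image", "")
    match = DIGEST_REF.match(ref)
    if match is None:
        reasons.append("image reference must be pinned by sha256 digest, got %r" % ref)
    elif match.group("registry") not in policy["approved_registries"]:
        reasons.append("registry %s is not approved" % match.group("registry"))
    if ref not in approved_digests:
        reasons.append("image digest is not on the approved list")
    for finding in blocking_findings(report, policy):
        reasons.append("%s (%s) exceeds the policy ceiling; fixed version: %s"
                       % (finding["id"], finding["severity"],
                          finding.get("fixed_version") or "none"))
    return (not reasons, reasons)


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    allowed, reasons = evaluate_image(report, POLICY, {report["image"]})
    print("DEPLOY" if allowed else "BLOCK")
    for reason in reasons:
        print(" -", reason)
```

On the constructed report the gate blocks: the HIGH finding has a fix available, so the image must be rebuilt, while the CRITICAL finding without a fix is reported but, under this policy, does not block. In a real pipeline the approved list would be the set of digests that passed this gate, recorded where the orchestrator can check it at admission time, which is what makes "all containers running from approved images" (slide 18) enforceable rather than aspirational.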
  19. What about the hosts?
  20. Hosts: Host OS, Automated testing, Recycling, Intrusion detection
  21. Wait, there’s more!

  22. Reducing images

  23. Reducing image size
     ▪ Few tools needed in containers
     ▪ Smaller attack surface

     Dockerfile:
     FROM scratch
     EXPOSE 8080
     COPY hello /
     COPY templates templates
     CMD ["/hello"]
  24. Microservice network segmentation
     ▪ Restrict communication between microservices
     ▪ Encrypted connections
  25. Runtime protection
     ▪ Restrict container activity
     ▪ Prevent anomalous / suspicious behaviour
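Slides 24 and 25 describe two allowlist controls: which services a microservice may talk to, and what a container may execute, with anything outside the allowlist flagged. As an added example (not the talk's code and not any product's), the following Python learns a per-service profile from a trusted baseline run and then audits a stream of runtime events against it. The event format, service names, profiles and events are all constructed for the example.

```python
"""Added example, not code from the talk or any product: audit container
runtime events against a per-service allowlist profile.

Two controls from the talk are combined here. Network segmentation: each
service may only open connections to services on its egress allowlist.
Runtime restriction: each service may only execute binaries on its exec
allowlist. Anything else is reported as a deviation. All service names,
profiles and events below are constructed for the example."""


def parse_event(line):
    """Parse one constructed event line: '<kind> <service> <detail>'.

    kind is 'exec' (detail = executable path) or 'net' (detail = destination
    service). This line format is invented for the example."""
    kind, service, detail = line.split(maxsplit=2)
    return {"kind": kind, "service": service, "detail": detail}


def build_profiles(raw_events):
    """Learn allowlist profiles from a trusted baseline run, for example the
    integration tests executed in CI against the image being approved."""
    profiles = {}
    for line in raw_events.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        profile = profiles.setdefault(ev["service"], {"exec": set(), "egress": set()})
        profile["exec" if ev["kind"] == "exec" else "egress"].add(ev["detail"])
    return profiles


def check_event(event, profiles):
    """Return None if the event matches the service's profile, else a reason."""
    profile = profiles.get(event["service"])
    if profile is None:
        return "no profile for service %s; it should not be running" % event["service"]
    if event["kind"] == "exec":
        if event["detail"] in profile["exec"]:
            return None
        return "%s executed %s, not in its exec allowlist" % (event["service"], event["detail"])
    if event["kind"] == "net":
        if event["detail"] in profile["egress"]:
            return None
        return "%s connected to %s, not in its egress allowlist" % (event["service"], event["detail"])
    return "%s produced unknown event kind %s" % (event["service"], event["kind"])


def audit(raw_events, profiles):
    """Run every event through check_event; return the list of deviations."""
    alerts = []
    for line in raw_events.splitlines():
        if not line.strip():
            continue
        reason = check_event(parse_event(line), profiles)
        if reason:
            alerts.append(reason)
    return alerts


# Constructed baseline: what each service did during a trusted test run.
BASELINE_EVENTS = """\
exec web /hello
net web api
exec api /api
exec api /bin/sh
net api db
exec db /usr/bin/postgres
"""

# Constructed production events; four of them deviate from the baseline.
SAMPLE_EVENTS = """\
exec web /hello
net web api
exec web /bin/bash
net web db
exec api /bin/sh
net api db
net db api
exec ghost /bin/sh
"""

if __name__ == "__main__":
    learned = build_profiles(BASELINE_EVENTS)
    for alert in audit(SAMPLE_EVENTS, learned):
        print("ALERT:", alert)
```

The baseline is learned from a run you trust, so it belongs in the same pipeline stage that approves the image; the profile then travels with the image digest, and a container that starts running things its profile never saw (a shell in an image built FROM scratch, a database opening outbound connections) is the "anomalous / suspicious behaviour" of slide 25. Whether the deviation is blocked or only alerted on is a deployment decision; this example only reports it.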
  26. Shellshock demo

  27. Cloud Native Security Advantages

  28. Container security advantages
     ▪ Decomposition of the problem
     ▪ Additional layers of defence
     ▪ Continuous deployment
     ▪ Shorter attack window
     ▪ Community best practices
     ▪ Dedicated container security tools
  29. Room for improvement in container security: 80% agree (Aqua Security 2017 Survey)
  30. “Containers … require a more collaborative approach by security and DevOps teams.”
  31. “Organizations would do well to embed security early into the process”
  32. Continuous integration, Continuous deployment, Continuous security
  33. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved. Container security in the Enterprise: aquasec.com/survey. Kubernetes CIS tests: github.com/aquasecurity/kube-bench. @LizRice | @AquaSecTeam