Slide 1

Security in Cloud Native Applications

Slide 2

Carol Valencia, Solution Architect at Aqua Security. Twitter: @krol_valencia

Slide 3

Agenda
● Cloud Native Applications
● Best practices to build containers
● Securing workloads with open source tools

Slide 4

1. Cloud Native Application

Slide 5

Quoted tagline: "Open Source Cloud Computing for Applications. We curate & promote a trusted tool kit for modern architectures." Non-profit, part of the Linux Foundation.

Slide 6

Figure: landscape image. Source: https://landscape.cncf.io/images/landscape.png

Slide 7

Figure. Source: https://tanzu.vmware.com/cloud-native

Slide 8

Vulnerabilities and Exposures

Slide 9

2. Container Security

Slide 10

Evolution, difference: Container. Source: Developer Culture is Bypassing Security - Steve Giguere

Slide 11

Best practice: design the container build
● Small container images: Alpine, Bazel, Distroless, DockerSlim, UPX, NixOS distribution → fewer vulnerabilities
● Build one process, one service per container
● Container immutability

Slide 12

Immutability. Source: The Container Security Checklist - Liz Rice

Slide 13

Hardening containers
● Public images? Use a private, trusted base image
● Run as root? Create limited users

Slide 14

Hardening containers
● Privileged capabilities? Grant only the specific capabilities the container needs. Drop kernel modules, system time, trace processes (CAP_SYS_MODULE, CAP_SYS_TIME, CAP_SYS_PTRACE).
Source: The Container Security Checklist - Liz Rice

Slide 15

Hardening containers: security profile
● SELinux
● AppArmor
● Seccomp-bpf
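The hardening points on slides 11 to 15 (immutability, no root user, no privileged mode, drop capabilities and add back only what is needed, apply a security profile) map directly onto fields of a Kubernetes container securityContext. The following is an added example, not code from the talk: a small static checker that flags those gaps in a Pod manifest loaded as a dict (for instance with yaml.safe_load), shown against a weak Pod and the same Pod hardened. The Pod manifests, image names and UID are constructed for the example; only the standard library is used.

```python
"""Added example for slides 11-15 (not code from the talk): static checks that
flag the container-hardening gaps those slides list, run against a Kubernetes
Pod manifest that has already been loaded as a dict (for instance with
yaml.safe_load). Standard library only; the sample Pods are constructed."""

# Capabilities the slide names as ones to drop; extend as needed.
DANGEROUS_CAPS = {"SYS_MODULE", "SYS_TIME", "SYS_PTRACE"}


def _norm(cap: str) -> str:
    """Manifests may write 'CAP_SYS_TIME' or 'sys_time'; compare as 'SYS_TIME'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def check_container(container: dict, pod_sc: dict) -> list:
    """Findings for one container. pod_sc is the pod-level securityContext,
    whose runAsUser/runAsNonRoot/seccompProfile apply unless overridden."""
    sc = container.get("securityContext") or {}
    merged = {**pod_sc, **sc}  # container-level values win
    findings = []

    # Slide 13: do not run as root. With nothing set, the image's default user
    # applies, and for most public base images that is root.
    if merged.get("runAsUser") == 0:
        findings.append("runs as root (runAsUser: 0)")
    elif not merged.get("runAsNonRoot") and "runAsUser" not in merged:
        findings.append("user not set; image default (usually root) applies")

    # Slide 14: privileged mode hands over every capability at once; otherwise
    # drop everything and add back only what the process needs.
    if sc.get("privileged"):
        findings.append("privileged: true")
    caps = sc.get("capabilities") or {}
    dropped = {_norm(c) for c in caps.get("drop", [])}
    added = {_norm(c) for c in caps.get("add", [])}
    if "ALL" not in dropped:
        findings.append("capabilities not dropped (drop: [ALL] missing)")
    for cap in sorted(added & DANGEROUS_CAPS):
        findings.append(f"adds {cap}")
    if sc.get("allowPrivilegeEscalation", True):
        findings.append("allowPrivilegeEscalation not set to false")

    # Slides 11-12: immutability. A read-only root filesystem keeps the
    # running container from being modified in place.
    if not sc.get("readOnlyRootFilesystem"):
        findings.append("root filesystem is writable")

    # Slide 15: pick a security profile explicitly. seccomp is settable per
    # pod or per container; AppArmor and SELinux options are not checked here.
    if "seccompProfile" not in merged:
        findings.append("no seccompProfile")
    return findings


def check_pod(pod: dict) -> dict:
    """Map each container name to its findings; an empty list means it passes."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    return {c["name"]: check_container(c, pod_sc)
            for c in spec.get("containers", [])}


# Constructed sample: the "before" shape, privileged and running as the image's
# default user. The image name is a placeholder.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{
        "name": "web", "image": "registry.example/web:1.0",
        "securityContext": {"privileged": True,
                            "capabilities": {"add": ["CAP_SYS_PTRACE"]}},
    }]},
}

# Constructed sample: the same workload with the slides' advice applied.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web", "image": "registry.example/web:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                # drop everything, add back only the one capability needed
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        for cname, issues in check_pod(pod).items():
            print(f"{label}/{cname}: {issues or 'OK'}")
```

Running it prints seven findings for the weak Pod and OK for the hardened one. The checker treats a missing user setting as a finding rather than assuming the image is safe, because the image default is what Kubernetes falls back to and most public base images default to root.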

Slide 16

3. Securing workloads with Open Source Tools

Slide 17

Hardening the host
● Risk: unsecured, unhardened host OS
● Best practice: Center for Internet Security (CIS) Benchmark for the distribution

Slide 18

Container runtimes
● Risk: mounting docker.sock or sensitive host directories into containers
● Docker Bench Security; Center for Internet Security (CIS) Benchmark for Docker
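A mount of docker.sock or a sensitive host directory is visible in the workload's manifest as a hostPath volume, so it can be caught before the Pod is admitted. The following is an added example, not code from the talk: a check that reports every container volumeMount backed by a sensitive hostPath. The list of sensitive paths beyond docker.sock, the sample Pod and the image name are constructed for the example; only the standard library is used.

```python
"""Added example for this slide (not code from the talk): report containers
that mount docker.sock or other sensitive host directories through hostPath
volumes. Input is a Pod manifest loaded as a dict; the sample Pod is
constructed. Standard library only."""

import posixpath

# docker.sock is the case the slide names; the directories are common
# CIS-style additions. Extend the tuple for your environment.
SENSITIVE_HOST_PATHS = (
    "/var/run/docker.sock", "/run/docker.sock",
    "/", "/etc", "/proc", "/sys", "/root", "/var/lib/docker",
)


def is_sensitive(host_path: str) -> bool:
    """True if host_path is, or lies under, a sensitive host location."""
    p = posixpath.normpath(host_path)
    for s in SENSITIVE_HOST_PATHS:
        if s == "/":
            if p == "/":          # only the root itself, not every absolute path
                return True
        elif p == s or p.startswith(s + "/"):
            return True
    return False


def host_mount_findings(pod: dict) -> list:
    """One finding per container mount that points at a sensitive host path.
    readOnly is reported for context only: a read-only bind mount of
    docker.sock does not stop API calls over the socket."""
    spec = pod.get("spec") or {}
    host_vols = {v["name"]: v["hostPath"]["path"]
                 for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            hp = host_vols.get(m["name"])
            if hp is not None and is_sensitive(hp):
                ro = ", readOnly" if m.get("readOnly") else ""
                findings.append(
                    f"{c['name']}: hostPath {hp} mounted at {m['mountPath']}{ro}")
    return findings


# Constructed sample: a CI agent that talks to the node's Docker daemon and
# reads host config; the emptyDir scratch volume is harmless and not reported.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ci-agent"},
    "spec": {
        "volumes": [
            {"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}},
            {"name": "hostetc", "hostPath": {"path": "/etc/"}},
            {"name": "scratch", "emptyDir": {}},
        ],
        "containers": [{
            "name": "agent", "image": "registry.example/ci-agent:1.0",
            "volumeMounts": [
                {"name": "dockersock", "mountPath": "/var/run/docker.sock"},
                {"name": "hostetc", "mountPath": "/host/etc", "readOnly": True},
                {"name": "scratch", "mountPath": "/tmp"},
            ],
        }],
    },
}

if __name__ == "__main__":
    for line in host_mount_findings(SAMPLE_POD):
        print(line)
```

The path comparison is done on the normalised path so that "/etc/" and "/etc" match the same entry, and the root directory is matched only exactly so that the "/" entry does not swallow every absolute path.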

Slide 19

Secrets
● Risks: secrets in the source code; Kubernetes Secrets are only base64-encoded; etcd not encrypted
● Secrets encrypted at rest and in transit
● Dynamic secrets. Source: https://www.hashicorp.com/blog/why-we-need-dynamic-secrets/
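Two of the risks on this slide can be shown concretely: a Kubernetes Secret's data map is base64, which anyone who can read the manifest or the unencrypted etcd store can reverse, and secrets committed to source can be caught with a simple pattern scan before review. The following is an added example, not code from the talk; the Secret manifest, the source lines and the keyword list are constructed for it, and only the standard library is used.

```python
"""Added example for the secrets slide (not code from the talk). Two checks on
constructed input: (1) decode a Kubernetes Secret to show base64 is not
encryption, (2) scan source lines for hard-coded secret assignments."""

import base64
import re

# Constructed sample Secret, in the shape `kubectl get secret -o yaml` shows.
SECRET_MANIFEST = {
    "apiVersion": "v1", "kind": "Secret", "metadata": {"name": "db"},
    "type": "Opaque",
    "data": {"username": "YXBw", "password": "aHVudGVyMg=="},
}


def decode_secret(manifest: dict) -> dict:
    """Recover plaintext values from a Secret's base64 `data` map. No key is
    involved: anyone who can read the object (or etcd) can do this."""
    data = manifest.get("data") or {}
    return {k: base64.b64decode(v).decode() for k, v in data.items()}


# Constructed source lines: what a developer might commit by mistake. The
# fourth line reads the value from the environment and must not be flagged.
SOURCE_LINES = [
    'DB_HOST = "db.internal"',
    'DB_PASSWORD = "hunter2"',
    'aws_secret_access_key = "EXAMPLEKEYDONOTUSE"',
    'token = os.environ["API_TOKEN"]',
]

# A secret-like name, then an assignment of a quoted literal. Case-insensitive,
# and deliberately not anchored at a word boundary so DB_PASSWORD is caught.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)(password|passwd|secret|api[_-]?key|token|access[_-]?key)'
    r'\w*\s*[:=]\s*["\']([^"\']+)["\']')


def find_hardcoded_secrets(lines) -> list:
    """Return (line_number, matched_keyword) for each quoted-literal secret."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


if __name__ == "__main__":
    print("decoded Secret:", decode_secret(SECRET_MANIFEST))
    for n, kw in find_hardcoded_secrets(SOURCE_LINES):
        print(f"line {n}: hard-coded value assigned to a '{kw}' name")
```

The scanner is intentionally narrow (quoted literals only) so that values read from the environment or a secrets manager, which is the slide's recommended direction, do not produce noise.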

Slide 20

Cloud Native Software Supply Chain. Source: KubeSec Enterprise Online: Beyond Vulnerability Scanning - Amir Jerbi

Slide 21

Vulnerability Scanner. Source: KubeSec Enterprise Online: Beyond Vulnerability Scanning - Amir Jerbi

Slide 22

Vulnerability Scanner

Slide 23

Hardening Orchestrator

Slide 24

Hardening Orchestrator

Slide 25

CSPM – Cloud Security Posture Management: https://github.com/aquasecurity/cloudsploit

Slide 26

(image only, no text)

Slide 27

Carol Valencia. LinkedIn: linkedin.com/in/carolgv. GitHub: krol3. Email: [email protected]. Thanks!