If it’s in a container it’s secure, right?
A guide to container security by @scottcoulton

About me.
Platform engineering lead @

Does the traditional infosec toolchain work efficiently in a world where a container’s average lifespan is 2 days?

1. Intro
What we will cover
➔ How is container security different?
Does traditional security fit?
➔ How to protect our container
Protecting from the inside out
➔ Security and CD
Can the 2 worlds live together?
➔ Live demo

The way that traditional infosec works is reactive.
Containers allow you to be proactive in your approach to infosec.

2. Examples
Here are a few comparable examples:
➔ Traditional
Nessus, AV, HIDS
➔ New school
AppArmor, Clair, Notary

The risks.
● DoS the host (CPU, memory or disk)
● Fork bomb
● Kernel modification
● Privilege escalation

Let’s look @ protecting the engine.
Docker 1.12 Benchmark

Some sane defaults.
● Don’t run --pid host or --net host (without knowing the risks)
● Don’t bind your daemon to tcp://0.0.0.0:4243
● Don’t use aufs as your storage driver
● Use TLS for all daemon traffic

Just one! That’s all you need.
(I am talking about processes inside your container!!!)

If you know the process, then apply AppArmor.

AppArmor example.
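As an added example (not the profile shown in the talk or in the scotty-c repository), here is a restrictive AppArmor profile for the Nginx container used in the demo, modelled on the docker-nginx profile from the Docker documentation, together with the commands that load it and attach it to the container. The profile name, the port mapping and the image tag are assumptions.

```shell
# Added example, not the talk's demo code: a restrictive AppArmor profile for an
# Nginx container, modelled on the docker-nginx profile in the Docker docs, plus
# the commands that load it and attach it. Profile name and port are assumptions.

# Emit the profile on stdout so it can be reviewed or written to a file.
nginx_profile() {
  cat <<'EOF'
#include <tunables/global>
profile docker-nginx-demo flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  network inet tcp,
  network inet udp,

  # "file," grants everything; the deny rules take it back for the system
  # trees, so root-owned files stay read-only even if a kernel bug like
  # Dirty COW is present. Writes anywhere under /proc are denied as well.
  file,
  deny /bin/** wl,
  deny /dev/** wl,
  deny /etc/** wl,
  deny /lib/** wl,
  deny /proc/** wl,
  deny /sys/** wl,
  deny /usr/** wl,
  audit /** w,

  # One process per container: no shell to pivot into.
  deny /bin/sh mrwklx,
  deny /bin/dash mrwklx,
  /usr/sbin/nginx ix,

  capability chown,
  capability dac_override,
  capability setuid,
  capability setgid,
  capability net_bind_service,
  deny mount,
}
EOF
}
# Load the profile and start Nginx confined by it (run as root on the host).
run_demo() {
  nginx_profile > /etc/apparmor.d/docker-nginx-demo
  apparmor_parser -r -W /etc/apparmor.d/docker-nginx-demo
  docker run -d --name nginx-demo -p 8080:80 \
    --security-opt apparmor=docker-nginx-demo nginx
  docker inspect --format '{{.AppArmorProfile}}' nginx-demo   # prints docker-nginx-demo
}
if [ "${1-}" = "run" ]; then run_demo; fi
```

Without the `--security-opt` flag Docker attaches its default profile, so the `docker inspect` line is the quick check that the custom profile is really the one confining the container.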

Infosec and continuous delivery.
The myth ...

Add security to the pipeline
Enter

Sign our images with Notary.

The full continuous delivery pipeline.

3. Live Demo
We are going to test what we have learnt today and run a standard Nginx image.
We will then use the Dirtyc0w vulnerability to write to a file owned by root, then escalate privileges from a standard user to root:
➔ Without AppArmor
All exploits will work
➔ With AppArmor
Our container will be safe

The code from the live demo is available @ https://github.com/scotty-c