Slide 1

Slide 1 text

SecDevops Containers

Slide 2

Slide 2 text

● @jmortegac
● http://jmortega.github.io
● https://www.linkedin.com/in/jmortega1/

Slide 3

Slide 3 text

DevOps and Containers Security: Security and Monitoring in Docker Containers (book): https://bpbonline.com/products/devops-and-containers-security-security-and-monitoring-in-docker-containers

Slide 4

Slide 4 text

● Introduction
● Containers Security
● SecDevops tools
● DevOps security best practices

Slide 5

Slide 5 text


Slide 6

Slide 6 text


Slide 7

Slide 7 text

● Increased speed and agility for security teams.
● Better collaboration and communication across teams.
● More opportunities for automated builds and quality-assurance testing.
● Early identification of vulnerabilities in application code.

Slide 8

Slide 8 text

1. Containers are NOT virtual machines.
2. Containers are isolated process groups that share the host OS kernel (isolation comes from kernel namespaces and cgroups, not from a separate kernel).
3. Kubernetes is a container orchestration platform.
4. Kubernetes abstracts the cloud vendor's (AWS, Azure, GCP) scalability features.

Slide 9

Slide 9 text

● Build small container images
○ Use the Alpine image as your base Linux OS
○ Or use distroless images
○ A smaller image ships fewer packages, so fewer vulnerabilities live inside the container.

Slide 10

Slide 10 text

● Distroless images
○ https://github.com/GoogleCloudPlatform/distroless

Slide 11

Slide 11 text

● Container immutability
○ Container images follow the Unix philosophy: one process, one purpose
○ Container images should be immutable: nothing is installed or changed at runtime
○ Remove the package manager from the final image so nothing can be installed later:
  RUN rm /usr/bin/apt-* /usr/bin/dpkg*

Slide 12

Slide 12 text

● Avoid the root user
○ Create a dedicated user account in the image
○ Install the runtime software under that user account
○ Run the application under that user account
○ Add a security module (SELinux or AppArmor) to strengthen the isolation

Slide 13

Slide 13 text

● Container security
○ Secure your host OS: containers run on the host kernel.
○ No runtime software downloads inside the container.
○ Declare the software requirements at build time.
○ Download Docker base images from an authentic site (the vendor's official registry).
○ Limit resource utilization using container orchestrators such as Kubernetes.
○ Don't run anything in privileged mode.
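The build-time rules from the last few slides (small pinned base image, no root in the final stage, nothing fetched at build time from an unverified URL) can be checked mechanically before an image is built. The following linter is an added example, not code from the slides or from the author; the two Dockerfiles it checks are constructed for the demo, and the ADD-from-URL check goes slightly beyond the slides by treating an unverified download as a failure of "declare the software requirements at build time".

```python
import re

# Constructed sample Dockerfiles (not from the slides): the first breaks the
# rules above, the second follows them (small base, pinned tags, no root).
WEAK_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y curl
ADD https://example.invalid/tool.tar.gz /opt/
ENTRYPOINT ["/opt/tool"]
"""

HARDENED_DOCKERFILE = """\
FROM python:3.12-alpine AS build
RUN pip install --no-cache-dir --target /app requests

FROM gcr.io/distroless/python3-debian12:nonroot
COPY --from=build /app /app
COPY app.py /app/app.py
USER nonroot
ENTRYPOINT ["python3", "/app/app.py"]
"""


def parse_instructions(text):
    """Return (INSTRUCTION, argument) pairs, joining backslash continuations
    and skipping comments and blank lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    out = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return out


def base_image_is_pinned(image):
    """True when the reference carries a digest or an explicit non-latest tag.
    'scratch' is the empty image and has nothing to pin."""
    if image == "scratch" or "@sha256:" in image:
        return True
    # Drop registry[:port]/namespace so a port colon is not mistaken for a tag.
    name = image.split("/")[-1]
    if ":" not in name:
        return False  # implicit :latest
    return name.rsplit(":", 1)[1] != "latest"


def lint_dockerfile(text):
    """Return a list of findings; an empty list means the Dockerfile passes."""
    findings = []
    stages = []  # one list of (instruction, argument) per FROM
    for instr, arg in parse_instructions(text):
        if instr == "FROM":
            stages.append([])
        if stages:
            stages[-1].append((instr, arg))
    if not stages:
        return ["no FROM instruction"]
    # Every stage's base image must be pinned, not only the final one.
    for stage in stages:
        tokens = [t for t in stage[0][1].split() if not t.startswith("--")]  # skip --platform=...
        if not base_image_is_pinned(tokens[0]):
            findings.append(f"base image not pinned: {tokens[0]}")
    # Only the final stage ends up in the shipped image, so root/ADD checks apply there.
    final = stages[-1]
    users = [arg for instr, arg in final if instr == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root")
    for instr, arg in final:
        if instr == "ADD" and re.match(r"https?://", arg):
            findings.append(f"ADD fetches an unverified URL at build time: {arg.split()[0]}")
    return findings


if __name__ == "__main__":
    for label, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, lint_dockerfile(df) or "OK")
```

The linter is deliberately strict about the last `USER` instruction: a Dockerfile that switches to a non-root user and then back to root for a final `RUN` still ships an image that starts as root.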

Slide 14

Slide 14 text

● Docker Hub
○ Do you have your own container registry?
○ Do you review and inspect your Dockerfiles?
○ Do your pipelines have the permissions and access needed to publish to Docker Hub?
○ Are your Docker builds correctly configured?
○ Do you control where layers are built?

Slide 15

Slide 15 text

● Docker Content Trust
○ https://docs.docker.com/engine/security/trust/content_trust/
○ export DOCKER_CONTENT_TRUST=1
○ Protection against image forgery: only signed images are pulled and run, so malicious code injected into an image is rejected.
○ Protection against replay attacks: an older, signed but vulnerable image cannot be served as the current one.
○ Protection against key compromise: the offline root key and rotatable repository keys limit the damage of a leaked signing key.

Slide 16

Slide 16 text

● Exploring layers in Docker images
○ https://github.com/wagoodman/dive

Slide 17

Slide 17 text

● Container introspection tool
○ https://github.com/genuinetools/amicontained

Slide 18

Slide 18 text

● Docker Bench for Security
○ https://github.com/docker/docker-bench-security

Slide 19

Slide 19 text


Slide 20

Slide 20 text


Slide 21

Slide 21 text


Slide 22

Slide 22 text


Slide 23

Slide 23 text

● Kubernetes security
○ Preventing image manipulation and unauthorized access
○ Deploying Pods without root permissions
○ Pod Security Policies
○ Secrets management

Slide 24

Slide 24 text

● Pod security
○ Never address a Pod directly from another Pod; route traffic through a Service.
○ Never use the :latest tag on an image in a production scenario.

Slide 25

Slide 25 text

● Namespaces
○ Group your services/pods and their traffic rules per namespace.
○ Set specific resource allocations (quotas) per namespace.
○ If you have more than a dozen microservices, it is time to bring in namespaces.

Slide 26

Slide 26 text

● Using official images
○ Use images provided by the vendor.
○ Critical vulnerabilities are fixed by the vendor in updated images; you still have to rebuild and redeploy to pick up the fix.

Slide 27

Slide 27 text

● kubesec: https://kubesec.io/

Slide 28

Slide 28 text


Slide 29

Slide 29 text

Dangerous pod configurations

Slide 30

Slide 30 text

CPU and memory limits to prevent DoS

Slide 31

Slide 31 text

runAsNonRoot flag in pod configuration

Slide 32

Slide 32 text

Capabilities in pod configuration
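The four slides above (dangerous pod configurations, CPU and memory limits, runAsNonRoot, capabilities) describe settings that can be audited directly from the JSON that `kubectl get pod -o json` returns. The auditor below is an added example, not code from the slides or from the author: both pod specs are constructed, the list of "dangerous" capabilities is an assumption chosen for the demo, and the check goes a little beyond the slides by also flagging the host-namespace settings (hostNetwork, hostPID, hostIPC, hostPath) and :latest image tags.

```python
import json

# Constructed pod specs (not from the slides), in the shape `kubectl get pod -o json` returns.
RISKY_POD = json.loads("""
{
  "kind": "Pod",
  "metadata": {"name": "busy-pod", "namespace": "psp-test"},
  "spec": {
    "hostNetwork": true,
    "hostPID": true,
    "volumes": [{"name": "bin", "hostPath": {"path": "/usr/bin"}}],
    "containers": [{
      "name": "busy",
      "image": "busybox:latest",
      "securityContext": {
        "privileged": true,
        "capabilities": {"add": ["SYS_ADMIN", "NET_RAW"]}
      }
    }]
  }
}
""")

HARDENED_POD = json.loads("""
{
  "kind": "Pod",
  "metadata": {"name": "web", "namespace": "prod"},
  "spec": {
    "containers": [{
      "name": "web",
      "image": "nginx:1.27.0",
      "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
      "securityContext": {
        "runAsNonRoot": true,
        "runAsUser": 10001,
        "allowPrivilegeEscalation": false,
        "readOnlyRootFilesystem": true,
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}
      }
    }]
  }
}
""")

# Capabilities that give a container a path to root on the node (assumed list for the demo).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "NET_RAW",
                  "DAC_READ_SEARCH", "BPF"}


def image_is_pinned(image):
    """Digest, or an explicit tag that is not :latest."""
    if "@sha256:" in image:
        return True
    name = image.split("/")[-1]  # drop registry[:port]/namespace
    return ":" in name and not image.endswith(":latest")


def audit_pod(pod):
    """Return a list of findings; an empty list means the pod passes every check."""
    findings = []
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append(f"pod: {ns} is true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"pod: hostPath volume mounts {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c["name"]
        sc = c.get("securityContext", {})
        if not image_is_pinned(c.get("image", "")):
            findings.append(f"{name}: image tag is :latest or missing ({c.get('image', '')})")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}: no {res} limit (DoS risk)")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # The container-level value overrides the pod-level one; neither set means root is allowed.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities are not dropped (drop: [ALL] missing)")
        for cap in caps.get("add", []):
            norm = cap.upper()
            norm = norm[4:] if norm.startswith("CAP_") else norm
            if norm in DANGEROUS_CAPS:
                findings.append(f"{name}: adds dangerous capability {cap}")
    return findings


if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

The hardened spec shows the usual shape of a passing container: drop every capability, add back only the one the workload needs (NET_BIND_SERVICE for a port below 1024), set explicit limits, and refuse privilege escalation.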

Slide 33

Slide 33 text

kube-bench (CIS Kubernetes Benchmark) https://github.com/aquasecurity/kube-bench
● Master node security configuration
○ API server
○ Scheduler
○ Controller manager / configuration files
○ General security primitives
○ PodSecurityPolicies
● Worker node security configuration
○ Kubelet
○ Configuration files

Slide 34

Slide 34 text

kube-bench (CIS Kubernetes Benchmark) https://github.com/aquasecurity/kube-bench

Slide 35

Slide 35 text

kube-hunter

Slide 36

Slide 36 text

kubeaudit https://github.com/Shopify/kubeaudit

Slide 37

Slide 37 text

Pod Security Policies https://kubernetes.io/docs/concepts/policy/pod-security-policy/
(PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; Pod Security Admission and the Pod Security Standards replace it.)

Slide 38

Slide 38 text

kube-psp-advisor https://kubernetes.io/docs/concepts/policy/pod-security-policy/
Report excerpt (closing brackets restored): the tool lists, per risky setting, which workloads in the namespace need it.
  {
    "hostNetwork": [
      {
        "metadata": { "name": "busy-rs", "kind": "ReplicaSet" },
        "namespace": "psp-test",
        "hostPID": true,
        "hostNetwork": true,
        "hostIPC": true,
        "volumeTypes": [ "configMap" ]
      },
      {
        "metadata": { "name": "busy-pod", "kind": "Pod" },
        "namespace": "psp-test",
        "hostNetwork": true,
        "volumeTypes": [ "hostPath", "secret" ],
        "mountedHostPath": [ "/usr/bin" ]
      }
    ]
  }

Slide 39

Slide 39 text

Sysdig Falco https://sysdig.com/opensource/falco/

Slide 40

Slide 40 text

Sysdig Falco policies (examples of what the default rules detect)
○ A shell that runs inside a container with root privileges.
○ A process that spawns another process with unexpected behaviour (e.g. a web server launching a shell).
○ Reading a confidential file, for example /etc/shadow.
○ A process using a file under /dev that is not a device node, indicating possible rootkit activity.
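To make the four policies concrete, here is the same detection logic run over a handful of syscall-style events. This is an added example and not Falco's rule set or code from the slides: the events are constructed, the field names only loosely follow Falco's (proc.name, proc.pname, user.uid, container.id, fd.name, fd.type) and are assumptions, and the "expected children" and "allowed /etc/shadow readers" lists are demo allow-lists you would tune per workload.

```python
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
SENSITIVE_FILES = {"/etc/shadow", "/etc/gshadow", "/etc/sudoers"}
# Programs that legitimately read the shadow file (assumed allow-list).
ALLOWED_SHADOW_READERS = {"sshd", "login", "sudo", "su", "passwd"}
# Which children a serving process is expected to spawn (assumed allow-list).
EXPECTED_CHILDREN = {"nginx": {"nginx"}, "java": set(), "node": {"node"}}

# Constructed events (not real captures). container.id == "host" means "not in a container".
EVENTS = [
    {"evt.type": "execve", "proc.name": "nginx", "proc.pname": "nginx",
     "user.uid": 101, "container.id": "3f2a1b"},
    {"evt.type": "execve", "proc.name": "bash", "proc.pname": "nginx",
     "user.uid": 0, "container.id": "3f2a1b"},
    {"evt.type": "openat", "proc.name": "cat", "proc.pname": "bash",
     "user.uid": 0, "container.id": "3f2a1b", "fd.name": "/etc/shadow", "fd.type": "file"},
    {"evt.type": "openat", "proc.name": "ld-preload-drop", "proc.pname": "bash",
     "user.uid": 0, "container.id": "3f2a1b", "fd.name": "/dev/.hidden/rk.so", "fd.type": "file"},
    {"evt.type": "openat", "proc.name": "nginx", "proc.pname": "nginx",
     "user.uid": 101, "container.id": "3f2a1b", "fd.name": "/dev/null", "fd.type": "chardev"},
    {"evt.type": "execve", "proc.name": "bash", "proc.pname": "sshd",
     "user.uid": 0, "container.id": "host"},
]


def in_container(e):
    return e.get("container.id", "host") != "host"


def shell_in_container_as_root(e):
    # Policy 1: an interactive shell started inside a container as uid 0.
    return (e["evt.type"] == "execve" and in_container(e)
            and e["proc.name"] in SHELLS and e.get("user.uid") == 0)


def unexpected_child_process(e):
    # Policy 2: a known serving process spawns something it never should.
    parent = e.get("proc.pname")
    return (e["evt.type"] == "execve" and parent in EXPECTED_CHILDREN
            and e["proc.name"] not in EXPECTED_CHILDREN[parent])


def sensitive_file_read(e):
    # Policy 3: /etc/shadow and friends opened by anything but the usual readers.
    return (e["evt.type"] == "openat" and e.get("fd.name") in SENSITIVE_FILES
            and e["proc.name"] not in ALLOWED_SHADOW_READERS)


def non_device_file_under_dev(e):
    # Policy 4: a regular file under /dev is a classic rootkit hiding spot.
    name = e.get("fd.name", "")
    return (e["evt.type"] == "openat" and name.startswith("/dev/")
            and e.get("fd.type") not in ("chardev", "blockdev"))


RULES = [
    ("shell_in_container_as_root", shell_in_container_as_root),
    ("unexpected_child_process", unexpected_child_process),
    ("sensitive_file_read", sensitive_file_read),
    ("non_device_file_under_dev", non_device_file_under_dev),
]


def detect(events):
    """Return (rule name, process name) for every rule each event trips, in order."""
    alerts = []
    for e in events:
        for rule_name, rule in RULES:
            if rule(e):
                alerts.append((rule_name, e["proc.name"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Note the two quiet events: nginx opening /dev/null is a character device and passes policy 4, and a root bash spawned by sshd on the host is not a container event and so does not trip policy 1; a real rule set needs exactly these exclusions or it drowns in noise.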

Slide 41

Slide 41 text

Security best practices
● Do not run containers and pods as root.
● Disable capabilities and privileges.
● One application per container, microservice-oriented approach.
● Use small images.

Slide 42

Slide 42 text

● Training and communication are the key to success.
● DevSecOps is not only about tools, but the right tools are necessary.
● Follow the principle of least privilege.

Slide 43

Slide 43 text

● https://opensource.com/article/18/8/tools-container-security
● https://www.devsecops.org/
● https://github.com/devsecops/awesome-devsecops
● https://cloudowski.com/articles/how-to-increase-container-security-with-proper-images/
● https://www.twistlock.com/container-security
● https://developer.okta.com/blog/2019/07/18/container-security-a-developer-guide