Slide 1

Securing your code when you don’t even know where it is
Liz Rice
@LizRice | @AquaSecTeam
Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

Slide 4

Traditional process (diagram): Create software / Deploy / Patch / Provision servers; callout: “There’s a vulnerability!”

Slide 5

Server drift (chart of server state over time)

Slide 6

DevOps happened!
■ Infrastructure as code
■ Containers
■ CI / CD
■ GitOps

Slide 7

What is Cloud Native?
◼ Containers
◼ Orchestration
◼ Microservices

Slide 8

Cattle not pets

Slide 9

Pipeline process builds “cattle”: Create software → Build images → Deploy

Slide 10

Security is a concern when deploying containers: 88% agree (Sonatype 2017 DevSecOps Survey)

Slide 11

Hundreds of microservices
Thousands of containers
Average container life ~ 2.5 days

Slide 12

Dependencies in every container (diagram: several containers, each carrying its own copies of /bin, /lib, /usr, /opt and /var)

Slide 13

Applying patches to containers?

Slide 15

Pipeline process: Create software → Build images → Deploy
Immutable: never modify; always move in this direction

Slide 16

Scan for vulnerabilities (pipeline: Create software → Build images → Deploy)

Slide 17

Image policies (pipeline: Create software → Build images → Deploy, with ✓ ✓ approval marks)

Slide 18

Hundreds of microservices
Thousands of containers
All containers running from approved images

Slide 19

What about the hosts?

Slide 20

Hosts
■ Host OS
■ Automated testing
■ Recycling
■ Intrusion detection

Slide 21

Wait, there’s more!

Slide 22

Reducing images

Slide 23

Reducing image size
■ Few tools needed in containers
■ Smaller attack surface

    # Dockerfile: a statically linked binary plus its templates, and nothing else
    FROM scratch
    EXPOSE 8080
    COPY hello /
    COPY templates templates
    CMD ["/hello"]
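
An added example, not from the slides: a multi-stage build that produces the scratch-based image shown above, so the compiler and the rest of the toolchain never reach the deployed image. It assumes the build context is a Go module with no third-party dependencies, containing main.go and a templates/ directory (these names are assumptions).

```dockerfile
# Stage 1: build a statically linked binary. This stage carries a full
# toolchain, which is exactly what should NOT ship in the deployed image.
# Assumes a Go module (go.mod + main.go + templates/) in the build context.
FROM golang:1.21 AS build
WORKDIR /src
COPY . .
# CGO_ENABLED=0 yields a static binary with no libc dependency, so the
# final image needs no /lib at all; -s -w strip symbol tables.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/hello .

# Stage 2: the image that is deployed. FROM scratch means no shell, no
# package manager, no /bin or /usr to patch: only what is COPYed in.
FROM scratch
# Run as an unprivileged numeric UID; scratch has no /etc/passwd, so a
# username would not resolve, but a numeric id works.
USER 65534:65534
EXPOSE 8080
COPY --from=build /out/hello /hello
COPY --from=build /src/templates /templates
CMD ["/hello"]
```

Build and run with `docker build -t hello . && docker run -p 8080:8080 hello`; `docker image ls hello` then shows an image only slightly larger than the binary itself.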

Slide 24

Microservice network segmentation
■ Restrict communication between microservices
■ Encrypted connections

Slide 25

Runtime protection
■ Restrict container activity
■ Prevent anomalous / suspicious behaviour

Slide 26

Shellshock demo

Slide 27

Cloud Native Security Advantages

Slide 28

Container security advantages
■ Decomposition of the problem
■ Additional layers of defence
■ Continuous deployment
■ Shorter attack window
■ Community best practices
■ Dedicated container security tools

Slide 29

Room for improvement in container security: 80% agree (Aqua Security 2017 Survey)

Slide 30

“Containers … require a more collaborative approach by security and DevOps teams.”

Slide 31

“Organizations would do well to embed security early into the process”

Slide 32

Continuous integration
Continuous deployment
Continuous security

Slide 33

Container security in the Enterprise: aquasec.com/survey
Kubernetes CIS tests: github.com/aquasecurity/kube-bench