
Using Python to Secure Docker Containers at the CI/CD Pipeline Level

Alina Radu
September 24, 2019

The talk covers standalone techniques to secure Docker containers and methods to check the security health of a Docker container through Python tests executed at the CI/CD pipeline level, every time the (micro)services are built after a code change.

Transcript

  1. Using Python to Secure Docker Containers at the CI/CD Pipeline Level
     Alina Radu @transcedentalia @PyLadiesLondon
  2. Agenda
     - Shifting security to the left
     - Security at the CI/CD pipeline level
     - Failures and actionable alerts
     - Q&A
  3. Shifting security to the left
     - Security by design
     - Proactive security
     - Automation
     - Increase team collaboration - Eliminating silos
     - Reducing costs
     maravis.com
  4. Build pipeline of a service
     - Configuration repository
     - Jenkins
       - Orchestrates build and deployment
       - Pipelines of sequential steps
       - Security-check step
  5. PaaSTA security-check
     - Set of python tests
     - High level security status of the service
     - Run at every build
     - Actionable alerts
  6. Security tests: Debian packages up to date
     Check whether the installed packages are up to date against the upstream repositories.

         class DebianSystemPackageCheck(BasePlugin):
             def perform_check(self, docker, **kwargs):
                 # -qq: Do it super-quietly and say yes to everything
                 # update: Update the package index, but do not install
                 # --just-print dist-upgrade: get all the things we would theoretically install
                 dist_upgrade_print = docker.run(
                     'apt-get -qq update && apt-get --just-print dist-upgrade',
                     root=True).decode('utf-8')
                 # The slide ends with the command; --just-print reports each pending upgrade as "Inst <pkg> ..."
                 outdated = [l.split()[1] for l in dist_upgrade_print.splitlines() if l.startswith('Inst ')]
                 if outdated:
                     self.messages.append('Outdated Debian packages: ' + ', '.join(outdated))
                     return SecurityCheckResult.FAIL
                 return SecurityCheckResult.PASS
  7. Security tests: Docker best practices
     Container not running as root (default)

         class DockerRootCheck(BasePlugin):
             def perform_check(self, docker, **kwargs):
                 output = docker.run('whoami').decode('utf-8').strip()
                 if output == 'root':
                     self.messages.append('The default user in this container is root. '
                                          'Please add a USER statement, see y/dockerbestpractices')
                     return SecurityCheckResult.FAIL
                 self.messages.append('The default user in this container is: ' + output)
                 return SecurityCheckResult.PASS
  8. Security tests: Docker best practices
     Dockerfile
     - Yelp maintained Docker images
     - latest images
     - no packages pinned to certain versions
     - .dockerignore contains .git

         class DockerfileCheck(BasePlugin):
             def check_dockerignore(self):
                 dockerignore = self.get_dockerignore()
                 if dockerignore is None:
                     self.messages.append('No .dockerignore file exists. Create one and add .git to it.')
                     return False
                 if not any(line.startswith('.git') for line in dockerignore):
                     self.messages.append('A .dockerignore file exists but .git is not in it; please add it.')
                     return False
                 return True
  9. Security tests: Well known vulnerabilities
     Bash Shellshock

         class ShellShockCheck(BasePlugin):
             COMMAND = "env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'"

             def perform_check(self, docker, **kwargs):
                 output = docker.run(self.COMMAND).decode('utf-8').strip()
                 if output == 'this is a test':
                     self.messages.append('Bash is safe. It is not vulnerable to shellshock.')
                     return SecurityCheckResult.PASS
                 self.messages.append('!! Bash is vulnerable to shellshock !!')
                 return SecurityCheckResult.FAIL
  10. Security tests: Code dependency check
      - Packages with known vulnerabilities
      - Database of vulnerable packages
        - e.g. npmjs.com/advisories for node.js
        - e.g. pyup.io/safety for python
  11. Security tests: Image vulnerability scanning
      - Clair open source project
      - Scan base image CVEs, classified by severity
      - Anti-pattern: patch running containers - rebuild the base image
  12. Security tests: No secrets in the service repository
      - Detect and prevent high entropy strings from entering the code base
      - Assume existing code has no secrets
      - Check only the new code
      - Loosely based off truffleHog
  13. Actionable alerts: Failures and alerts
      Security-check failed?
      - Email
      - Jira ticket
      - Sensu alert
      - Runbook
  14. Takeaways
      - Shifting security to the left
      - Security tests run at every build
      - Service owners
        - more aware of the service security
        - involved in keeping it safe
  15. Be the next Yelper
      yelp.com/careers/job-openings?location=London%2C+UK
      - Senior Platform Engineer (Elasticsearch, Flink, AWS)
      - Senior Database Reliability Engineer
      - Applied Data Scientist
      - Senior Platform Engineer - Data Streams
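Added example for slide 12 (not code from the talk or from PaaSTA): a minimal Python check that scans only the added lines of a commit diff for long, high-entropy tokens, in the style of the plugins shown on slides 6 to 9. The SecurityCheckResult enum, the HighEntropySecretsCheck class, the sample diff and the min_len/threshold tuning values are all constructed for illustration.

```python
import math
import re
from enum import Enum

# Constructed sample diff; only '+' lines (new code) are scanned, as on the slide.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 DB_HOST = 'db.internal'
-API_KEY = os.environ['API_KEY']
+API_KEY = 'AKIA4ZQ7XP2LMN8VQ3T9EXAMPLE0'
+MAX_RETRIES = 3
"""

class SecurityCheckResult(Enum):
    PASS = 'PASS'
    FAIL = 'FAIL'

def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(ch) / n * math.log2(s.count(ch) / n) for ch in set(s))

def added_lines(diff_text):
    """Yield the text of '+' lines, skipping the '+++' file header."""
    for line in diff_text.splitlines():
        if line.startswith('+') and not line.startswith('+++'):
            yield line[1:]

def find_high_entropy_strings(diff_text, min_len=20, threshold=3.5):
    """Return (token, entropy) for long tokens on added lines whose entropy
    exceeds threshold; min_len and threshold are hypothetical tuning values."""
    token_re = re.compile(r'[A-Za-z0-9+/=_\-]{%d,}' % min_len)
    hits = []
    for line in added_lines(diff_text):
        for token in token_re.findall(line):
            ent = shannon_entropy(token)
            if ent > threshold:
                hits.append((token, round(ent, 2)))
    return hits

class HighEntropySecretsCheck:
    """Hypothetical check in the style of the slides' plugins."""
    def __init__(self):
        self.messages = []
    def perform_check(self, diff_text):
        # Report only a prefix so the alert itself does not leak the candidate secret.
        hits = find_high_entropy_strings(diff_text)
        for token, ent in hits:
            self.messages.append('Possible secret (entropy %.2f): %s...' % (ent, token[:6]))
        return SecurityCheckResult.FAIL if hits else SecurityCheckResult.PASS
```

Running `HighEntropySecretsCheck().perform_check(SAMPLE_DIFF)` returns FAIL for the added API key but ignores the removed line and the short `MAX_RETRIES` value.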