
Securing the Docker Containers that Run your Microservices, European Women in Tech, Amsterdam 2018

Alina Radu
November 28, 2018

Transcript

  1. Agenda
     • containers: what & why
     • shifting security to the left
     • security at the CI/CD pipeline level
     • failures & actionable alerts
     • Q&A
  2. What is a Docker container?
     • unit of software
     • code, runtime, system tools, libraries, settings
     • cgroups and namespaces
     • image becomes container at runtime
     • Docker engine
     (source: docker.com)
  3. Why are containers useful?
     • isolation & security
     • lightweight & minimal overhead
     • simplicity
       ◦ testing and deployment
     • portability
       ◦ same OS family
     • cattle not pets
     (source: RedHat)
  4. Security principles
     • least privilege
     • defense in depth
     • minimize the attack surface
     (source: OWASP)
  5. Shifting security to the left
     • security by design
     • proactive security
     • automation
     • increase team collaboration
       ◦ eliminate silos
     • reducing costs
     (source: @petecheslock)
  6. PaaSTA: Platform as a Service
     • Docker for code delivery and containment
     • Mesos for code execution and scheduling (runs Docker containers)
     • Marathon for managing long-running services
     • Chronos for running things on a timer (nightly batches)
     • SmartStack for service registration and discovery
     • Sensu for monitoring/alerting
     • Jenkins (optionally) for continuous deployment (CI/CD)
  7. Build pipeline of a service
     • configuration repository
     • Jenkins
       ◦ orchestrates build and deployment
       ◦ pipelines of sequential steps
       ◦ security-check step
  8. PaaSTA security-check
     • set of tests
     • python
     • security status of the service
     • run at every build
     • actionable alerts for failures
  9. Security tests
     • Debian packages up to date
     • Docker best practices
     • well known vulnerabilities
     • code dependency check
     • base Docker image vulnerability scanning
     • no secrets in the service repo
  10. Debian packages up to date
     • check if the latest packages are installed against upstream repositories
     • apt-get -qq update && apt-get --just-print dist-upgrade
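The slide-10 check written out as an added Python example (not code from the talk or from PaaSTA): it runs the same apt-get pair the slide shows, parses the "Inst" lines of the simulated dist-upgrade and turns pending upgrades into the kind of actionable alert slide 8 asks for. The sample output, package versions and service name are constructed; the Debian-Security origin flag is an addition of this example.

```python
"""Added example: turn `apt-get --just-print dist-upgrade` output into an
actionable security-check result (not PaaSTA's own code)."""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

# A simulated dist-upgrade prints one "Inst" line per pending change:
#   Inst <package> [<installed>] (<candidate> <origin> [<arch>])
# The bracketed installed version is absent for brand-new packages.
INST_RE = re.compile(
    r"^Inst (?P<name>\S+)(?: \[(?P<installed>[^\]]+)\])? "
    r"\((?P<candidate>\S+) (?P<origin>[^\[]+?)\s*\["
)

# Constructed sample output: package names, versions and origins are invented
# to look like a Debian stretch image that missed two security updates.
SAMPLE_OUTPUT = """\
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages will be upgraded:
  libssl1.1 openssl
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl1.1 [1.1.0f-3+deb9u1] (1.1.0f-3+deb9u2 Debian-Security:9/stable [amd64])
Inst openssl [1.1.0f-3+deb9u1] (1.1.0f-3+deb9u2 Debian-Security:9/stable [amd64])
Conf libssl1.1 (1.1.0f-3+deb9u2 Debian-Security:9/stable [amd64])
Conf openssl (1.1.0f-3+deb9u2 Debian-Security:9/stable [amd64])
"""


@dataclass
class PendingUpgrade:
    name: str
    installed: Optional[str]
    candidate: str
    origin: str

    @property
    def is_security(self) -> bool:
        # Debian ships security fixes from a "Debian-Security" origin.
        return "security" in self.origin.lower()


def parse_pending_upgrades(output: str) -> List[PendingUpgrade]:
    """Extract every package the simulation would install or upgrade."""
    upgrades = []
    for line in output.splitlines():
        match = INST_RE.match(line)
        if match:
            upgrades.append(PendingUpgrade(
                name=match["name"],
                installed=match["installed"],
                candidate=match["candidate"],
                origin=match["origin"].strip(),
            ))
    return upgrades


def render_alert(upgrades: List[PendingUpgrade], service: str) -> Optional[str]:
    """Return an actionable alert text, or None when the image is up to date."""
    if not upgrades:
        return None
    security = [u for u in upgrades if u.is_security]
    lines = [
        f"{service}: {len(upgrades)} Debian package(s) out of date "
        f"({len(security)} from a security origin)."
    ]
    for u in upgrades:
        lines.append(f"  {u.name}: {u.installed or '(new)'} -> {u.candidate} [{u.origin}]")
    lines.append("Fix: rebuild the image from an updated base image instead of "
                 "patching running containers.")
    return "\n".join(lines)


def simulate_dist_upgrade() -> str:
    """Run the check inside the image; --just-print changes nothing on disk."""
    subprocess.run(["apt-get", "-qq", "update"], check=True)
    result = subprocess.run(
        ["apt-get", "--just-print", "dist-upgrade"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Pass --live to query the real apt state of the container you are in;
    # by default the constructed sample is used so the script runs anywhere.
    output = simulate_dist_upgrade() if "--live" in sys.argv else SAMPLE_OUTPUT
    alert = render_alert(parse_pending_upgrades(output), service="example-service")
    print(alert or "all Debian packages are up to date")
    sys.exit(1 if alert else 0)
```

Exiting non-zero whenever an "Inst" line is present is what makes the check fail the Jenkins step; the alert text names the packages and the fix so the service owner does not have to rerun apt by hand.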
  11. Docker container best practices
     • container not running as root (default)
     • Dockerfile
       ◦ Yelp maintained Docker images, no public images
       ◦ latest images
       ◦ no packages pinned to certain versions
       ◦ .dockerignore contains .git
  12. Whitelisting
     • certain version(s) of a package
     • Docker images
       ◦ public images for open source projects
       ◦ non-standard Yelp images
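An added example for slides 11 and 12 (not PaaSTA's own security-check): a small Dockerfile linter that enforces the best practices listed on slide 11 and consults the two whitelists from slide 12, so a public image or a pinned package only passes when someone has explicitly allowed it. The registry prefix registry.example.internal/, the sample Dockerfiles and the whitelist contents are assumptions made for this example.

```python
"""Added example: Dockerfile best-practice checks plus the whitelist
exceptions of slides 11 and 12 (not PaaSTA's own code)."""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# apt-get style "package=version" pins; the lookbehind keeps option flags
# (--no-install-recommends) and env assignments (DEBIAN_FRONTEND=...) out.
PIN_RE = re.compile(r"(?<![\w-])([a-z0-9][a-z0-9.+-]*)=(\S+)")


@dataclass
class Policy:
    internal_registry: str = "registry.example.internal/"  # assumed prefix
    public_image_whitelist: Set[str] = field(default_factory=set)    # slide 12
    pinned_package_whitelist: Set[str] = field(default_factory=set)  # slide 12


def parse_dockerfile(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs, joining backslash continuations."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        head, _, rest = (buf + line).partition(" ")
        instructions.append((head.upper(), rest.strip()))
        buf = ""
    return instructions


def split_image_ref(ref: str) -> Tuple[str, str]:
    """'reg.example/team/app:1.2' -> ('reg.example/team/app', '1.2')."""
    path, sep, last = ref.rpartition("/")
    name, _, tag = last.partition(":")
    return path + sep + name, tag


def lint(dockerfile: str, dockerignore: str, policy: Policy) -> List[str]:
    """Return one human-readable finding per violated rule (empty list = pass)."""
    findings: List[str] = []
    last_user = None
    for ins, args in parse_dockerfile(dockerfile):
        if ins == "FROM":
            name, tag = split_image_ref(args.split()[0])  # drops "AS stage"
            if not name.startswith(policy.internal_registry) \
                    and name not in policy.public_image_whitelist:
                findings.append(f"FROM {name}: not a maintained internal image")
            if tag and tag != "latest":
                findings.append(f"FROM {name}:{tag}: pinned tag, build from latest")
        elif ins == "RUN" and "apt-get install" in args:
            for pkg, version in PIN_RE.findall(args):
                if pkg not in policy.pinned_package_whitelist:
                    findings.append(f"RUN pins {pkg}={version} without a whitelist entry")
        elif ins == "USER":
            last_user = args.split(":")[0]  # "user:group" -> user
    if last_user is None:
        findings.append("no USER instruction: container runs as root")
    elif last_user in ("root", "0"):
        findings.append(f"USER {last_user}: container runs as root")
    ignored = {entry.strip() for entry in dockerignore.splitlines()}
    if not ignored & {".git", ".git/", "**/.git"}:
        findings.append(".dockerignore does not exclude .git")
    return findings


# Constructed samples: one Dockerfile that breaks most rules, one that passes.
BAD_DOCKERFILE = """\
FROM ubuntu:18.04
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl=7.58.0-2ubuntu3 libfoo=1.0 && \\
    DEBIAN_FRONTEND=noninteractive apt-get clean
COPY . /app
CMD ["/app/run"]
"""
GOOD_DOCKERFILE = """\
FROM registry.example.internal/ubuntu_bionic:latest
RUN apt-get update && apt-get install -y curl libfoo=1.0
COPY . /app
USER nobody
CMD ["/app/run"]
"""
POLICY = Policy(public_image_whitelist={"redis"}, pinned_package_whitelist={"libfoo"})

if __name__ == "__main__":
    for label, text, ignore in (("bad", BAD_DOCKERFILE, "node_modules\n"),
                                ("good", GOOD_DOCKERFILE, ".git\nnode_modules\n")):
        print(label, lint(text, ignore, POLICY) or ["ok"])
```

The bad Dockerfile produces five findings (public base image, pinned tag, unwhitelisted curl pin, no USER, .git not ignored); libfoo is pinned too but passes because it sits in the whitelist, which is exactly the exception slide 12 carves out.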
  13. Well known vulnerabilities
     • bash shellshock
     • extending the list in the future
       ◦ heartbleed - server side applications
  14. Code dependency check
     • python/npm/php packages with known vulnerabilities
     • checks the content of yarn.lock for packages with published vulnerabilities (https://www.npmjs.com/advisories db)
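An added example for the yarn.lock check on slide 14, not the checker from the talk: it reads the versions actually resolved in a yarn.lock v1 file, including scoped packages and packages resolved at more than one version, and matches them against advisory entries shaped like the npm advisories feed. The lockfile, package names, advisory ids and version ranges are all constructed; a real run would load the advisories from the feed instead.

```python
"""Added example: match the packages resolved in yarn.lock against an
advisory list (not PaaSTA's checker; advisory data here is constructed)."""
import re
from typing import Dict, List, Set, Tuple

# yarn.lock v1: an unindented header names the requested specifiers, the
# indented "version" line gives the version that was actually resolved.
HEADER_RE = re.compile(r"^(?P<specs>\S.*):$")
VERSION_RE = re.compile(r'^\s+version "(?P<version>[^"]+)"$')
COMPARATOR_RE = re.compile(r"(<=|>=|<|>|=)?\s*(\d[\w.+-]*)")
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
       ">=": lambda a, b: a >= b, "=": lambda a, b: a == b}

# Constructed lockfile: package names and registry host are invented.
SAMPLE_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@acme/left-trim@^1.0.0", "@acme/left-trim@~1.1.0":
  version "1.1.0"
  resolved "https://registry.example.invalid/@acme/left-trim/-/left-trim-1.1.0.tgz"

"@acme/left-trim@^2.0.0":
  version "2.0.1"
  resolved "https://registry.example.invalid/@acme/left-trim/-/left-trim-2.0.1.tgz"

widgetlib@^4.17.4:
  version "4.17.4"
  resolved "https://registry.example.invalid/widgetlib/-/widgetlib-4.17.4.tgz"
  dependencies:
    "@acme/left-trim" "^2.0.0"
"""

# Constructed advisories shaped like npm advisory feed entries; the ids,
# titles and ranges are placeholders, not published advisories.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "module_name": "widgetlib", "severity": "high",
     "title": "Prototype pollution", "vulnerable_versions": "<4.17.11"},
    {"id": "EXAMPLE-0002", "module_name": "@acme/left-trim", "severity": "moderate",
     "title": "Regular expression denial of service",
     "vulnerable_versions": ">=1.0.0 <1.0.5 || >=2.0.0 <2.0.2"},
]


def parse_yarn_lock(text: str) -> Dict[str, Set[str]]:
    """Map package name -> resolved versions (one name may resolve several times)."""
    resolved: Dict[str, Set[str]] = {}
    names: List[str] = []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header and not line.startswith("#"):
            # Split on the last "@" so scoped names like @acme/x@^1.0.0 survive.
            names = [spec.strip().strip('"').rsplit("@", 1)[0]
                     for spec in header["specs"].split(",")]
            continue
        version = VERSION_RE.match(line)
        if version:
            for name in names:
                resolved.setdefault(name, set()).add(version["version"])
    return resolved


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for comparison; pre-release and build suffixes are dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def in_range(version: str, range_expr: str) -> bool:
    """True when version satisfies any "||" alternative; an alternative is a
    space-separated AND of comparators, e.g. ">=1.0.0 <1.0.5"."""
    key = version_key(version)
    for alternative in range_expr.split("||"):
        comparators = COMPARATOR_RE.findall(alternative)
        if comparators and all(OPS[op or "="](key, version_key(v)) for op, v in comparators):
            return True
    return False


def check_dependencies(lock_text: str, advisories: List[dict]) -> List[Tuple[str, str, str, str]]:
    """Return (package, version, severity, advisory id) for every vulnerable entry."""
    resolved = parse_yarn_lock(lock_text)
    return [(adv["module_name"], version, adv["severity"], adv["id"])
            for adv in advisories
            for version in sorted(resolved.get(adv["module_name"], ()))
            if in_range(version, adv["vulnerable_versions"])]


if __name__ == "__main__":
    for pkg, version, severity, adv_id in check_dependencies(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(f"{severity.upper():9} {pkg}@{version} ({adv_id})")
```

Checking the resolved version rather than the requested specifier matters: the header says ^1.0.0 was asked for, but only the "version" line tells you which build the container will actually ship, and a name can appear twice with one safe and one vulnerable resolution.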
  15. Image vulnerability scanning
     • clair open source project
     • scan base image
     • CVEs
     • classified by severity
     • anti-pattern: patch running containers
     • rebuild the base image
  16. No secrets into the service repository
     • detect-secrets open source project
     • detect and prevent high entropy strings from entering the code base
     • assumes existing code has no secrets
     • checks only the new code
     • loosely based on truffleHog
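An added example for slide 16 in the spirit of detect-secrets (not its code): Shannon entropy over string literals, applied only to the added lines of a unified diff so that, as the slide says, existing code is assumed clean and only new code is checked. The entropy thresholds, the diff and the tokens in it are constructed for this example; the first literal is the placeholder secret key used in AWS documentation.

```python
"""Added example: flag high-entropy string literals in the added lines of a
diff, in the spirit of detect-secrets (not detect-secrets' own code)."""
import math
import re
from typing import List, Tuple

# Character classes and cut-offs chosen for this example; they are of the
# same order as detect-secrets' documented defaults but not taken from it.
HEX_RE = re.compile(r"^[0-9a-fA-F]{20,}$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]{20,}$")
STRING_LITERAL_RE = re.compile(r"""["']([^"']{20,})["']""")
THRESHOLDS = {"hex": 3.0, "base64": 4.5}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(?P<start>\d+)(?:,\d+)? @@")


def shannon_entropy(data: str) -> float:
    """Bits per character estimated from the character histogram."""
    if not data:
        return 0.0
    counts = {c: data.count(c) for c in set(data)}
    return -sum(n / len(data) * math.log2(n / len(data)) for n in counts.values())


def classify(token: str) -> str:
    """'hex', 'base64' or '' for tokens that are not candidate secrets."""
    if HEX_RE.match(token):
        return "hex"
    if BASE64_RE.match(token):
        return "base64"
    return ""


def scan_diff(diff: str) -> List[Tuple[str, int, str, float]]:
    """Return (file, new line number, kind, entropy) per suspicious literal.
    Only '+' lines are examined: existing code is assumed clean, so removed
    and context lines are skipped, as a baseline-style check does."""
    findings = []
    path, line_no = "", 0
    for line in diff.splitlines():
        if line.startswith("+++ "):
            path = line[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            continue
        if line.startswith(("--- ", "diff ", "index ", "\\")):
            continue
        hunk = HUNK_RE.match(line)
        if hunk:
            line_no = int(hunk["start"])
            continue
        if line.startswith("-"):
            continue  # removed line: not part of the new code
        if line.startswith("+"):
            for literal in STRING_LITERAL_RE.findall(line[1:]):
                kind = classify(literal)
                if kind and shannon_entropy(literal) >= THRESHOLDS[kind]:
                    findings.append((path, line_no, kind, round(shannon_entropy(literal), 2)))
        line_no += 1  # '+' and ' ' lines both occupy a line in the new file
    return findings


# Constructed diff: the first literal is the placeholder secret key from the
# AWS documentation, the hex token is made up, the "aaaa..." one is a decoy
# that has the right shape but no entropy.
SAMPLE_DIFF = "\n".join([
    "diff --git a/config/settings.py b/config/settings.py",
    "--- a/config/settings.py",
    "+++ b/config/settings.py",
    "@@ -1,4 +1,6 @@",
    " import os",
    " ",
    '-AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]',
    '+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    ' DEFAULT_REGION = "us-west-2"',
    '+PLACEHOLDER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"',
    '+API_TOKEN = "3f9a7c1e2b4d8e0f6a5c9b7d1e3f2a4c"',
])

if __name__ == "__main__":
    for path, line_no, kind, entropy in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{line_no}: possible {kind} secret (entropy {entropy})")
```

Two design points carry over from the slide: the removed line that read the key from the environment is never inspected, because it is not new code, and the low-entropy placeholder is left alone, which is what keeps an entropy check from drowning reviewers in false alerts.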
  17. Takeaways
     • shifting security to the left
     • security-check at build level
       ◦ integrated in the CI/CD pipeline
     • service owners
       ◦ more aware of the security of the service
       ◦ involved in keeping it safe