Ten Container Security Tricks
That Will Help You Sleep At Night
Justin Cormack
Who am I?
Engineer at Docker in Cambridge, UK. Background in both dev and ops.
Work on many projects
• maintainer on moby/moby (formerly docker/docker)
• tech lead on LinuxKit
• containerd
• runc
• Docker for Mac
• security pieces for the engine, e.g. seccomp policies
Cambridge
Tech village in England
You want to sleep soundly?
Ten things?
There are going to be a couple more than ten things here...
So you could try to do at least ten!
Or at least one!
Containers do make security a little easier
• Identifiability – what did I ship?
• Reproducibility – can I ship it again?
• Consistency – can I build it again?
• Agility – can I do all this quickly?
• Usability – can I do it easily?
At Docker we have always tried to ship sensible security defaults that just
work for most cases.
Start with the whole team
No silos
• DevSecOps
• Teams working together to deliver quality software
• Security as an ongoing process not checkboxes
• Ongoing improvements and learning, not blame culture
• More rapid deployment of good practice across all software
Teamwork
• Embed security people in your teams. They need to understand what
your product is doing too.
• If your company is too small to have dedicated security people, assign
someone to be responsible for security in each project and learn!
• Make sure all the team understands the threat model from the start,
and the key risks
• Postmortems when things go wrong, not to blame, but to improve
Four things you can do in development
Don't use --privileged or add capabilities
• docker run --privileged gives the container total control over the host machine
• adding just a few capabilities (e.g. --cap-add SYS_ADMIN) or relaxing the security options (--security-opt seccomp=unconfined or apparmor=unconfined) can amount to the same thing
• don't use setuid code in containers; disable it with --security-opt no-new-privileges, which stops setuid/setgid binaries and file capabilities from granting privileges on exec
• run as a non-root user (USER in the Dockerfile or --user at run time), or use user namespaces (the daemon's userns-remap option) if possible
• don't bind-mount the Docker socket (/var/run/docker.sock) into a container: whoever can talk to the daemon is root on the host
Very rarely you may need to do some of these things, e.g. for some debugging, but these use cases are exceptional.
Use read-only images
• docker run --read-only ...
• nothing can be modified in the container's root filesystem, so a compromised process cannot drop tools or persist there
• any path the application must write goes on a volume or a tmpfs (e.g. --tmpfs /tmp), which makes you understand exactly what configuration and scratch space it expects
Sometimes images don't work read-only; please file an issue with the image maintainers.
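The two slides above (privileged mode and capabilities, read-only root filesystems) describe settings you can check on a running host. The script below is an added example, not code from the talk or from Docker: it audits the JSON that `docker inspect <container>` prints for each of those settings. The field names are the real ones from inspect output; the two sample documents, the image name `example/app:1.0` and the list of "root-equivalent" capabilities are constructed for the example.

```python
"""Audit `docker inspect` output for --privileged, added capabilities,
disabled seccomp/AppArmor profiles, a missing no-new-privileges option,
running as root, a bind-mounted Docker socket and a writable root filesystem.
Added example, not code from the talk or from Docker."""
import json

# Capabilities that on their own get an attacker most of the way to root on
# the host. The set is a judgement call for this example, not a Docker list.
ROOT_EQUIVALENT_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE",
                        "SYS_RAWIO", "DAC_READ_SEARCH", "NET_ADMIN"}


def norm_cap(cap):
    """`--cap-add SYS_ADMIN` and `--cap-add CAP_SYS_ADMIN` mean the same thing."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(doc):
    """Return a list of findings for one container object; [] means it passes."""
    host = doc.get("HostConfig") or {}
    cfg = doc.get("Config") or {}
    findings = []

    if host.get("Privileged"):
        findings.append("privileged: --privileged hands the container full control of the host")

    risky = sorted(c for c in map(norm_cap, host.get("CapAdd") or [])
                   if c in ROOT_EQUIVALENT_CAPS)
    if risky:
        findings.append("cap-add: root-equivalent capabilities added: " + ", ".join(risky))

    # inspect records "no-new-privileges" for --security-opt no-new-privileges,
    # "no-new-privileges:true" or "seccomp=unconfined" for the explicit forms;
    # normalise the separator so both spellings are handled.
    opts = {o.replace(":", "=", 1) for o in host.get("SecurityOpt") or []}
    if not opts & {"no-new-privileges", "no-new-privileges=true"}:
        findings.append("no-new-privileges: not set, so setuid binaries and file "
                        "capabilities can still elevate inside the container")
    for profile in ("seccomp", "apparmor"):
        if profile + "=unconfined" in opts:
            findings.append(profile + ": profile disabled (unconfined)")

    user = (cfg.get("User") or "").strip()
    if user in ("", "root", "0") or user.startswith(("root:", "0:")):
        findings.append("user: runs as root inside the container (set USER in the "
                        "Dockerfile, pass --user, or enable userns-remap)")

    sources = list(host.get("Binds") or []) + \
        [m.get("Source") or "" for m in doc.get("Mounts") or []]
    if any("docker.sock" in s for s in sources):
        findings.append("docker socket: bind-mounting the daemon socket is "
                        "equivalent to root on the host")

    if not host.get("ReadonlyRootfs"):
        findings.append("rootfs: writable; consider --read-only plus --tmpfs for scratch paths")

    return findings


def audit_inspect_json(text):
    """`docker inspect` prints a JSON array; audit every container in it."""
    return {c.get("Name", "?"): audit_container(c) for c in json.loads(text)}


# Constructed sample shaped like `docker inspect` output, roughly what you get for:
#   docker run --privileged --cap-add SYS_ADMIN --security-opt seccomp=unconfined \
#       -v /var/run/docker.sock:/var/run/docker.sock example/app:1.0
BAD_INSPECT = json.dumps([{
    "Name": "/bad",
    "Config": {"User": "", "Image": "example/app:1.0"},
    "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"],
                   "SecurityOpt": ["seccomp=unconfined"],
                   "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                   "ReadonlyRootfs": False},
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
}])

# ... and for the hardened form:
#   docker run --read-only --tmpfs /tmp --user 10001:10001 \
#       --security-opt no-new-privileges example/app:1.0
GOOD_INSPECT = json.dumps([{
    "Name": "/good",
    "Config": {"User": "10001:10001", "Image": "example/app:1.0"},
    "HostConfig": {"Privileged": False, "CapAdd": None,
                   "SecurityOpt": ["no-new-privileges"], "Binds": None,
                   "ReadonlyRootfs": True},
    "Mounts": [{"Type": "tmpfs", "Source": "", "Destination": "/tmp"}],
}])

if __name__ == "__main__":
    for name, findings in audit_inspect_json(BAD_INSPECT).items():
        print(name, *findings, sep="\n  ")
    print("/good", audit_inspect_json(GOOD_INSPECT)["/good"])
```

To run it against real containers, pass the text of `docker inspect $(docker ps -q)` to audit_inspect_json; an empty list for a container means it clears every check on the two slides.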
Use official images where possible
• the official images are well designed
• they are updated for security issues
• they use best practices for the software being packaged
• they are well tested
• minimal
• they use modern OS versions: alpine or stretch (Debian 9, current at the time of this talk)
If there isn't one, try to work with the upstream project and read the guidelines at https://github.com/docker-library/official-images
Use the secrets API
• Do not check secrets into git
• Do not put secrets in environment variables: they show up in docker inspect, in /proc/<pid>/environ, in every child process, and all too easily in logs and crash reports
• Use the Docker secrets API: docker secret create (Swarm mode; the secret is mounted as a file under /run/secrets/ in the container)
• Or the Kubernetes API: kubectl create secret
• Or Vault from HashiCorp
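Both Swarm and Kubernetes deliver a secret to the container as a file, and many official images accept a `<VAR>_FILE` variable holding the path to such a file in place of `<VAR>` itself. The code below is an added example, not from the talk or from Docker: a loader that follows that convention and refuses a secret handed in through the environment, plus a check that flags secret-looking variables in the `Config.Env` list from `docker inspect`. The variable names, the secret value and the temporary directory demo() writes are constructed.

```python
"""Load secrets from mounted files, never from the environment, and flag
environment variables that look like secrets.
Added example, not code from the talk or from Docker."""
import os
import re
import tempfile

# Names that usually carry credentials; tune for your own naming scheme.
SECRET_NAME_RE = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)


def find_env_secrets(env_entries):
    """Given Config.Env from `docker inspect` (a list of "NAME=value" strings),
    return the names that look like secrets passed through the environment.
    NAME_FILE entries hold a path, not a secret, and are not reported."""
    hits = []
    for entry in env_entries or []:
        name, _, value = entry.partition("=")
        if value and SECRET_NAME_RE.search(name) and not name.endswith("_FILE"):
            hits.append(name)
    return hits


def load_secret(name, environ=None, secrets_dir="/run/secrets"):
    """Return the value of secret NAME, read from the file named by NAME_FILE
    or from <secrets_dir>/<name in lower case>. A plain NAME variable is
    refused: it is visible in `docker inspect`, /proc/<pid>/environ and every
    child process."""
    env = os.environ if environ is None else environ
    path = env.get(name + "_FILE") or os.path.join(secrets_dir, name.lower())
    if os.path.isfile(path):
        with open(path, "rb") as f:
            # files written with `echo secret > file` end in a newline; strip it
            data = f.read().rstrip(b"\r\n")
        if not data:
            raise ValueError("secret file %s is empty" % path)
        return data.decode("utf-8")
    if name in env:
        raise LookupError("%s is set in the environment; mount it as a file instead" % name)
    raise LookupError("no secret file at %s and %s_FILE is not set" % (path, name))


def demo():
    """Write a constructed secret into a temporary secrets directory, load it
    both supported ways, and confirm the environment-variable form is refused."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db_password")
        with open(path, "w") as f:
            f.write("constructed-example-password\n")
        via_dir = load_secret("DB_PASSWORD", environ={}, secrets_dir=d)
        via_file_var = load_secret("DB_PASSWORD", environ={"DB_PASSWORD_FILE": path})
        try:
            load_secret("DB_PASSWORD", environ={"DB_PASSWORD": "leaked"},
                        secrets_dir=os.path.join(d, "missing"))
            refused = False
        except LookupError:
            refused = True
    return via_dir, via_file_var, refused


if __name__ == "__main__":
    print(demo())
    print(find_env_secrets(["DB_HOST=db", "DB_PASSWORD=hunter2",
                            "DB_PASSWORD_FILE=/run/secrets/db_password"]))
```

find_env_secrets is the quick way to audit a fleet: feed it the Config.Env list of every container from docker inspect and anything it returns is a secret that should have been a mounted file.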
Dev and Ops as a team
Always be updating
• Automated build pipeline
• Constantly rebuild on base images that carry the latest security fixes
• Update your other dependencies
• the longer you leave updates, the harder they become
Use an image scanning service
Don't try to keep containers running forever
• It is not a competition!
• The more often you update, the harder it is for attackers
• Plus you get the security updates sooner
• Continuous delivery means you get small code improvements out faster
• Always be updating!
Sign your containers
• Once you have automated builds you can start signing
• Guarantees that your processes have been followed
• Can be used for automated promotion of images
• Official images are already signed; check them
• new, easier commands
– docker trust view (replaced in later releases by docker trust inspect --pretty)
– docker trust sign
– docker trust revoke
Set DOCKER_CONTENT_TRUST=1 in the environment and docker pull, run, create, build and push will refuse images that are not signed.
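"Automated promotion" means a pipeline step that only moves a tag to the next stage when the right people have signed it, and then promotes by digest so the mutable tag cannot be swapped underneath it. The gate below is an added example, not from the talk or from Docker: it reads the JSON that `docker trust inspect <image>` prints (an array with one object per image, each with SignedTags entries carrying SignedTag, Digest and Signers) and applies a signer policy. The repository `registry.example.test/team/app`, the signer names `ci` and `security`, the key IDs and the digests in SAMPLE_TRUST are constructed.

```python
"""Gate image promotion on Docker Content Trust signatures.
Added example, not code from the talk or from Docker."""
import json


def repository(name):
    """Strip a trailing ':tag' from an image name without touching a registry port."""
    head, sep, tail = name.rpartition(":")
    return head if sep and "/" not in tail else name


def promotion_decision(trust_json, tag, required_signers):
    """Return (True, 'repo@sha256:...') if `tag` may be promoted, else (False, reason).
    The tag must be signed, and signed by every signer in `required_signers`."""
    doc = json.loads(trust_json)[0]
    for entry in doc.get("SignedTags") or []:
        if entry.get("SignedTag") != tag:
            continue
        missing = set(required_signers) - set(entry.get("Signers") or [])
        if missing:
            return False, "%s: not signed by %s" % (tag, ", ".join(sorted(missing)))
        # promote the exact content, not the tag someone could re-sign later
        return True, "%s@%s" % (repository(doc["Name"]), entry["Digest"])
    return False, "%s: no signature at all" % tag


# Constructed stand-in for `docker trust inspect registry.example.test/team/app`
SAMPLE_TRUST = json.dumps([{
    "Name": "registry.example.test/team/app",
    "SignedTags": [
        {"SignedTag": "1.4.2", "Digest": "sha256:" + "0123456789abcdef" * 4,
         "Signers": ["ci", "security"]},
        {"SignedTag": "1.4.1", "Digest": "sha256:" + "fedcba9876543210" * 4,
         "Signers": ["ci"]},
    ],
    "Signers": [{"Name": "ci", "Keys": [{"ID": "constructed-key-id-1"}]},
                {"Name": "security", "Keys": [{"ID": "constructed-key-id-2"}]}],
    "AdministrativeKeys": [],
}])

# Hypothetical policy: the build pipeline and a security reviewer must both sign.
POLICY = ["ci", "security"]

if __name__ == "__main__":
    for tag in ("1.4.2", "1.4.1", "1.5.0-rc1"):
        ok, detail = promotion_decision(SAMPLE_TRUST, tag, POLICY)
        print("promote" if ok else "reject ", detail)
```

The digest-pinned reference the gate returns is what the next stage should pull and sign in turn; running that pull with DOCKER_CONTENT_TRUST=1 set adds the daemon-side check on top of the pipeline's own.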
Operations
Use a minimal underlying OS
“Use container-specific OSes instead of general-purpose ones to reduce
attack surfaces. When using a container-specific OS, attack surfaces
are typically much smaller than they would be with a general-purpose
OS, so there are fewer opportunities to attack and compromise a
container-specific OS.”
NIST Application Container Security Guide
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf
Failing that, at least make sure the OS is updated.
Advanced
Fuzz test
Test based on your code
• e.g. for web-based code look for XSS vulnerabilities
• look at your code like an attacker
• don't just look at the "happy path"
Always use static analysis tools, e.g. linters. As many as possible... Many of the things they find will not be security issues, but a few may be.
Work together
THANK YOU

Justin Cormack - The 10 Container Security Tricks That Will Help You Sleep At Night - Codemotion Milan 2017
