5. Security Posture
Information security status of an organization based on information assurance resources and defense capabilities
Infosec World 2019
6. How do Applications Contribute to a Security Posture?
• Provide information about environment and usage
• Defense in depth
• Confidentiality, Integrity, Availability
12. You cannot underestimate how much legacy environments are slowing your organization down.
• Increase speed to market
• Enhance efficiency
• Improve quality
• Lower TCO
26. Runtime Security
Least privilege
Newfound control capabilities
Is this your app, or downloaded?
Is the app doing what is expected?
30. Container Security Workflow
Pipeline phases (columns): Assessment / Instrumentation → Test / Staging → Production
Analysis layers (rows): Static Analysis → Runtime Analysis → Runtime Protection

Dev: git commit, git push → New Container built with basic unit test → Insecure Container posted to the Container Registry
Scan Container (Static Analysis): SW Composition, Security Vulnerability Scan → Compliance Enforcement, Pass/Fail
  << FAIL: any failed containers are returned to DevOps (Failed Container) | PASS >>
Instrument Container: inject security probes for N/W, I/O, and App tiers → Instrumented Container inserted into registry
Runtime Analysis (Test / Staging): Instrumented Container runs in observation mode on premise or in cloud → Sec Behavior Templates → Security Policies
Validate Container (Runtime Protection, Production): automated enforcement of Secured Container on premise or in cloud → Security Policy Enforcement
Outputs to SecOps / DevOps: Notifications, Alerts, Insight
31. Qualys Container Security
Phases: BUILD, HOST RUNTIME, REGISTRY
Pre-deployment phase and post-deployment phase
Sensors: Container Sensor; Layered-In Sensor or Container Sensor; Cloud Agent or Scanner Appliances
32. How do we Leverage Excitement to Improve Security?
I’m starting day two of Infosec World hard here.
There may be strong feelings on this statement, maybe some eye rolling.
I’m going to ask you to keep an open mind.
Obvious – vulnerabilities
This is an appsec viewpoint, yeah? Folks will realize that container security, while it can be about infrastructure security, is very relevant to appsec.
Improved control over deployments
Easier scalability
Update your apps easier
Reconfigure on the fly to disable features which may be vulnerable or resource intensive
Better understanding of where your data is and who accesses it
Automate health checks and recovery
All through automation.
Is this a container security talk, or an application security talk?
Unikernels
I had a VC recently ask me this…
There once was a bank not feeling they needed to use containers as they didn’t need to deploy so quickly
Recent examples:
Data volumes accidentally deleted
Taking 3 days to release new versions of software to production
Certificate mismatches
Hours to provision a new VM
Weeks to acquire new hardware
These screenshots are from Layered Insight’s Gitlab installation. This is how we rolled features to production with a single click.
Don’t have to use Gitlab – there’s Jenkins, CircleCI, Bamboo, etc
CI is good, but let’s not stop now! Let’s automate deployment, too
And rollback.
Pair this with Cloud Providers like AWS and Azure, or container orchestration systems like Kubernetes and Docker Swarm
If you have to wait for somebody to do something other than click a button to deploy, there’s space for improvement.
A level of automation has been introduced, frequently without more than a drive-by question to the security team, that can easily overwhelm their capabilities.
A modern application can be made up of tens or hundreds of microservices. Something must be put in place to manage the security signal
Screenshots from Qualys container security product.
I’ve heard companies say they want to just scan and save the results in case something happens because they don’t have staff to review and process.
Screenshot from the Qualys Jenkins plugin for Container Security. It lets you specify triggers for when an image scan "fails" the build.
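The "scan the image, then pass or fail the build" gate from the workflow slide and the Jenkins plugin note above, as an added example written for this page (it is not the plugin's code and not any vendor's scan format). The finding structure, the policy keys, the image name and the VULN-nnnn identifiers are all constructed placeholders; a real gate would read the scanner's own JSON. The point it shows beyond the slide is that a gate needs a policy, not just a scan: severity threshold, a cap on total findings, whether unfixable findings block, and an accepted-risk exception list so a known finding does not stop every build forever.

```python
"""Added example: a CI image-scan gate that turns vulnerability findings into a
pass/fail decision. Scan format, policy keys and sample data are constructed."""
import json
import sys
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class GatePolicy:
    fail_at_or_above: str = "high"       # any finding at this severity or higher blocks
    max_total: int = 50                  # hard cap on total finding count
    require_fix_available: bool = True   # only block on findings the team can act on
    allowed_ids: set = field(default_factory=set)  # accepted-risk exceptions


# Constructed sample scanner output (not a real image, not real vulnerability IDs).
SAMPLE_SCAN = json.loads("""
{"image": "registry.example/payments-api:1.4.2",
 "findings": [
  {"id": "VULN-0001", "package": "openssl", "severity": "critical", "fixed_version": "1.1.1k"},
  {"id": "VULN-0002", "package": "libxml2", "severity": "high",     "fixed_version": null},
  {"id": "VULN-0003", "package": "curl",    "severity": "medium",   "fixed_version": "7.70.0"},
  {"id": "VULN-0004", "package": "bash",    "severity": "low",      "fixed_version": null}
 ]}
""")


def evaluate_scan(scan: dict, policy: GatePolicy) -> dict:
    """Apply the gate policy to one image's findings and return a verdict."""
    threshold = SEVERITY_RANK[policy.fail_at_or_above]
    findings = scan.get("findings", [])
    blocking, accepted = [], []
    for f in findings:
        if f["id"] in policy.allowed_ids:
            accepted.append(f["id"])          # documented, time-boxed exception
            continue
        sev = SEVERITY_RANK.get(str(f.get("severity", "")).lower(), 0)
        if sev < threshold:
            continue                          # below the policy threshold
        if policy.require_fix_available and not f.get("fixed_version"):
            continue                          # nothing the build could do about it yet
        blocking.append(f)

    reasons = []
    if blocking:
        reasons.append(f"{len(blocking)} finding(s) at or above {policy.fail_at_or_above}")
    if len(findings) > policy.max_total:
        reasons.append(f"{len(findings)} findings exceeds cap of {policy.max_total}")

    return {
        "image": scan["image"],
        "pass": not reasons,
        "reasons": reasons,
        "blocking": [f["id"] for f in blocking],
        "accepted": accepted,
    }


if __name__ == "__main__":
    # In a pipeline step the non-zero exit code is what fails the build.
    verdict = evaluate_scan(SAMPLE_SCAN, GatePolicy())
    print(json.dumps(verdict, indent=2))
    sys.exit(0 if verdict["pass"] else 1)
```

With the default policy the sample fails on VULN-0001 only: VULN-0002 is high but has no fixed version, so it is reported but does not block. Adding VULN-0001 to `allowed_ids` is how an accepted risk is recorded in the policy rather than by silencing the scanner.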
Commercial from the 2000 Super Bowl
Policy-based runtime security
Ability to control in ways which previously were very difficult
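The "observation mode, then behavior templates, then policy enforcement" loop from the workflow slide, and the policy-based runtime security point above, as an added example written for this page (it is not the code of the talk's or any vendor's product). The event shape, the service name, the internal host names and the 198.51.100.7 address are constructed; a real system would get these events from the injected N/W, I/O and App probes. It shows what a behavior template actually is (a per-event-kind allowlist learned in staging) and what "Is the app doing what is expected?" looks like at enforcement time: anything outside the template raises an alert carrying the policy's action for that event kind.

```python
"""Added example: learn a container behavior template in observation mode and
enforce it against runtime events. Event format and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class BehaviorTemplate:
    service: str
    # kind -> set of observed values, e.g. "exec" -> {"/usr/bin/node"}
    allowed: dict = field(default_factory=lambda: defaultdict(set))


def learn_template(service: str, observed_events: list) -> BehaviorTemplate:
    """Observation mode: everything the instrumented container did in staging
    becomes the allowlist. Duplicates collapse into the set."""
    template = BehaviorTemplate(service)
    for event in observed_events:
        template.allowed[event["kind"]].add(event["value"])
    return template


def _matches(template: BehaviorTemplate, event: dict) -> bool:
    allowed = template.allowed.get(event["kind"], set())
    if event["kind"] == "write":
        # File writes generalize to the directory that was observed, so a new
        # log file under an observed log directory is not a deviation.
        observed_dirs = {path.rsplit("/", 1)[0] + "/" for path in allowed}
        return any(event["value"].startswith(d) for d in observed_dirs)
    return event["value"] in allowed


# Policy: what to do per event kind when the template is violated.
POLICY_ACTIONS = {"exec": "block", "connect": "block", "write": "alert"}


def enforce(template: BehaviorTemplate, runtime_events: list,
            actions: dict = POLICY_ACTIONS) -> list:
    """Enforcement mode: return one alert per event outside the template."""
    alerts = []
    for event in runtime_events:
        if not _matches(template, event):
            alerts.append({
                "service": template.service,
                "kind": event["kind"],
                "value": event["value"],
                "action": actions.get(event["kind"], "alert"),
            })
    return alerts


# Constructed events captured while the instrumented container ran in staging.
OBSERVED_EVENTS = [
    {"kind": "exec", "value": "/usr/bin/node"},
    {"kind": "exec", "value": "/usr/bin/node"},
    {"kind": "connect", "value": "db.internal:5432"},
    {"kind": "connect", "value": "cache.internal:6379"},
    {"kind": "write", "value": "/app/logs/app.log"},
]

# Constructed production events: three are expected, three are deviations.
RUNTIME_EVENTS = [
    {"kind": "exec", "value": "/usr/bin/node"},
    {"kind": "connect", "value": "db.internal:5432"},
    {"kind": "exec", "value": "/bin/sh"},                 # shell never seen in staging
    {"kind": "connect", "value": "198.51.100.7:4444"},    # unknown outbound destination
    {"kind": "write", "value": "/app/logs/access.log"},   # new file, observed directory
    {"kind": "write", "value": "/etc/passwd"},            # write outside observed paths
]

TEMPLATE = learn_template("payments-api", OBSERVED_EVENTS)

if __name__ == "__main__":
    for alert in enforce(TEMPLATE, RUNTIME_EVENTS):
        print(f"[{alert['action'].upper()}] {alert['service']}: "
              f"unexpected {alert['kind']} {alert['value']}")
```

The template is only as good as the staging coverage that produced it, which is why the slide separates observation (Test/Staging) from enforcement (Production): an event kind that was never exercised in staging shows up as a deviation on the first production run, and the "alert" versus "block" split per kind is what keeps that from becoming an outage.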