SlideShare a Scribd company logo

An In-depth look at application containers

Download as PPTX, PDF
John Kinsella
John Kinsella

Slides for a talk I gave to the NIST cloud security working group on the state of container security. Due to this being a NIST talk, it's without branding or vendor mentions, where possible.

Technology
1 of 33
An In-Depth Look at Application Containers
Overview • A Brief History and Overview of Containers • Security Benefits(?) of Containers • Container Vulnerability Management • Responding to Container Attacks
Containers are not new, but…
Container Adoption Challenges
Source: ClusterHQ Container Adoption Challenges
Container (n): • Software-based isolation, for processes controlling… • Process grouping • Resource usage • What actions a process can take
cgroups
Grouping and constraints
What does a process do? • Auditing (read write audit events) • File access (read, write, create, delete) • Network access (bind, send, receive) • Process management (fork, kill) • Security (MAC) • Debug (tracing) • Administration (system config)
Capabilities • CAP_AUDIT_CONTROL • CAP_AUDIT_READ • CAP_AUDIT_WRITE • CAP_BLOCK_SUSPEND • CAP_CHOWN • CAP_DAC_OVERRIDE • CAP_DAC_READ_SEARCH • CAP_FOWNERCAP_FSETID • CAP_IPC_LOCK • CAP_IPC_OWNER • CAP_KILL • CAP_LEASE • CAP_LINUX_IMMUTABLE • CAP_MAC_ADMIN • CAP_MAC_OVERRIDE • CAP_MKNOD • CAP_NET_ADMIN • CAP_NET_BIND_SERVICE • CAP_NET_BROADCAST • CAP_NET_RAW • CAP_SETGID • CAP_SETFCAP • CAP_SETPCAP
Capabilities Worst to best: • Run with --privileged=true • Run with –cap-add ALL • Run with --cap-drop ALL --cap-add <only needed> • Run as non-root user, unprivileged Useful: capabilities section of documentation container runtimes
Security Benefits of Containers and Microservices • Smaller surface area* • Shorter lifespan* – shorter period when open to attack • More automated process – easier to recreate/redeploy* *(in theory)
Security Benefits of Containers and Microservices • Containerized apps lend themselves to ”12 factor” design 12factor.net
Security Disadvantages of Containers and Microservices • Relatively new technology • Lots of moving parts • Shorter lifespan – this makes investigations more difficult
Results of Twitter Survey
Why Isolate? • Only as secure as your weakest link • What happens if other departments are running in your private cloud? • What happens if other customers are running in your bare metal CaaS?
Unikernels – Hardware Isolated Containers • Build custom VM images to boot bare OS to support single (usually) container
Brief Overview of Container Orchestration
Why Orchestration? • For “real” workloads: • How to launch 500 containers across 20 hosts? • Being aware of resources on each host • Getting storage and networking to right container on the right host • Distribution for speed, efficiency, cost, etc. • As part of a CI/CD process • How to do a rolling update of those 500 live containers to a new sw version?
Lots to Orchestrate Customer VM VM Image Management Networking Customer VM Local Storage NAS/SAN
Lots to Orchestrate Customer VM VM Image Management Networking Customer VM Local Storage NAS/SAN Containers Container Image mgmt Container networking Container storage Host Host Image Mgmt Host Networking Local Storage NAS/SAN
Image Security • Where did an image come from? • Is it an official image? • Is it the right version? • Has somebody modified it?
Host Security • Follow standard hardening processes but only firewall host, not it’s containers • A host itself shouldn’t be “exposed” – there should be no public attack surface. Administer via known private network • One nasty exposure – privileged containers.
Vulnerability Management in a Container World
Managing Security Exposure in Containers
Smaller Image, Less Vulnerabilities • Avoid ”From:$bloatedDistribution” and similar • Software can’t be vulnerable if it’s not installed. An amazingly large percentage of public container images are based on bloated (500mb+) full distributions.
Why? Least Privilege • We want the smallest image possible, when we load it across 100 hosts • The smaller the image, the less exposure for potential vulnerabilities • If the parent image has a vulnerability, everybody based on that parent has to re-spin their image
Seccomp We need to build a list of system calls called by the program… …that we want to succeed • Guess (preferably educated) • RTFM (thanks John!) • Capture behavior – maybe /usr/sbin/strace • Disassembly?
Plan For Container Attacks • Before going to production, think about how you’d investigate an attack • Containers are mostly ephemeral • Collect logs at a central location • Practice identifying and snapshotting problem containers • Don’t forget about data backup/recovery
Thanks – Let’s continue the conversation! @johnlkinsella Slides posted at http://www.slideshare.net/jlkinsel
Addendum • Classification and grouping of system calls http://seclab.cs.sunysb.edu/sekar/papers/syscallclassif.htm
Data Sources • Container Adoption Challenges: RightScale 2016 State of the Cloud • Layered container image: Ubuntu • Namespaces and cgroups images: IBM Data and some graphics provided by:

Recommended

Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the CloudJohn Kinsella
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Container Security
Container SecurityContainer Security
Container SecurityAmazon Web Services
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container SecurityShea Stewart
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container SecuritySuraj Khetani
 
Container Security Essentials
Container Security EssentialsContainer Security Essentials
Container Security EssentialsDNIF
 

Recommended

Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the CloudJohn Kinsella
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Container Security
Container SecurityContainer Security
Container SecurityAmazon Web Services
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container SecurityShea Stewart
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container SecuritySuraj Khetani
 
Container Security Essentials
Container Security EssentialsContainer Security Essentials
Container Security EssentialsDNIF
 
Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Gordon Haff
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 
Containers 101
Containers 101Containers 101
Containers 101Black Duck by Synopsys
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
Container Security
Container SecurityContainer Security
Container SecurityJie Liau
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersJohn Kinsella
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisOW2
 
Advanced Container Security
Advanced Container Security Advanced Container Security
Advanced Container Security Amazon Web Services
 
From Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple StepsFrom Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple StepsDevOps.com
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with FalcoMichael Ducy
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel securitysmart_bit
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers SecurityStephane Woillez
 
Deployment with Ruby on Rails
Deployment with Ruby on RailsDeployment with Ruby on Rails
Deployment with Ruby on RailsJonathan Weiss
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
DockerCon 2016 Recap
DockerCon 2016 RecapDockerCon 2016 Recap
DockerCon 2016 Recapehazlett
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?Manideep Konakandla
 
Is Docker Secure?
Is Docker Secure?Is Docker Secure?
Is Docker Secure?Manideep Konakandla
 
BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017Manideep Konakandla
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
 
Digital Transformation with Kubernetes, Containers, and Microservices
Digital Transformation with Kubernetes, Containers, and MicroservicesDigital Transformation with Kubernetes, Containers, and Microservices
Digital Transformation with Kubernetes, Containers, and MicroservicesLightbend
 

More Related Content

What's hot

Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Gordon Haff
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
Container Security
Container SecurityContainer Security
Container SecurityJie Liau
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersJohn Kinsella
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisOW2
 
From Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple StepsFrom Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple StepsDevOps.com
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with FalcoMichael Ducy
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel securitysmart_bit
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers SecurityStephane Woillez
 
Deployment with Ruby on Rails
Deployment with Ruby on RailsDeployment with Ruby on Rails
Deployment with Ruby on RailsJonathan Weiss
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
DockerCon 2016 Recap
DockerCon 2016 RecapDockerCon 2016 Recap
DockerCon 2016 Recapehazlett
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?Manideep Konakandla
 
BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017Manideep Konakandla
 

What's hot (20)

Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017
 
Container Security
Container SecurityContainer Security
Container Security
 
Containers 101
Containers 101Containers 101
Containers 101
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Container Security
Container SecurityContainer Security
Container Security
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability Scanners
 
Container security
Container securityContainer security
Container security
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
 
Advanced Container Security
Advanced Container Security Advanced Container Security
Advanced Container Security
 
From Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple StepsFrom Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple Steps
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel security
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
 
Deployment with Ruby on Rails
Deployment with Ruby on RailsDeployment with Ruby on Rails
Deployment with Ruby on Rails
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on Linux
 
DockerCon 2016 Recap
DockerCon 2016 RecapDockerCon 2016 Recap
DockerCon 2016 Recap
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
 
How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?
 
Is Docker Secure?
Is Docker Secure?Is Docker Secure?
Is Docker Secure?
 
BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017
 

Similar to An In-depth look at application containers

DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
 
Digital Transformation with Kubernetes, Containers, and Microservices
Digital Transformation with Kubernetes, Containers, and MicroservicesDigital Transformation with Kubernetes, Containers, and Microservices
Digital Transformation with Kubernetes, Containers, and MicroservicesLightbend
 
Software Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced ArchitecturesSoftware Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced ArchitecturesAngelos Kapsimanis
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdfMarlboroAbyad
 
The economies of scaling software - Abdel Remani
The economies of scaling software - Abdel RemaniThe economies of scaling software - Abdel Remani
The economies of scaling software - Abdel Remanijaxconf
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure SecurityRicky Sanders
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summaryKarun Chennuri
 
The Economies of Scaling Software
The Economies of Scaling SoftwareThe Economies of Scaling Software
The Economies of Scaling SoftwareAbdelmonaim Remani
 
BGOUG "Agile Data: revolutionizing database cloning'
BGOUG "Agile Data: revolutionizing database cloning'BGOUG "Agile Data: revolutionizing database cloning'
BGOUG "Agile Data: revolutionizing database cloning'Kyle Hailey
 
Microservices, Kubernetes, and Application Modernization Done Right
Microservices, Kubernetes, and Application Modernization Done RightMicroservices, Kubernetes, and Application Modernization Done Right
Microservices, Kubernetes, and Application Modernization Done RightLightbend
 
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016Shannon Lietz
 
Presentation ING for ISC2 Secure Summits EMEA
Presentation ING for ISC2 Secure Summits EMEAPresentation ING for ISC2 Secure Summits EMEA
Presentation ING for ISC2 Secure Summits EMEAThijs Ebbers
 
Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?DevOps.com
 
Denver devops : enabling DevOps with data virtualization
Denver devops : enabling DevOps with data virtualizationDenver devops : enabling DevOps with data virtualization
Denver devops : enabling DevOps with data virtualizationKyle Hailey
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningStephane Woillez
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...The Incredible Automation Day
 
The State of Kubernetes Security
The State of Kubernetes Security The State of Kubernetes Security
The State of Kubernetes Security Jimmy Mesta
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container SecurityKsenia Peguero
 

Similar to An In-depth look at application containers (20)

DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
 
Digital Transformation with Kubernetes, Containers, and Microservices
Digital Transformation with Kubernetes, Containers, and MicroservicesDigital Transformation with Kubernetes, Containers, and Microservices
Digital Transformation with Kubernetes, Containers, and Microservices
 
Software Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced ArchitecturesSoftware Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced Architectures
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdf
 
The economies of scaling software - Abdel Remani
The economies of scaling software - Abdel RemaniThe economies of scaling software - Abdel Remani
The economies of scaling software - Abdel Remani
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure Security
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summary
 
The Economies of Scaling Software
The Economies of Scaling SoftwareThe Economies of Scaling Software
The Economies of Scaling Software
 
BGOUG "Agile Data: revolutionizing database cloning'
BGOUG "Agile Data: revolutionizing database cloning'BGOUG "Agile Data: revolutionizing database cloning'
BGOUG "Agile Data: revolutionizing database cloning'
 
Microservices, Kubernetes, and Application Modernization Done Right
Microservices, Kubernetes, and Application Modernization Done RightMicroservices, Kubernetes, and Application Modernization Done Right
Microservices, Kubernetes, and Application Modernization Done Right
 
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
 
Presentation ING for ISC2 Secure Summits EMEA
Presentation ING for ISC2 Secure Summits EMEAPresentation ING for ISC2 Secure Summits EMEA
Presentation ING for ISC2 Secure Summits EMEA
 
Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?
 
Denver devops : enabling DevOps with data virtualization
Denver devops : enabling DevOps with data virtualizationDenver devops : enabling DevOps with data virtualization
Denver devops : enabling DevOps with data virtualization
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment Planning
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...
 
The State of Kubernetes Security
The State of Kubernetes Security The State of Kubernetes Security
The State of Kubernetes Security
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 

More from John Kinsella

Removing the Burden of Securing Microservices Through Automation and Visibility
Removing the Burden of Securing Microservices Through Automation and VisibilityRemoving the Burden of Securing Microservices Through Automation and Visibility
Removing the Burden of Securing Microservices Through Automation and VisibilityJohn Kinsella
 
2019 Infosec World Keynote
2019 Infosec World Keynote2019 Infosec World Keynote
2019 Infosec World KeynoteJohn Kinsella
 
Docker security configuration
Docker security configurationDocker security configuration
Docker security configurationJohn Kinsella
 
CloudStack and the HeartBleed vulnerability
CloudStack and the HeartBleed vulnerabilityCloudStack and the HeartBleed vulnerability
CloudStack and the HeartBleed vulnerabilityJohn Kinsella
 
Dont break the glass
Dont break the glassDont break the glass
Dont break the glassJohn Kinsella
 
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...John Kinsella
 
What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?John Kinsella
 

More from John Kinsella (8)

Removing the Burden of Securing Microservices Through Automation and Visibility
Removing the Burden of Securing Microservices Through Automation and VisibilityRemoving the Burden of Securing Microservices Through Automation and Visibility
Removing the Burden of Securing Microservices Through Automation and Visibility
 
2019 Infosec World Keynote
2019 Infosec World Keynote2019 Infosec World Keynote
2019 Infosec World Keynote
 
Docker security configuration
Docker security configurationDocker security configuration
Docker security configuration
 
CloudStack and the HeartBleed vulnerability
CloudStack and the HeartBleed vulnerabilityCloudStack and the HeartBleed vulnerability
CloudStack and the HeartBleed vulnerability
 
Dont break the glass
Dont break the glassDont break the glass
Dont break the glass
 
CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack Secured
 
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
 
What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?
 

Recently uploaded

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 

Recently uploaded (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 

An In-depth look at application containers

  • 1. An In-Depth Look at Application Containers
  • 2. Overview • A Brief History and Overview of Containers • Security Benefits(?) of Containers • Container Vulnerability Management • Responding to Container Attacks
  • 3. Containers are not new, but…
  • 6. Container (n): • Software-based isolation, for processes controlling… • Process grouping • Resource usage • What actions a process can take
  • 9. What does a process do? • Auditing (read write audit events) • File access (read, write, create, delete) • Network access (bind, send, receive) • Process management (fork, kill) • Security (MAC) • Debug (tracing) • Administration (system config)
  • 10. Capabilities • CAP_AUDIT_CONTROL • CAP_AUDIT_READ • CAP_AUDIT_WRITE • CAP_BLOCK_SUSPEND • CAP_CHOWN • CAP_DAC_OVERRIDE • CAP_DAC_READ_SEARCH • CAP_FOWNERCAP_FSETID • CAP_IPC_LOCK • CAP_IPC_OWNER • CAP_KILL • CAP_LEASE • CAP_LINUX_IMMUTABLE • CAP_MAC_ADMIN • CAP_MAC_OVERRIDE • CAP_MKNOD • CAP_NET_ADMIN • CAP_NET_BIND_SERVICE • CAP_NET_BROADCAST • CAP_NET_RAW • CAP_SETGID • CAP_SETFCAP • CAP_SETPCAP
  • 11. Capabilities Worst to best: • Run with --privileged=true • Run with –cap-add ALL • Run with --cap-drop ALL --cap-add <only needed> • Run as non-root user, unprivileged Useful: capabilities section of documentation container runtimes
  • 12. Security Benefits of Containers and Microservices • Smaller surface area* • Shorter lifespan* – shorter period when open to attack • More automated process – easier to recreate/redeploy* *(in theory)
  • 13. Security Benefits of Containers and Microservices • Containerized apps lend themselves to ”12 factor” design 12factor.net
  • 14. Security Disadvantages of Containers and Microservices • Relatively new technology • Lots of moving parts • Shorter lifespan – this makes investigations more difficult
  • 16.
  • 17. Why Isolate? • Only as secure as your weakest link • What happens if other departments are running in your private cloud? • What happens if other customers are running in your bare metal CaaS?
  • 18. Unikernels – Hardware Isolated Containers • Build custom VM images to boot bare OS to support single (usually) container
  • 19. Brief Overview of Container Orchestration
  • 20. Why Orchestration? • For “real” workloads: • How to launch 500 containers across 20 hosts? • Being aware of resources on each host • Getting storage and networking to right container on the right host • Distribution for speed, efficiency, cost, etc. • As part of a CI/CD process • How to do a rolling update of those 500 live containers to a new sw version?
  • 21. Lots to Orchestrate Customer VM VM Image Management Networking Customer VM Local Storage NAS/SAN
  • 22. Lots to Orchestrate Customer VM VM Image Management Networking Customer VM Local Storage NAS/SAN Containers Container Image mgmt Container networking Container storage Host Host Image Mgmt Host Networking Local Storage NAS/SAN
  • 23. Image Security • Where did an image come from? • Is it an official image? • Is it the right version? • Has somebody modified it?
  • 24. Host Security • Follow standard hardening processes but only firewall host, not it’s containers • A host itself shouldn’t be “exposed” – there should be no public attack surface. Administer via known private network • One nasty exposure – privileged containers.
  • 25. Vulnerability Management in a Container World
  • 26. Managing Security Exposure in Containers
  • 27. Smaller Image, Less Vulnerabilities • Avoid ”From:$bloatedDistribution” and similar • Software can’t be vulnerable if it’s not installed. An amazingly large percentage of public container images are based on bloated (500mb+) full distributions.
  • 28. Why? Least Privilege • We want the smallest image possible, when we load it across 100 hosts • The smaller the image, the less exposure for potential vulnerabilities • If the parent image has a vulnerability, everybody based on that parent has to re-spin their image
  • 29. Seccomp We need to build a list of system calls called by the program… …that we want to succeed • Guess (preferably educated) • RTFM (thanks John!) • Capture behavior – maybe /usr/sbin/strace • Disassembly?
  • 30. Plan For Container Attacks • Before going to production, think about how you’d investigate an attack • Containers are mostly ephemeral • Collect logs at a central location • Practice identifying and snapshotting problem containers • Don’t forget about data backup/recovery
  • 31. Thanks – Let’s continue the conversation! @johnlkinsella Slides posted at http://www.slideshare.net/jlkinsel
  • 32. Addendum • Classification and grouping of system calls http://seclab.cs.sunysb.edu/sekar/papers/syscallclassif.htm
  • 33. Data Sources • Container Adoption Challenges: RightScale 2016 State of the Cloud • Layered container image: Ubuntu • Namespaces and cgroups images: IBM Data and some graphics provided by:

Editor's Notes

  1. Write-in: Provenance of containers
  2. We believe first compromised Docker-powered containers were running ElasticSearch