16. How do Applications Contribute to a Security Posture?
• Information about environment and usage
• Defense in depth
• Confidentiality, Integrity, Availability
16 Security Leadership Exchange 2019
33. Cat Herding, 2019
Containers aren’t only in a cluster.
What tools are in use?
How to provide/enforce standards
35. Container Security Workflow
[Diagram: Container Security Workflow. Recovered labels only; the pipeline is drawn across three phases, Assessment/Instrumentation, Test/Staging and Production, corresponding to Static Analysis, Runtime Analysis and Runtime Protection, with the Container Registry at the center.]
• Dev: git commit, git push; new container build with basic unit test; New Container; Insecure Container posted to registry.
• Scan Container: SW Composition, Security Vulnerability Scan; << FAIL | PASS >>; any failed containers (Failed Container) are returned to DevOps.
• Instrument Container: inject security probes for N/W, I/O and App tiers; Sec Behavior Templates; Security Policies; Instrumented Container inserted into registry.
• Test/Staging: Instrumented Container runs in observation mode on premise or in cloud.
• Validate Container: Compliance Enforcement, Pass/Fail; Secured Container; automated enforcement of Secured Container on premise or in cloud; Security Policy Enforcement.
• SecOps / DevOps: Notifications, Alerts, Insight.
Show of hands – who here’s seen me talk before?
Anybody familiar with Application Security Weekly?
Familiar with Qualys?
There once was a bank not feeling they needed to use containers as they didn’t need to deploy so quickly
Recent examples:
Data volumes accidentally deleted
Taking 3 days to release new versions of software to production
Certificate mismatches
Hours to provision a new VM
Weeks to acquire new hardware
DON’T RUN K8S IF YOU DON’T HAVE TO
I’m starting day two of Infosec World hard here.
There may be strong feelings on this statement, maybe some eye rolling.
I’m going to ask you to keep an open mind.
Obvious – vulnerabilities
This is an appsec viewpoint, yeah? Folks will realize that container security, while it can be about infrastructure security, is very relevant to appsec.
Improved control over deployments
Easier scalability
Update your apps easier
Reconfigure on the fly to disable features which may be vulnerable or resource intensive
Better understanding of where your data is and who accesses it
Automate health checks and recovery
All through automation.
A level of automation has been introduced, frequently without more than a drive-by question to the security team, that can easily overwhelm their capabilities.
Screenshot from the Qualys Jenkins plugin for Container Security. It lets you specify the triggers that decide when an image scan “fails” the build.
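As an added illustration of that kind of fail trigger (example code written for these notes, not the Qualys plugin’s own implementation or report format), the gate below reads a constructed image-scan report, applies configurable severity and patch-availability thresholds, and fails closed when the scan did not complete or a finding has no usable severity, so the container is returned to DevOps rather than waved through.

```python
import json
from dataclasses import dataclass

# Constructed sample report; the shape is hypothetical, not the plugin's real output.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.internal/payments/api:1.4.2",
    "scanStatus": "COMPLETE",
    "vulnerabilities": [
        {"id": "VULN-0001", "severity": 5, "patchAvailable": True},
        {"id": "VULN-0002", "severity": 4, "patchAvailable": False},
        {"id": "VULN-0003", "severity": 2, "patchAvailable": True},
    ],
})


@dataclass(frozen=True)
class GatePolicy:
    """Build-fail triggers on a 1-5 severity scale (assumed scale)."""
    fail_on_severity: int = 5               # any finding at/above this severity fails
    max_high: int = 0                       # how many severity-4 findings are tolerated
    fail_on_patchable_at_or_above: int = 4  # patchable findings at/above this fail


def evaluate_gate(report_json: str, policy: GatePolicy) -> tuple[str, list[str]]:
    """Return ("PASS" | "FAIL", reasons). Incomplete or unknown data fails closed."""
    report = json.loads(report_json)
    if report.get("scanStatus") != "COMPLETE":
        return "FAIL", [f"scan status is {report.get('scanStatus')!r}, not COMPLETE"]
    reasons: list[str] = []
    high_count = 0
    for v in report.get("vulnerabilities", []):
        sev = v.get("severity")
        if not isinstance(sev, int):
            reasons.append(f"{v.get('id')}: unknown severity, failing closed")
            continue
        if sev >= policy.fail_on_severity:
            reasons.append(f"{v.get('id')}: severity {sev} >= {policy.fail_on_severity}")
        if sev == 4:
            high_count += 1
        if v.get("patchAvailable") and sev >= policy.fail_on_patchable_at_or_above:
            reasons.append(f"{v.get('id')}: patch available at severity {sev}")
    if high_count > policy.max_high:
        reasons.append(f"{high_count} high-severity findings exceed limit {policy.max_high}")
    return ("FAIL" if reasons else "PASS"), reasons


if __name__ == "__main__":
    verdict, why = evaluate_gate(SAMPLE_REPORT, GatePolicy())
    print(verdict, *why, sep="\n  ")
```

In a CI step, a "FAIL" verdict would stop the build and hand the reasons back to the developers, which is the return-to-DevOps path in the workflow diagram.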
This sounds like an inventory question, and it is partially…
A modern application can be made up of tens or hundreds of microservices. Something must be put in place to manage the security signal