7. 7
Image Build Practice (1/2)
◎ Minimal Base Images
◎ Least Privileged User
◎ Use Fixed Tags
◎ Sign/Verify Images (Docker Notary)
◎ Don’t Contain Sensitive Information
Ref
8. 8
Image Build Practice (2/2)
◎ Use COPY Instead of ADD
◎ Use Metadata Labels
◎ Multi-Stage Build Small/Secure Images
◎ Use Linter (hadolint)
◎ Find/Fix/Monitor Vulnerabilities
Ref
9. How to Find Vulnerabilities?
◎ Of Course! Scanning!
◎ Commercial V.S. Open Source
◎ Open Source: Anchor, Clair, Trivy...
9
10. Scan Coverage
◎ OS Packages
○ Alpine, Red Hat Universal Base Image, Red Hat
Enterprise Linux, CentOS, Debian and Ubuntu
◎ Application Dependencies
○ Bundler, Composer, Pipenv, Poetry, npm, yarn and
Cargo
10
11. Try to Use It! (1/2)
11
~$ docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy
python:alpine3.10
12. Try to Use It! (2/2)
12
~$ docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy
golang:1.12.9-buster
13. DevSecOps
◎ Integrate with CI/CD Framework, e.g. if Find
Critical Vulnerability then Fail the Pipeline
◎ Don’t Forget Store the Vulnerability
Database/Data
◎ Use Json Format Output to Generate
Report
13
15. Regular Vulnerability Assessment
◎ Process of Defining, Identifying, Classifying
and Prioritizing Vulnerabilities
◎ Information on the Security Weaknesses in
its environment
◎ Assess the Risks Associated with those
Weaknesses and Evolving Threats
15
18. HashiCorp Vault
◎ Secures, stores, and tightly controls access
to tokens, passwords, certificates, API keys
◎ Handles leasing, key revocation, key rolling,
and auditing
18
19. Ideal Credential Lifecycle
Service is Accessed
Application
1. Request Access Credential (Running)
2. Use the Credential to Access Service
3. Revoke the Credential
Credentials Only
Exist in Memory
19
20. Authentication
◎ Vault provide various auth method
○ Tokens, AppRole
○ AWS, Azure, Google Cloud
○ LDAP, GitHub ...etc
20
21. Authorization
◎ Vault store credentials like key/value DB, e.g.
○ /secret/stag/database/admin
○ /secret/prod/database/admin
◎ Hence, predefined policy grant appropriate
permission, e.g.
path "secret/stag/database/admin" {
capabilities = ["read"]
} 21
22. Dynamic Credentials
◎ Vault support many secret backend
○ AWS, Azure, GCP, Database...etc
◎ Take database for example, you could generate
dynamic database credentials
$ vault read database/creds/my-role
Key Value
--- -----
lease_duration 1h
password 8cab931c-d62e-a73d-60d3-5ee85139cd66
username v-root-e2978cd0- 22
37. Enforcement Runtime Security Tools
◎ Using the Policy to Change the Behavior of
a Process by Preventing System Calls from
Succeeding
○ Pod Security Policy
○ AppArmor
○ Seccomp
37
38. 38
Pod Security Policies
◎ Define a Set of Conditions that a Pod Must
Run With in Order to be Accepted Into the
System
○ Usage of volume types
○ Usage of host networking and ports
○ The user and group IDs of the container
○ ... Ref
39. How to Use PSP
(Cluster)Role
(Cluster)RoleBinding For Pod
For Deployment, ...
Create
Use
With
39
40. When a Pod Created...
◎ The PSP is Enabled, Pod Don’t Use the PSP
-> Fail
◎ The PSP is Enabled, Pod Can Use the PSP,
Pod Don’t Follow PSP -> Fail
◎ The PSP is Enabled, Pod Can Use the PSP,
Pod Follow PSP -> Success
40
41. Auditing Runtime Security Tools
◎ Using the Policy to Monitor the Behavior of
a Process and Notify when its behavior
steps outside the policy
○ Falco
○ Auditd
41
42. Falco
◎ A Behavioral Activity Monitor Designed to
Detect Anomalous Activity in Your
Applications
42
44. Falco Rules
- macro: access_file
condition: evt.type=open
- rule: program_accesses_file
desc: track whenever a set of programs opens a file
condition: proc.name in (cat, ls) and (access_file)
output: a tracked program opened a file (user=%user.name
command=%proc.cmdline file=%fd.name)
priority: INFO
44
45. Falco V.S. Others
Falco Others
User Space Kernel Level
Kill/Suspend/Starve the Falco
Process
Replacing a loaded set of
policies or BPF program in the
kernel is probably more difficult
Much Richer Set of Information
Powering Its Policies
Those Types of Policies are
More Difficult to Implement at
the Kernel Level
45
48. Open Policy Agent
◎ A general-purpose Policy Engine that Helps Solve Use
Cases Ranging From Authorization and Admission
Control to Resource Placement.
○ Kubernetes Admission Control
○ HTTP API Authorization
○ Remote Access
○ Data Filtering with Partial Evaluation
48
50. Finally Not YAML
◎ Rego was Inspired by Datalog, Which is a
Well Understood, Decades Old Query
Language
◎ Rego Queries are Assertions on Data Stored
in OPA
50
Ref