SlideShare uma empresa Scribd logo

Justin Cormack - The 10 Container Security Tricks That Will Help You Sleep At Night - Codemotion Milan 2017

Codemotion
Codemotion

Containers, and the tooling around them, make some parts of application security that much easier. There are some simple things you can do to make a substantial difference to the security of your applications without making any big changes to what you do. This talk will give you some small changes you can make in a few hours that will make it that much more difficult to hack your applications.

Tecnologia
1 de 27
Baixar para ler offline
Ten Container Security Tricks That Will Help You Sleep At Night Justin Cormack
Who am I? Engineer at Docker in Cambridge, UK. Background both dev and ops. Work on many projects • maintainer on moby/moby formerly docker/docker • tech lead on LinuxKit • containerD • runC • Docker for Mac • security pieces for engine eg seccomp policies etc 2
Cambridge Tech village in England 3
You want to sleep soundly?
Ten things? There are going to be a couple more than ten things here... So you could try to do at least ten! Or at least one! 6
Containers do make security a little easier • Identifiability – what did I ship? • Reproducibility – can I ship it again? • Consistency – can I build it again? • Agility – can I do all this quickly? • Usability – can I do it easily? At Docker we have always tried to ship sensible security defaults that just work for most cases. 7
Start with the whole team
No silos • DevSecOps • Teams working together to deliver quality software • Security as an ongoing process not checkboxes • Ongoing improvements and learning, not blame culture • More rapid deployment of good practise across all software 9
Teamwork • Embed security people in your teams. They need to understand what your product is doing too. • If your company is too small to have dedicated security people, assign someone to be responsible for security in each project and learn! • Make sure all the team understands the threat model from the start, and the key risks • Postmortems when things go wrong, not to blame, but to improve 10
four things you can do in development
Don't use privileged and capabilities • docker run --privileged gives you total control over the machine • adding just a few capabilities and security options does the same • don't use setuid code in containers, disable with --security-opt=no-new-privileges • run as a non root user or use user namespaces if possible • don't bind the Docker socket into a container Very rarely you may need to do some of these things, eg for some debugging, but these use cases are exceptional. 12
Use read only images • docker run --read-only ... • nothing can be modified in the container root filesystem • understand exactly what configuration is expected Sometimes images don't work, please file an issue. 13
Use official images where possible • the official images are well designed • they are updated for security issues • they use best practises for the software being packaged • they are well tested • minimal • they use modern OS versions, use alpine or stretch If there isn't one try to work with upstream project and read the guidelines https://github.com/docker-library/official-images 14
Use the secrets API • Do not check secrets into git • Do not put secrets in environment variables • Use the docker secrets API docker secret create • Or the Kubernetes API kubectl create secret • Or Vault from Hashicorp 15
Dev and Ops as a team
Always be updating • Automated build pipeline • Constantly be updating base images with security fixes • Update your other dependencies • the longer you leave updates the harder they become 17
Use an image scanning service 18
Don't try to keep containers running forever • It is not a competition! • The more often you update the harder it is for attackers • Plus you get the security updates sooner • Continuous delivery means you get small code improvements out faster • Always be updating! 19
Sign your containers • Once you have automated builds you can start signing • Guarantee that processes have been followed • Can use for automated promotion of images • Official images already signed, check them • new easier commands – docker trust view – docker trust sign – docker trust revoke 20
Operations
Use a minimal underlying OS “Use container-specific OSes instead of general-purpose ones to reduce attack surfaces. When using a container-specific OS, attack surfaces are typically much smaller than they would be with a general-purpose OS, so there are fewer opportunities to attack and compromise a container-specific OS.” NIST Application Container Security Guide http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf Failing that, at least make sure the OS is updated. 22
Advanced
Fuzz test 24
Test based on your code • eg for web based code look for XSS vulnerabilities • look at your code like an attacker • don't just look at the "happy path" Always use static analysis tools, eg linters. As many as possible... Many of the things they find will not be security issues, but a few may be. 25
Work together
THANK YOU

Recomendados

Jacopo Nardiello - Monitoring Cloud-Native applications with Prometheus - Cod...
Jacopo Nardiello - Monitoring Cloud-Native applications with Prometheus - Cod...Jacopo Nardiello - Monitoring Cloud-Native applications with Prometheus - Cod...
Jacopo Nardiello - Monitoring Cloud-Native applications with Prometheus - Cod...Codemotion
 
Docker for Ops - Scott Coulton, Puppet
Docker for Ops - Scott Coulton, PuppetDocker for Ops - Scott Coulton, Puppet
Docker for Ops - Scott Coulton, PuppetDocker, Inc.
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDocker, Inc.
 
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, DockerBuilding a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, DockerDocker, Inc.
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel securitysmart_bit
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
From Arm to Z: Building, Shipping, and Running a Multi-platform Docker Swarm ...
From Arm to Z: Building, Shipping, and Running a Multi-platform Docker Swarm ...From Arm to Z: Building, Shipping, and Running a Multi-platform Docker Swarm ...
From Arm to Z: Building, Shipping, and Running a Multi-platform Docker Swarm ...Docker, Inc.
 
Docker for Devs - John Zaccone, IBM
Docker for Devs - John Zaccone, IBMDocker for Devs - John Zaccone, IBM
Docker for Devs - John Zaccone, IBMDocker, Inc.
 

Recomendados

Jacopo Nardiello - Monitoring Cloud-Native applications with Prometheus - Cod...
Jacopo Nardiello - Monitoring Cloud-Native applications with Prometheus - Cod...Jacopo Nardiello - Monitoring Cloud-Native applications with Prometheus - Cod...
Jacopo Nardiello - Monitoring Cloud-Native applications with Prometheus - Cod...Codemotion
 
Docker for Ops - Scott Coulton, Puppet
Docker for Ops - Scott Coulton, PuppetDocker for Ops - Scott Coulton, Puppet
Docker for Ops - Scott Coulton, PuppetDocker, Inc.
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDocker, Inc.
 
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, DockerBuilding a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, DockerDocker, Inc.
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel securitysmart_bit
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
From Arm to Z: Building, Shipping, and Running a Multi-platform Docker Swarm ...
From Arm to Z: Building, Shipping, and Running a Multi-platform Docker Swarm ...From Arm to Z: Building, Shipping, and Running a Multi-platform Docker Swarm ...
From Arm to Z: Building, Shipping, and Running a Multi-platform Docker Swarm ...Docker, Inc.
 
Docker for Devs - John Zaccone, IBM
Docker for Devs - John Zaccone, IBMDocker for Devs - John Zaccone, IBM
Docker for Devs - John Zaccone, IBMDocker, Inc.
 
Global Operations with Docker for the Enterprise - Nico Kabar, Docker
Global Operations with Docker for the Enterprise - Nico Kabar, DockerGlobal Operations with Docker for the Enterprise - Nico Kabar, Docker
Global Operations with Docker for the Enterprise - Nico Kabar, DockerDocker, Inc.
 
Android Meets Docker
Android Meets DockerAndroid Meets Docker
Android Meets DockerDocker, Inc.
 
Build Your Own SaaS using Docker
Build Your Own SaaS using DockerBuild Your Own SaaS using Docker
Build Your Own SaaS using DockerJulien Barbier
 
OSCON: Unikernels and Docker: From revolution to evolution
OSCON: Unikernels and Docker: From revolution to evolutionOSCON: Unikernels and Docker: From revolution to evolution
OSCON: Unikernels and Docker: From revolution to evolutionDocker, Inc.
 
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...Docker, Inc.
 
Turbocharged Java with Quarkus | JakartaOne Livestream
Turbocharged Java with Quarkus | JakartaOne Livestream Turbocharged Java with Quarkus | JakartaOne Livestream
Turbocharged Java with Quarkus | JakartaOne LivestreamJakarta_EE
 
Containers & Security
Containers & SecurityContainers & Security
Containers & SecurityAll Things Open
 
Advanced Docker Developer Workflows on MacOS X and Windows
Advanced Docker Developer Workflows on MacOS X and WindowsAdvanced Docker Developer Workflows on MacOS X and Windows
Advanced Docker Developer Workflows on MacOS X and WindowsAnil Madhavapeddy
 
What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea Luzzardi
What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea LuzzardiWhat's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea Luzzardi
What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea LuzzardiMike Goelzer
 
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonEffective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonDocker, Inc.
 
Docker Meetup 08 03-2016
Docker Meetup 08 03-2016Docker Meetup 08 03-2016
Docker Meetup 08 03-2016Docker
 
KubeCon EU 2016: Killing containers to make weather beautiful
KubeCon EU 2016: Killing containers to make weather beautifulKubeCon EU 2016: Killing containers to make weather beautiful
KubeCon EU 2016: Killing containers to make weather beautifulKubeAcademy
 
How to be successful running Docker in Production
How to be successful running Docker in ProductionHow to be successful running Docker in Production
How to be successful running Docker in ProductionDocker, Inc.
 
Modernizing .NET Apps
Modernizing .NET AppsModernizing .NET Apps
Modernizing .NET AppsDocker, Inc.
 
Continuous Security in DevOps
Continuous Security in DevOpsContinuous Security in DevOps
Continuous Security in DevOpsMaciej Lasyk
 
PaaSTA: Running applications at Yelp
PaaSTA: Running applications at YelpPaaSTA: Running applications at Yelp
PaaSTA: Running applications at YelpNathan Handler
 
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...Docker, Inc.
 
Oded Coster - Stack Overflow behind the scenes - how it's made - Codemotion M...
Oded Coster - Stack Overflow behind the scenes - how it's made - Codemotion M...Oded Coster - Stack Overflow behind the scenes - how it's made - Codemotion M...
Oded Coster - Stack Overflow behind the scenes - how it's made - Codemotion M...Codemotion
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
 
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov Docker, Inc.
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsBad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsPriyanka Aash
 

Mais conteúdo relacionado

Mais procurados

Global Operations with Docker for the Enterprise - Nico Kabar, Docker
Global Operations with Docker for the Enterprise - Nico Kabar, DockerGlobal Operations with Docker for the Enterprise - Nico Kabar, Docker
Global Operations with Docker for the Enterprise - Nico Kabar, DockerDocker, Inc.
 
Android Meets Docker
Android Meets DockerAndroid Meets Docker
Android Meets DockerDocker, Inc.
 
Build Your Own SaaS using Docker
Build Your Own SaaS using DockerBuild Your Own SaaS using Docker
Build Your Own SaaS using DockerJulien Barbier
 
OSCON: Unikernels and Docker: From revolution to evolution
OSCON: Unikernels and Docker: From revolution to evolutionOSCON: Unikernels and Docker: From revolution to evolution
OSCON: Unikernels and Docker: From revolution to evolutionDocker, Inc.
 
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...Docker, Inc.
 
Turbocharged Java with Quarkus | JakartaOne Livestream
Turbocharged Java with Quarkus | JakartaOne Livestream Turbocharged Java with Quarkus | JakartaOne Livestream
Turbocharged Java with Quarkus | JakartaOne LivestreamJakarta_EE
 
Advanced Docker Developer Workflows on MacOS X and Windows
Advanced Docker Developer Workflows on MacOS X and WindowsAdvanced Docker Developer Workflows on MacOS X and Windows
Advanced Docker Developer Workflows on MacOS X and WindowsAnil Madhavapeddy
 
What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea Luzzardi
What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea LuzzardiWhat's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea Luzzardi
What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea LuzzardiMike Goelzer
 
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonEffective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonDocker, Inc.
 
Docker Meetup 08 03-2016
Docker Meetup 08 03-2016Docker Meetup 08 03-2016
Docker Meetup 08 03-2016Docker
 
KubeCon EU 2016: Killing containers to make weather beautiful
KubeCon EU 2016: Killing containers to make weather beautifulKubeCon EU 2016: Killing containers to make weather beautiful
KubeCon EU 2016: Killing containers to make weather beautifulKubeAcademy
 
How to be successful running Docker in Production
How to be successful running Docker in ProductionHow to be successful running Docker in Production
How to be successful running Docker in ProductionDocker, Inc.
 
Modernizing .NET Apps
Modernizing .NET AppsModernizing .NET Apps
Modernizing .NET AppsDocker, Inc.
 
Continuous Security in DevOps
Continuous Security in DevOpsContinuous Security in DevOps
Continuous Security in DevOpsMaciej Lasyk
 
PaaSTA: Running applications at Yelp
PaaSTA: Running applications at YelpPaaSTA: Running applications at Yelp
PaaSTA: Running applications at YelpNathan Handler
 
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...Docker, Inc.
 
Oded Coster - Stack Overflow behind the scenes - how it's made - Codemotion M...
Oded Coster - Stack Overflow behind the scenes - how it's made - Codemotion M...Oded Coster - Stack Overflow behind the scenes - how it's made - Codemotion M...
Oded Coster - Stack Overflow behind the scenes - how it's made - Codemotion M...Codemotion
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
 
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov Docker, Inc.
 

Mais procurados (20)

Global Operations with Docker for the Enterprise - Nico Kabar, Docker
Global Operations with Docker for the Enterprise - Nico Kabar, DockerGlobal Operations with Docker for the Enterprise - Nico Kabar, Docker
Global Operations with Docker for the Enterprise - Nico Kabar, Docker
 
Android Meets Docker
Android Meets DockerAndroid Meets Docker
Android Meets Docker
 
Build Your Own SaaS using Docker
Build Your Own SaaS using DockerBuild Your Own SaaS using Docker
Build Your Own SaaS using Docker
 
OSCON: Unikernels and Docker: From revolution to evolution
OSCON: Unikernels and Docker: From revolution to evolutionOSCON: Unikernels and Docker: From revolution to evolution
OSCON: Unikernels and Docker: From revolution to evolution
 
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
 
Turbocharged Java with Quarkus | JakartaOne Livestream
Turbocharged Java with Quarkus | JakartaOne Livestream Turbocharged Java with Quarkus | JakartaOne Livestream
Turbocharged Java with Quarkus | JakartaOne Livestream
 
Containers & Security
Containers & SecurityContainers & Security
Containers & Security
 
Advanced Docker Developer Workflows on MacOS X and Windows
Advanced Docker Developer Workflows on MacOS X and WindowsAdvanced Docker Developer Workflows on MacOS X and Windows
Advanced Docker Developer Workflows on MacOS X and Windows
 
What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea Luzzardi
What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea LuzzardiWhat's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea Luzzardi
What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea Luzzardi
 
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonEffective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
 
Docker Meetup 08 03-2016
Docker Meetup 08 03-2016Docker Meetup 08 03-2016
Docker Meetup 08 03-2016
 
KubeCon EU 2016: Killing containers to make weather beautiful
KubeCon EU 2016: Killing containers to make weather beautifulKubeCon EU 2016: Killing containers to make weather beautiful
KubeCon EU 2016: Killing containers to make weather beautiful
 
How to be successful running Docker in Production
How to be successful running Docker in ProductionHow to be successful running Docker in Production
How to be successful running Docker in Production
 
Modernizing .NET Apps
Modernizing .NET AppsModernizing .NET Apps
Modernizing .NET Apps
 
Continuous Security in DevOps
Continuous Security in DevOpsContinuous Security in DevOps
Continuous Security in DevOps
 
PaaSTA: Running applications at Yelp
PaaSTA: Running applications at YelpPaaSTA: Running applications at Yelp
PaaSTA: Running applications at Yelp
 
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
 
Oded Coster - Stack Overflow behind the scenes - how it's made - Codemotion M...
Oded Coster - Stack Overflow behind the scenes - how it's made - Codemotion M...Oded Coster - Stack Overflow behind the scenes - how it's made - Codemotion M...
Oded Coster - Stack Overflow behind the scenes - how it's made - Codemotion M...
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok
 
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
 

Destaque

Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsBad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsPriyanka Aash
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container SecurityShea Stewart
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
Composable architectures The Lego of IT - Alessandro David
Composable architectures The Lego of IT - Alessandro DavidComposable architectures The Lego of IT - Alessandro David
Composable architectures The Lego of IT - Alessandro DavidCodemotion
 
Mobile UX for user engagement and monetization - Emilia Ciardi - Codemotion R...
Mobile UX for user engagement and monetization - Emilia Ciardi - Codemotion R...Mobile UX for user engagement and monetization - Emilia Ciardi - Codemotion R...
Mobile UX for user engagement and monetization - Emilia Ciardi - Codemotion R...Codemotion
 
Francesco Arcieri - La monetizzazione delle API - Codemotion Milan 2017
Francesco Arcieri - La monetizzazione delle API - Codemotion Milan 2017Francesco Arcieri - La monetizzazione delle API - Codemotion Milan 2017
Francesco Arcieri - La monetizzazione delle API - Codemotion Milan 2017Codemotion
 
Dark patterns and mobile UX design - Emilia Ciardi - Codemotion Amsterdam 2017
Dark patterns and mobile UX design - Emilia Ciardi - Codemotion Amsterdam 2017Dark patterns and mobile UX design - Emilia Ciardi - Codemotion Amsterdam 2017
Dark patterns and mobile UX design - Emilia Ciardi - Codemotion Amsterdam 2017Codemotion
 
Tomer Elmalem - GraphQL APIs: REST in Peace - Codemotion Milan 2017
Tomer Elmalem - GraphQL APIs: REST in Peace - Codemotion Milan 2017Tomer Elmalem - GraphQL APIs: REST in Peace - Codemotion Milan 2017
Tomer Elmalem - GraphQL APIs: REST in Peace - Codemotion Milan 2017Codemotion
 
From Doctor to Coder: A Whole New World? - Aisha Sie - Codemotion Amsterdam 2017
From Doctor to Coder: A Whole New World? - Aisha Sie - Codemotion Amsterdam 2017From Doctor to Coder: A Whole New World? - Aisha Sie - Codemotion Amsterdam 2017
From Doctor to Coder: A Whole New World? - Aisha Sie - Codemotion Amsterdam 2017Codemotion
 
Downtime is not an option - day 2 operations - Jörg Schad
Downtime is not an option - day 2 operations - Jörg SchadDowntime is not an option - day 2 operations - Jörg Schad
Downtime is not an option - day 2 operations - Jörg SchadCodemotion
 
Webinar - Matteo Manchi: Dal web al nativo: Introduzione a React Native
Webinar - Matteo Manchi: Dal web al nativo: Introduzione a React Native Webinar - Matteo Manchi: Dal web al nativo: Introduzione a React Native
Webinar - Matteo Manchi: Dal web al nativo: Introduzione a React Native Codemotion
 
Yan Cui - Serverless in production, an experience report - Codemotion Milan 2017
Yan Cui - Serverless in production, an experience report - Codemotion Milan 2017Yan Cui - Serverless in production, an experience report - Codemotion Milan 2017
Yan Cui - Serverless in production, an experience report - Codemotion Milan 2017Codemotion
 
Diego Viganò - Milano Chatbots Meetup - Codemotion Milan 2017
Diego Viganò - Milano Chatbots Meetup - Codemotion Milan 2017Diego Viganò - Milano Chatbots Meetup - Codemotion Milan 2017
Diego Viganò - Milano Chatbots Meetup - Codemotion Milan 2017Codemotion
 
Nicola Corti/Valentina Mazzoni - GDG Italia Meetup - Codemotion Milan 2017
Nicola Corti/Valentina Mazzoni - GDG Italia Meetup - Codemotion Milan 2017Nicola Corti/Valentina Mazzoni - GDG Italia Meetup - Codemotion Milan 2017
Nicola Corti/Valentina Mazzoni - GDG Italia Meetup - Codemotion Milan 2017Codemotion
 
Tomas Petricek - The Gamma: Democratizing data science - Codemotion Milan 2017
Tomas Petricek - The Gamma: Democratizing data science - Codemotion Milan 2017Tomas Petricek - The Gamma: Democratizing data science - Codemotion Milan 2017
Tomas Petricek - The Gamma: Democratizing data science - Codemotion Milan 2017Codemotion
 
Alison B Lowndes - Fueling the Artificial Intelligence Revolution with Gaming...
Alison B Lowndes - Fueling the Artificial Intelligence Revolution with Gaming...Alison B Lowndes - Fueling the Artificial Intelligence Revolution with Gaming...
Alison B Lowndes - Fueling the Artificial Intelligence Revolution with Gaming...Codemotion
 
Lorna Mitchell - Becoming Polyglot - Codemotion Milan 2017
Lorna Mitchell - Becoming Polyglot - Codemotion Milan 2017Lorna Mitchell - Becoming Polyglot - Codemotion Milan 2017
Lorna Mitchell - Becoming Polyglot - Codemotion Milan 2017Codemotion
 
Agnieszka Naplocha - Breaking the norm with creative CSS - Codemotion Milan 2017
Agnieszka Naplocha - Breaking the norm with creative CSS - Codemotion Milan 2017Agnieszka Naplocha - Breaking the norm with creative CSS - Codemotion Milan 2017
Agnieszka Naplocha - Breaking the norm with creative CSS - Codemotion Milan 2017Codemotion
 
Andrea Maietta - Il fascino della supercazzola: un breve viaggio nel mondo de...
Andrea Maietta - Il fascino della supercazzola: un breve viaggio nel mondo de...Andrea Maietta - Il fascino della supercazzola: un breve viaggio nel mondo de...
Andrea Maietta - Il fascino della supercazzola: un breve viaggio nel mondo de...Codemotion
 

Destaque (20)

Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
 
Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutionsBad for Enterprise: Attacking BYOD enterprise mobility security solutions
Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container Security
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
Composable architectures The Lego of IT - Alessandro David
Composable architectures The Lego of IT - Alessandro DavidComposable architectures The Lego of IT - Alessandro David
Composable architectures The Lego of IT - Alessandro David
 
Mobile UX for user engagement and monetization - Emilia Ciardi - Codemotion R...
Mobile UX for user engagement and monetization - Emilia Ciardi - Codemotion R...Mobile UX for user engagement and monetization - Emilia Ciardi - Codemotion R...
Mobile UX for user engagement and monetization - Emilia Ciardi - Codemotion R...
 
Francesco Arcieri - La monetizzazione delle API - Codemotion Milan 2017
Francesco Arcieri - La monetizzazione delle API - Codemotion Milan 2017Francesco Arcieri - La monetizzazione delle API - Codemotion Milan 2017
Francesco Arcieri - La monetizzazione delle API - Codemotion Milan 2017
 
Dark patterns and mobile UX design - Emilia Ciardi - Codemotion Amsterdam 2017
Dark patterns and mobile UX design - Emilia Ciardi - Codemotion Amsterdam 2017Dark patterns and mobile UX design - Emilia Ciardi - Codemotion Amsterdam 2017
Dark patterns and mobile UX design - Emilia Ciardi - Codemotion Amsterdam 2017
 
Tomer Elmalem - GraphQL APIs: REST in Peace - Codemotion Milan 2017
Tomer Elmalem - GraphQL APIs: REST in Peace - Codemotion Milan 2017Tomer Elmalem - GraphQL APIs: REST in Peace - Codemotion Milan 2017
Tomer Elmalem - GraphQL APIs: REST in Peace - Codemotion Milan 2017
 
From Doctor to Coder: A Whole New World? - Aisha Sie - Codemotion Amsterdam 2017
From Doctor to Coder: A Whole New World? - Aisha Sie - Codemotion Amsterdam 2017From Doctor to Coder: A Whole New World? - Aisha Sie - Codemotion Amsterdam 2017
From Doctor to Coder: A Whole New World? - Aisha Sie - Codemotion Amsterdam 2017
 
Downtime is not an option - day 2 operations - Jörg Schad
Downtime is not an option - day 2 operations - Jörg SchadDowntime is not an option - day 2 operations - Jörg Schad
Downtime is not an option - day 2 operations - Jörg Schad
 
Webinar - Matteo Manchi: Dal web al nativo: Introduzione a React Native
Webinar - Matteo Manchi: Dal web al nativo: Introduzione a React Native Webinar - Matteo Manchi: Dal web al nativo: Introduzione a React Native
Webinar - Matteo Manchi: Dal web al nativo: Introduzione a React Native
 
Yan Cui - Serverless in production, an experience report - Codemotion Milan 2017
Yan Cui - Serverless in production, an experience report - Codemotion Milan 2017Yan Cui - Serverless in production, an experience report - Codemotion Milan 2017
Yan Cui - Serverless in production, an experience report - Codemotion Milan 2017
 
Diego Viganò - Milano Chatbots Meetup - Codemotion Milan 2017
Diego Viganò - Milano Chatbots Meetup - Codemotion Milan 2017Diego Viganò - Milano Chatbots Meetup - Codemotion Milan 2017
Diego Viganò - Milano Chatbots Meetup - Codemotion Milan 2017
 
Nicola Corti/Valentina Mazzoni - GDG Italia Meetup - Codemotion Milan 2017
Nicola Corti/Valentina Mazzoni - GDG Italia Meetup - Codemotion Milan 2017Nicola Corti/Valentina Mazzoni - GDG Italia Meetup - Codemotion Milan 2017
Nicola Corti/Valentina Mazzoni - GDG Italia Meetup - Codemotion Milan 2017
 
Tomas Petricek - The Gamma: Democratizing data science - Codemotion Milan 2017
Tomas Petricek - The Gamma: Democratizing data science - Codemotion Milan 2017Tomas Petricek - The Gamma: Democratizing data science - Codemotion Milan 2017
Tomas Petricek - The Gamma: Democratizing data science - Codemotion Milan 2017
 
Alison B Lowndes - Fueling the Artificial Intelligence Revolution with Gaming...
Alison B Lowndes - Fueling the Artificial Intelligence Revolution with Gaming...Alison B Lowndes - Fueling the Artificial Intelligence Revolution with Gaming...
Alison B Lowndes - Fueling the Artificial Intelligence Revolution with Gaming...
 
Lorna Mitchell - Becoming Polyglot - Codemotion Milan 2017
Lorna Mitchell - Becoming Polyglot - Codemotion Milan 2017Lorna Mitchell - Becoming Polyglot - Codemotion Milan 2017
Lorna Mitchell - Becoming Polyglot - Codemotion Milan 2017
 
Agnieszka Naplocha - Breaking the norm with creative CSS - Codemotion Milan 2017
Agnieszka Naplocha - Breaking the norm with creative CSS - Codemotion Milan 2017Agnieszka Naplocha - Breaking the norm with creative CSS - Codemotion Milan 2017
Agnieszka Naplocha - Breaking the norm with creative CSS - Codemotion Milan 2017
 
Andrea Maietta - Il fascino della supercazzola: un breve viaggio nel mondo de...
Andrea Maietta - Il fascino della supercazzola: un breve viaggio nel mondo de...Andrea Maietta - Il fascino della supercazzola: un breve viaggio nel mondo de...
Andrea Maietta - Il fascino della supercazzola: un breve viaggio nel mondo de...
 

Semelhante a Justin Cormack - The 10 Container Security Tricks That Will Help You Sleep At Night - Codemotion Milan 2017

Docker Best Practices Workshop
Docker Best Practices WorkshopDocker Best Practices Workshop
Docker Best Practices WorkshopAhmed AbouZaid
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningStephane Woillez
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...The Incredible Automation Day
 
Securing Containers From Day One | null Ahmedabad Meetup
Securing Containers From Day One | null Ahmedabad MeetupSecuring Containers From Day One | null Ahmedabad Meetup
Securing Containers From Day One | null Ahmedabad MeetupKumar Ashwin
 
Securing Containers From Day One | null Ahmedabad Meetup
Securing Containers From Day One | null Ahmedabad MeetupSecuring Containers From Day One | null Ahmedabad Meetup
Securing Containers From Day One | null Ahmedabad MeetupKumar Ashwin
 
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)DataArt
 
DCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDocker, Inc.
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
Going Production with Docker and Swarm
Going Production with Docker and SwarmGoing Production with Docker and Swarm
Going Production with Docker and SwarmC4Media
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Richard Bullington-McGuire
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers SecurityStephane Woillez
 
Tips and best practices for Docker
Tips and best practices for DockerTips and best practices for Docker
Tips and best practices for DockerCalidad Infotech
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native SecurityKarthik Gaekwad
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...WhiteSource
 
From Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple StepsFrom Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple StepsDevOps.com
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 

Semelhante a Justin Cormack - The 10 Container Security Tricks That Will Help You Sleep At Night - Codemotion Milan 2017 (20)

Docker Best Practices Workshop
Docker Best Practices WorkshopDocker Best Practices Workshop
Docker Best Practices Workshop
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment Planning
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...
 
Securing Containers From Day One | null Ahmedabad Meetup
Securing Containers From Day One | null Ahmedabad MeetupSecuring Containers From Day One | null Ahmedabad Meetup
Securing Containers From Day One | null Ahmedabad Meetup
 
Securing Containers From Day One | null Ahmedabad Meetup
Securing Containers From Day One | null Ahmedabad MeetupSecuring Containers From Day One | null Ahmedabad Meetup
Securing Containers From Day One | null Ahmedabad Meetup
 
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
 
DCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development Pipeline
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Going Production with Docker and Swarm
Going Production with Docker and SwarmGoing Production with Docker and Swarm
Going Production with Docker and Swarm
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
 
Tips and best practices for Docker
Tips and best practices for DockerTips and best practices for Docker
Tips and best practices for Docker
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native Security
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
 
The Three Musketeers
The Three MusketeersThe Three Musketeers
The Three Musketeers
 
From Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple StepsFrom Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple Steps
 
Docker best Practices
Docker best PracticesDocker best Practices
Docker best Practices
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 

Mais de Codemotion

Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Codemotion
 
Pompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyPompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyCodemotion
 
Pastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaPastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaCodemotion
 
Pennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserPennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserCodemotion
 
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Codemotion
 
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Codemotion
 
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Codemotion
 
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 - Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 - Codemotion
 
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Codemotion
 
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Codemotion
 
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Codemotion
 
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Codemotion
 
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Codemotion
 
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Codemotion
 
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Codemotion
 
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...Codemotion
 
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Codemotion
 
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Codemotion
 
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Codemotion
 
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Codemotion
 

Mais de Codemotion (20)

Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
 
Pompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyPompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending story
 
Pastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaPastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storia
 
Pennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserPennisi - Essere Richard Altwasser
Pennisi - Essere Richard Altwasser
 
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
 
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
 
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
 
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 - Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
 
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
 
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
 
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
 
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
 
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
 
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
 
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
 
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
 
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
 
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
 
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
 
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
 

Último

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 

Último (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Justin Cormack - The 10 Container Security Tricks That Will Help You Sleep At Night - Codemotion Milan 2017

  • 1. Ten Container Security Tricks That Will Help You Sleep At Night Justin Cormack
  • 2. Who am I? Engineer at Docker in Cambridge, UK. Background both dev and ops. Work on many projects • maintainer on moby/moby formerly docker/docker • tech lead on LinuxKit • containerD • runC • Docker for Mac • security pieces for engine eg seccomp policies etc 2
  • 4. You want to sleep soundly?
  • 5.
  • 6. Ten things? There are going to be a couple more than ten things here... So you could try to do at least ten! Or at least one! 6
  • 7. Containers do make security a little easier • Identifiability – what did I ship? • Reproducibility – can I ship it again? • Consistency – can I build it again? • Agility – can I do all this quickly? • Usability – can I do it easily? At Docker we have always tried to ship sensible security defaults that just work for most cases. 7
  • 8. Start with the whole team
  • 9. No silos • DevSecOps • Teams working together to deliver quality software • Security as an ongoing process not checkboxes • Ongoing improvements and learning, not blame culture • More rapid deployment of good practise across all software 9
  • 10. Teamwork • Embed security people in your teams. They need to understand what your product is doing too. • If your company is too small to have dedicated security people, assign someone to be responsible for security in each project and learn! • Make sure all the team understands the threat model from the start, and the key risks • Postmortems when things go wrong, not to blame, but to improve 10
  • 11. four things you can do in development
  • 12. Don't use privileged and capabilities • docker run --privileged gives you total control over the machine • adding just a few capabilities and security options does the same • don't use setuid code in containers, disable with --security-opt=no-new-privileges • run as a non root user or use user namespaces if possible • don't bind the Docker socket into a container Very rarely you may need to do some of these things, eg for some debugging, but these use cases are exceptional. 12
  • 13. Use read only images • docker run --read-only ... • nothing can be modified in the container root filesystem • understand exactly what configuration is expected Sometimes images don't work, please file an issue. 13
  • 14. Use official images where possible • the official images are well designed • they are updated for security issues • they use best practises for the software being packaged • they are well tested • minimal • they use modern OS versions, use alpine or stretch If there isn't one try to work with upstream project and read the guidelines https://github.com/docker-library/official-images 14
  • 15. Use the secrets API • Do not check secrets into git • Do not put secrets in environment variables • Use the docker secrets API docker secret create • Or the Kubernetes API kubectl create secret • Or Vault from Hashicorp 15
  • 16. Dev and Ops as a team
  • 17. Always be updating • Automated build pipeline • Constantly be updating base images with security fixes • Update your other dependencies • the longer you leave updates the harder they become 17
  • 18. Use an image scanning service 18
  • 19. Don't try to keep containers running forever • It is not a competition! • The more often you update the harder it is for attackers • Plus you get the security updates sooner • Continuous delivery means you get small code improvements out faster • Always be updating! 19
  • 20. Sign your containers • Once you have automated builds you can start signing • Guarantee that processes have been followed • Can use for automated promotion of images • Official images already signed, check them • new easier commands – docker trust view – docker trust sign – docker trust revoke 20
  • 22. Use a minimal underlying OS “Use container-specific OSes instead of general-purpose ones to reduce attack surfaces. When using a container-specific OS, attack surfaces are typically much smaller than they would be with a general-purpose OS, so there are fewer opportunities to attack and compromise a container-specific OS.” NIST Application Container Security Guide http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf Failing that, at least make sure the OS is updated. 22
  • 25. Test based on your code • eg for web based code look for XSS vulnerabilities • look at your code like an attacker • don't just look at the "happy path" Always use static analysis tools, eg linters. As many as possible... Many of the things they find will not be security issues, but a few may be. 25