SlideShare uma empresa Scribd logo
1 de 24
Baixar para ler offline
Securing Containers from Day One
Kumar Ashwin
0xcardinal.com
null Ahmedabad
Container Security
About Me
Kumar Ashwin
• Security Consultant @ Payatu
• Manages null Study Groups for six different Security Domains and also
contributes to other communities
• 0xcardinal.com
• 0xCardinal on social platforms
Agenda
• What are containers?
• Why we need containers?
• VM v/s Containers
• Cgroups & Namespaces
• Docker Primer
• Build Optimization
• Security
• Resources
• QnA
https://giphy.com/gifs/rockstargames-usz0fqhUiVxSs6IUKB
What are containers?
Containers are nothing but just another Linux process which is isolated from
other processes running on the same host.
Why do we
need
containers?
Virtual Machines v/s Containers
https://www.docker.com/blog/containers-replacing-virtual-machines/
cgroups &
namespaces
namespaces
It defines
what a
container can
see, uses
syscalls to do
so.
https://wizardzines.com/comics/namespaces/
Demo : namespaces
Will share how the name spaces work using unshare and creating namespaces
for user and network, and demonstrating the difference.
cgroups
It defines
what a
container can
use or access,
uses syscalls
to do so.
https://wizardzines.com/comics/cgroups/
Docker
Primer
🐳
Docker itself is not a
Container.
Myth busting
What is Docker?
• Docker is a container engine, which
is a piece of software that accepts user requests, including command line
options, pulls images, and from the end user's perspective runs the
container.
• Other than docker there are other container engines as well, like - RKT, CRI-O,
and LXD
Docker Architecture
https://docs.docker.com/get-started/overview/
Docker Basics
• There are different images, which are stored in the registry, from where it pull
the image, to create different containers.
• Generally, a Dockerfile (contains commands/instructions) is used to build a
container.
• If you want to run a multi-container Docker application – Docker Compose is
your go to tool.
• Common docker/docker compose commands, that are generally used -
• docker pull <image-name> - used to pull images from registry
• docker run [args] <image-name> - used to run a container from the image defined
• docker build [args] – used to build a container out of a Dockerfile
• docker-compose up – used to build a multi-container setup from docker-compose.yml
• docker ps – used to list down the active containers
• For every RUN, COPY, ADD instruction in a Dockerfile, a layer is created.
Dockerfile
* insecure
Build Optimization
• Minimize number of layers. Improves performance.
• Multi-Stage Builds
• Do not install unnecessary packages
• Decouple the application
• Slim down the image – using docker-slim
• It promises to slim down the image by 30x - https://github.com/docker-slim/docker-slim
Why Dockerfile Security?
• Here we will be talking about securing the images pre-build and what are the
practices that we can follow.
• A great start point to look for security issues are Dockerfile.
• Dockerfiles?
• These are the blueprints of the system/container that is to be created.
• Infrastructure as a Code (IaaC)
• One of the main components for the entire supply chain security.
Security Best-Practices
• Prefer minimal base images
• Use .dockerignore file to exclude files from build
• Create Golden Images
• Golden Images are hardened base images than can be used further development
• Do not run containers as root
• Adding this in the Dockerfile will help in chainging the user
FROM alpine:latest
RUN useradd –u 1234 non-root-user
USER non-root-user
• Do not commit secrets in Dockerfile or Containers
• Can use BuildKit to pass secrets to use in containers securely
• Use COPY instead of ADD, wherever possible
More Security Stuff
• Use linters like hadolint, that will help to build best practice Docker Images.
More Security Stuff
• Use dockle to scan
images against CIS
benchmarks.
• CIS Benchmark security
Comparision
Seccomp
• It is a security feature in the Linux kernel. It can be used to restrict any system
calls in the docker container.
• E.g.,
Some Resources
• Containers from Scratch [YouTube]
• Dockerfile Best Practices
• Multi-stage builds
• dockle checkpoint comparison
• Tips for optimizing builds
• Dockerfile Tutorial
• Practical guide to write Dockerfile
QnA
Securing Containers from Day One
Thank You!
twitter.com/0xcardinal
Kumar Ashwin

Mais conteúdo relacionado

Mais procurados

Neil Peterson - Azure CLI Deep Dive
Neil Peterson - Azure CLI Deep DiveNeil Peterson - Azure CLI Deep Dive
Neil Peterson - Azure CLI Deep DiveWinOps Conf
 
Cloudsolutionday 2016: Getting Started with Severless Architecture
Cloudsolutionday 2016: Getting Started with Severless ArchitectureCloudsolutionday 2016: Getting Started with Severless Architecture
Cloudsolutionday 2016: Getting Started with Severless ArchitectureAWS Vietnam Community
 
(APP309) Running and Monitoring Docker Containers at Scale | AWS re:Invent 2014
(APP309) Running and Monitoring Docker Containers at Scale | AWS re:Invent 2014(APP309) Running and Monitoring Docker Containers at Scale | AWS re:Invent 2014
(APP309) Running and Monitoring Docker Containers at Scale | AWS re:Invent 2014Amazon Web Services
 
WinOps Conf 2016 - Michael Greene - Release Pipelines
WinOps Conf 2016 - Michael Greene - Release PipelinesWinOps Conf 2016 - Michael Greene - Release Pipelines
WinOps Conf 2016 - Michael Greene - Release PipelinesWinOps Conf
 
Moving Applications into Azure Kubernetes
Moving Applications into Azure KubernetesMoving Applications into Azure Kubernetes
Moving Applications into Azure KubernetesHussein Salman
 
Sebastien goasguen cloud stack the next year
Sebastien goasguen   cloud stack the next yearSebastien goasguen   cloud stack the next year
Sebastien goasguen cloud stack the next yearShapeBlue
 
Sebastien goasguen cloud stack and docker
Sebastien goasguen   cloud stack and dockerSebastien goasguen   cloud stack and docker
Sebastien goasguen cloud stack and dockerShapeBlue
 
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...Trivadis
 
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECSWeaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECSWeaveworks
 
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton Docker, Inc.
 
MVC 6 - the new unified Web programming model
MVC 6 - the new unified Web programming modelMVC 6 - the new unified Web programming model
MVC 6 - the new unified Web programming modelAlex Thissen
 
Containers: Life Beyond Microservices? by Sushil Kumar, Robin Systems
Containers: Life Beyond Microservices? by Sushil Kumar, Robin SystemsContainers: Life Beyond Microservices? by Sushil Kumar, Robin Systems
Containers: Life Beyond Microservices? by Sushil Kumar, Robin SystemsDocker, Inc.
 
Application Deployment and Management at Scale with 1&1 by Matt Baldwin
Application Deployment and Management at Scale with 1&1 by Matt BaldwinApplication Deployment and Management at Scale with 1&1 by Matt Baldwin
Application Deployment and Management at Scale with 1&1 by Matt BaldwinDocker, Inc.
 
Using Rancher and Docker with RightScale at Industrie IT
Using Rancher and Docker with RightScale at Industrie IT Using Rancher and Docker with RightScale at Industrie IT
Using Rancher and Docker with RightScale at Industrie IT RightScale
 
Training And Serving ML Model Using Kubeflow by Jayesh Sharma
Training And Serving ML Model Using Kubeflow by Jayesh SharmaTraining And Serving ML Model Using Kubeflow by Jayesh Sharma
Training And Serving ML Model Using Kubeflow by Jayesh SharmaCodeOps Technologies LLP
 
Meetup #3: Migrate a fast scale system to AWS
Meetup #3: Migrate a fast scale system to AWSMeetup #3: Migrate a fast scale system to AWS
Meetup #3: Migrate a fast scale system to AWSAWS Vietnam Community
 
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...CodeOps Technologies LLP
 

Mais procurados (20)

Docker in the Cloud
Docker in the CloudDocker in the Cloud
Docker in the Cloud
 
Neil Peterson - Azure CLI Deep Dive
Neil Peterson - Azure CLI Deep DiveNeil Peterson - Azure CLI Deep Dive
Neil Peterson - Azure CLI Deep Dive
 
Cloudsolutionday 2016: Getting Started with Severless Architecture
Cloudsolutionday 2016: Getting Started with Severless ArchitectureCloudsolutionday 2016: Getting Started with Severless Architecture
Cloudsolutionday 2016: Getting Started with Severless Architecture
 
(APP309) Running and Monitoring Docker Containers at Scale | AWS re:Invent 2014
(APP309) Running and Monitoring Docker Containers at Scale | AWS re:Invent 2014(APP309) Running and Monitoring Docker Containers at Scale | AWS re:Invent 2014
(APP309) Running and Monitoring Docker Containers at Scale | AWS re:Invent 2014
 
DevOpsCon Cloud Workshop
DevOpsCon Cloud Workshop DevOpsCon Cloud Workshop
DevOpsCon Cloud Workshop
 
WinOps Conf 2016 - Michael Greene - Release Pipelines
WinOps Conf 2016 - Michael Greene - Release PipelinesWinOps Conf 2016 - Michael Greene - Release Pipelines
WinOps Conf 2016 - Michael Greene - Release Pipelines
 
Moving Applications into Azure Kubernetes
Moving Applications into Azure KubernetesMoving Applications into Azure Kubernetes
Moving Applications into Azure Kubernetes
 
ASP.NET vNext
ASP.NET vNextASP.NET vNext
ASP.NET vNext
 
Sebastien goasguen cloud stack the next year
Sebastien goasguen   cloud stack the next yearSebastien goasguen   cloud stack the next year
Sebastien goasguen cloud stack the next year
 
Sebastien goasguen cloud stack and docker
Sebastien goasguen   cloud stack and dockerSebastien goasguen   cloud stack and docker
Sebastien goasguen cloud stack and docker
 
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
 
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECSWeaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
 
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
 
MVC 6 - the new unified Web programming model
MVC 6 - the new unified Web programming modelMVC 6 - the new unified Web programming model
MVC 6 - the new unified Web programming model
 
Containers: Life Beyond Microservices? by Sushil Kumar, Robin Systems
Containers: Life Beyond Microservices? by Sushil Kumar, Robin SystemsContainers: Life Beyond Microservices? by Sushil Kumar, Robin Systems
Containers: Life Beyond Microservices? by Sushil Kumar, Robin Systems
 
Application Deployment and Management at Scale with 1&1 by Matt Baldwin
Application Deployment and Management at Scale with 1&1 by Matt BaldwinApplication Deployment and Management at Scale with 1&1 by Matt Baldwin
Application Deployment and Management at Scale with 1&1 by Matt Baldwin
 
Using Rancher and Docker with RightScale at Industrie IT
Using Rancher and Docker with RightScale at Industrie IT Using Rancher and Docker with RightScale at Industrie IT
Using Rancher and Docker with RightScale at Industrie IT
 
Training And Serving ML Model Using Kubeflow by Jayesh Sharma
Training And Serving ML Model Using Kubeflow by Jayesh SharmaTraining And Serving ML Model Using Kubeflow by Jayesh Sharma
Training And Serving ML Model Using Kubeflow by Jayesh Sharma
 
Meetup #3: Migrate a fast scale system to AWS
Meetup #3: Migrate a fast scale system to AWSMeetup #3: Migrate a fast scale system to AWS
Meetup #3: Migrate a fast scale system to AWS
 
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
 

Semelhante a Securing Containers From Day One | null Ahmedabad Meetup

Docker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and toolsDocker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and toolsRamit Surana
 
Docker Best Practices Workshop
Docker Best Practices WorkshopDocker Best Practices Workshop
Docker Best Practices WorkshopAhmed AbouZaid
 
Docker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken CochraneDocker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken CochranedotCloud
 
Virtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management servicesVirtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management servicesabhishek chawla
 
Getting Started with Docker
Getting Started with DockerGetting Started with Docker
Getting Started with DockerGeeta Vinnakota
 
Learning Dockers - Step by Step
Learning Dockers - Step by StepLearning Dockers - Step by Step
Learning Dockers - Step by StepAdnan Siddiqi
 
DCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDocker, Inc.
 
Docker Indy Meetup - An Opinionated View of Building Docker Images and Pipelines
Docker Indy Meetup - An Opinionated View of Building Docker Images and PipelinesDocker Indy Meetup - An Opinionated View of Building Docker Images and Pipelines
Docker Indy Meetup - An Opinionated View of Building Docker Images and PipelinesMatt Bentley
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentDave Ward
 
Containers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aciContainers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aciRajesh Kolla
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container SecuritySuraj Khetani
 
Containers and security
Containers and securityContainers and security
Containers and securitysriram_rajan
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Dockerize the World
Dockerize the WorldDockerize the World
Dockerize the Worlddamovsky
 
CI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and TutumCI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and TutumSreenivas Makam
 

Semelhante a Securing Containers From Day One | null Ahmedabad Meetup (20)

Docker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and toolsDocker for the new Era: Introducing Docker,its components and tools
Docker for the new Era: Introducing Docker,its components and tools
 
Docker Best Practices Workshop
Docker Best Practices WorkshopDocker Best Practices Workshop
Docker Best Practices Workshop
 
Django and Docker
Django and DockerDjango and Docker
Django and Docker
 
Docker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken CochraneDocker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken Cochrane
 
Virtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management servicesVirtualization, Containers, Docker and scalable container management services
Virtualization, Containers, Docker and scalable container management services
 
Getting Started with Docker
Getting Started with DockerGetting Started with Docker
Getting Started with Docker
 
Learning Dockers - Step by Step
Learning Dockers - Step by StepLearning Dockers - Step by Step
Learning Dockers - Step by Step
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
 
DCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development Pipeline
 
Docker Indy Meetup - An Opinionated View of Building Docker Images and Pipelines
Docker Indy Meetup - An Opinionated View of Building Docker Images and PipelinesDocker Indy Meetup - An Opinionated View of Building Docker Images and Pipelines
Docker Indy Meetup - An Opinionated View of Building Docker Images and Pipelines
 
Docker Workshop
Docker WorkshopDocker Workshop
Docker Workshop
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deployment
 
Containers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aciContainers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aci
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
 
Docker
DockerDocker
Docker
 
Containers and security
Containers and securityContainers and security
Containers and security
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Dockerize the World
Dockerize the WorldDockerize the World
Dockerize the World
 
CI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and TutumCI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and Tutum
 

Último

AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 

Último (20)

201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 

Securing Containers From Day One | null Ahmedabad Meetup

  • 1. Securing Containers from Day One Kumar Ashwin 0xcardinal.com null Ahmedabad Container Security
  • 2. About Me Kumar Ashwin • Security Consultant @ Payatu • Manages null Study Groups for six different Security Domains and also contributes to other communities • 0xcardinal.com • 0xCardinal on social platforms
  • 3. Agenda • What are containers? • Why we need containers? • VM v/s Containers • Cgroups & Namespaces • Docker Primer • Build Optimization • Security • Resources • QnA https://giphy.com/gifs/rockstargames-usz0fqhUiVxSs6IUKB
  • 4. What are containers? Containers are nothing but just another Linux process which is isolated from other processes running on the same host.
  • 6. Virtual Machines v/s Containers https://www.docker.com/blog/containers-replacing-virtual-machines/
  • 8. namespaces It defines what a container can see, uses syscalls to do so. https://wizardzines.com/comics/namespaces/
  • 9. Demo : namespaces Will share how the name spaces work using unshare and creating namespaces for user and network, and demonstrating the difference.
  • 10. cgroups It defines what a container can use or access, uses syscalls to do so. https://wizardzines.com/comics/cgroups/
  • 12. Docker itself is not a Container. Myth busting
  • 13. What is Docker? • Docker is a container engine, which is a piece of software that accepts user requests, including command line options, pulls images, and from the end user's perspective runs the container. • Other than docker there are other container engines as well, like - RKT, CRI-O, and LXD
  • 15. Docker Basics • There are different images, which are stored in the registry, from where it pull the image, to create different containers. • Generally, a Dockerfile (contains commands/instructions) is used to build a container. • If you want to run a multi-container Docker application – Docker Compose is your go to tool. • Common docker/docker compose commands, that are generally used - • docker pull <image-name> - used to pull images from registry • docker run [args] <image-name> - used to run a container from the image defined • docker build [args] – used to build a container out of a Dockerfile • docker-compose up – used to build a multi-container setup from docker-compose.yml • docker ps – used to list down the active containers • For every RUN, COPY, ADD instruction in a Dockerfile, a layer is created.
  • 17. Build Optimization • Minimize number of layers. Improves performance. • Multi-Stage Builds • Do not install unnecessary packages • Decouple the application • Slim down the image – using docker-slim • It promises to slim down the image by 30x - https://github.com/docker-slim/docker-slim
  • 18. Why Dockerfile Security? • Here we will be talking about securing the images pre-build and what are the practices that we can follow. • A great start point to look for security issues are Dockerfile. • Dockerfiles? • These are the blueprints of the system/container that is to be created. • Infrastructure as a Code (IaaC) • One of the main components for the entire supply chain security.
  • 19. Security Best-Practices • Prefer minimal base images • Use .dockerignore file to exclude files from build • Create Golden Images • Golden Images are hardened base images than can be used further development • Do not run containers as root • Adding this in the Dockerfile will help in chainging the user FROM alpine:latest RUN useradd –u 1234 non-root-user USER non-root-user • Do not commit secrets in Dockerfile or Containers • Can use BuildKit to pass secrets to use in containers securely • Use COPY instead of ADD, wherever possible
  • 20. More Security Stuff • Use linters like hadolint, that will help to build best practice Docker Images.
  • 21. More Security Stuff • Use dockle to scan images against CIS benchmarks. • CIS Benchmark security Comparision
  • 22. Seccomp • It is a security feature in the Linux kernel. It can be used to restrict any system calls in the docker container. • E.g.,
  • 23. Some Resources • Containers from Scratch [YouTube] • Dockerfile Best Practices • Multi-stage builds • dockle checkpoint comparison • Tips for optimizing builds • Dockerfile Tutorial • Practical guide to write Dockerfile
  • 24. QnA Securing Containers from Day One Thank You! twitter.com/0xcardinal Kumar Ashwin