Our cloud security expert examines the security challenges that come with container adoption and unpack the key steps required to integrate and automate container assessment into the DevOps cycle to help developers build and deploy cloud native apps at speed whilst keeping one eye on security.

1. Mastering Container Security in
modern day DevOps
Sergio Loureiro
October 2020

2. Helping customers improve security posture since 2001
Full stack security assessment
Over 2,000 customers in all regions of the world
Application security for DevSecOps
Comprehensive Cloud and Container security

3. Agenda
 How containers have become a vital organ for DevOps and the hidden risks
 Common Docker and Kubernetes vulnerabilities to be aware of
 Steps to secure containers through workload protection and configuration assessment
 Secure SDLC and DevSecOps: automating and integrating container
security assessment to spot vulnerabilities before moving into production
 Application security and container hardening best practice to secure your
application from end to end
3

4. 4

5. Public Containers
• Vulnerabilities
• Malware
Own Containers
• Poor coding skills
• No security testing
5
Infrastructure
• Misconfigurations
• Lack of hardening
Hidden Risks

6. Public Containers
• Crypto-mining
• Known vulnerabilities
Own Containers
• Vulnerabilities
• Look at the bigger picture: SDLC
6
Infrastructure
• runc vulnerability
• Docker running as root
• Kubernetes misconfiguration
Common vulnerabilities and attacks

7. Public Containers
• Static analysis
• Security testing
• Clean registries
Own containers
• Bake Security into SDLC
7
Infrastructure Configuration
• CIS Docker
• CIS Kubernetes
Steps to secure containers

8. Secure SDLC and DevSecOps

9. 9
Image credit: Microsoft

10. Libraries->Containers->Applications
1. Shift security to the left (Dev) of
application security program
2. Getting vulnerabilities earlier, so cheaper
to remediate
In a nutshell
Checking that all containers do not have
vulnerabilities before assembling applications
10
Dev Security Use Cases

11. Security starts at Development and earlier
11
Containerized applications
• Increase of innovation speed
• Support agile approach
• Cost efficiency
• Flexibility
Customer security challenges
• Security testing in an agile approach
• Container Security
Plan Code Build Test Release Deploy Operate Monitor

12. 1. Shift security to the left of
application security program
2. Integrate with CI/CD tools
3. Keep agility with automation
12
Security in a nutshell
1. Checking that all containers do not
have vulnerabilities before
assembling - SCA
2. Security testing as early as
possible - SAST
Coding

13. Build
• Automated assembling, no
manual steps
• Infrastructure as Code (IaC)
13
Security Testing
• DAST
• Pentesting
Building and Testing

14. Infrastructure Continuous
Assessment
• Docker hardening
• Kubernetes hardening
• OS hardening
14
Application Continuous
Assessment
• DAST
• Pentest
• One off vs Continuous
• Scope
Deploying

15. Example with AWS simple ECR pipeline
15
Image credit: AWS

16. Secure your application from end to end

17. SDLC
17
Security Education
SAST
SCA
DAST
Pen Test
Continuous Test
Infrastructure Test
Plan Code Build Test Release Deploy Operate Monitor
Secure Code Warrior
Cloudsec Inspect
Appsec Scale
Appsec Snapshot
Appsec SWAT
Netsec Outscan / HIAB or Cloudsec Inspect

18. DevSecOps
18

19. Sergio Loureiro, sel@outpost24.com
Let’s start assessing your containers today!