Security should be integrated into every phase of the container application development life cycle, from build to ship to run. On August 31st, we hosted an online meetup to discuss the issues that need to be addressed to achieve continuous security for containers.
The presentation included speakers from Rancher Labs (www.rancher.com), NeuVector (www.neuvector.com) and Black Duck Software (www.blackducksoftware.com) who discussed:
- Best practices for preparing your environment for secure deployment
- How to secure containers during run-time
- Actionable next steps to protect your applications
20. Changing Traffic Patterns – And Risks
• Traffic explosion
• Open source vulnerabilities
• Sophisticated attacks
Microservices generate east-west traffic (diagram: containers exchanging east-west traffic, with attack markers). Examples: DDoS, SambaCry, WannaCrypt.
21. East-West Traffic: Traditional Security Tools Are Blind
(diagram: east-west traffic between containers, with attack markers)
• Can’t see east-west
• Can’t keep up
• Low accuracy
Zero-day attacks; insider attacks.
27. Example: Demo / Dirty Cow
Exploits affect hosts and containers. CVE-2016-5195, Linux root escalation.
Demo ‘kill chain’:
1. Attacker exploits a vulnerable application to inject code
2. Runs Dirty Cow to gain root in the container
3. Connects to an external host
4. NeuVector detects (a) the root escalation and (b) the unauthorized connection
5. Attacker breaks out to compromise the host
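The two detection points in step 4 of the kill chain above, written out as an added example (this is not NeuVector's code): a process inside a container that ends up running as uid 0 although its parent was unprivileged, and an outbound connection from the container to a destination outside its declared service graph. The event record format, the container name, the per-container allowlist and the sample event stream are all constructed for this illustration.

```python
"""Runtime detection of the two signals from the Dirty Cow slide:
root escalation inside a container, and a connection outside policy.
Added example; event format and policy are constructed, not a real product's."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Constructed per-container network policy. In practice this would be learned
# from observed east-west traffic or declared for each service.
ALLOWED_DESTINATIONS: Dict[str, List[str]] = {
    "web": ["10.0.0.0/24"],  # the web tier may only talk to the app tier subnet
}


@dataclass
class Event:
    container: str
    kind: str            # "exec" (process start) or "connect" (outbound TCP)
    uid: int = -1        # exec: uid the new process runs as
    parent_uid: int = -1 # exec: uid of the parent process
    comm: str = ""       # exec: program name
    dst: str = ""        # connect: destination IP address


def is_root_escalation(ev: Event) -> bool:
    """Step 2 of the slide: a process gains uid 0 from a non-root parent.
    Legitimate setuid use (e.g. sudo) would also trip this, so a real
    detector baselines expected transitions per image first."""
    return ev.kind == "exec" and ev.uid == 0 and ev.parent_uid > 0


def is_unauthorized_connection(ev: Event,
                               policy: Dict[str, List[str]] = ALLOWED_DESTINATIONS) -> bool:
    """Step 3 of the slide: destination not covered by the container's allowlist."""
    if ev.kind != "connect":
        return False
    dst = ip_address(ev.dst)
    return not any(dst in ip_network(net) for net in policy.get(ev.container, []))


def detect(events: Iterable[Event]) -> List[str]:
    """Walk the event stream and emit one alert string per matching signal."""
    alerts: List[str] = []
    for ev in events:
        if is_root_escalation(ev):
            alerts.append(f"{ev.container}: root escalation by '{ev.comm}' "
                          f"(parent uid {ev.parent_uid})")
        elif is_unauthorized_connection(ev):
            alerts.append(f"{ev.container}: unauthorized connection to {ev.dst}")
    return alerts


# Constructed event stream that follows the slide's numbered steps.
SAMPLE_EVENTS = [
    Event("web", "exec", uid=1000, parent_uid=1000, comm="node"),  # normal start
    Event("web", "connect", dst="10.0.0.15"),                     # allowed east-west call
    Event("web", "exec", uid=0, parent_uid=1000, comm="sh"),       # step 2: root gained
    Event("web", "connect", dst="198.51.100.7"),                  # step 3: outside policy
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Both checks are per-event and stateless, which keeps them cheap enough to run on every process start and connection; correlating them (escalation followed by an unauthorized connection from the same container) is what raises the finding from two alerts to a kill-chain detection.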
28. THANK YOU
For more information contact us at info@neuvector.com, http://neuvector.com
39. About Black Duck
• Founded 2002
• 350+ employees in 24 countries
• 2,000 customers, including 40 of the Fortune 100
• 8 of the top 10 software companies (70 of the top 100)
• 6 of the top 8 mobile handset vendors
• 6 of the top 10 investment banks
40. Automating Five Critical Tasks and Having a Bill of Materials Provide Distinct Advantage
1. INVENTORY open source software
2. MAP known security vulnerabilities
3. IDENTIFY license compliance risks
4. TRACK remediation priorities & progress
5. ALERT on new vulnerabilities affecting you
Visibility AND control.
41. Open Source Changed the Way Applications are Built
Share of open source in applications (chart: custom & commercial code vs. open source software):
• 1998: 10% open source
• 2005: 20% open source
• 2010: 50% open source
• Today: up to 90% open source
Open source is the modern architecture.
42. Containers can be vulnerable by virtue of the code that runs inside them
• OSS components running inside containers represent potential attack vectors
• Could cause problems for the application itself
• Could cause more problems if the container is running with the --privileged flag set
Agile, Containers and DevOps
46. Why Aren’t We Finding These in Testing?
• Static analysis
  • Testing of source code or binaries for unknown security vulnerabilities in custom code
  • Advantages in buffer overflow, some types of SQL injection
  • Provides results in source code
• Dynamic analysis
  • Testing of compiled application in a staging environment to detect unknown security vulnerabilities in custom code
  • Advantages in injection errors, XSS
  • Provides results by URL, must be traced to source
What’s missing? (diagram: static analysis and dynamic analysis as two circles inside the space of all possible security vulnerabilities, with “FREAK!” called out)
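Static and dynamic analysis look for unknown flaws in custom code; what slide 40's five tasks add is the other half, matching a bill of materials against already-known advisories. The following added example (not Black Duck's code) runs those five tasks over a constructed inventory, and folds in slide 42's point by ranking a finding higher when the affected component runs in a container started with --privileged. The image names, component names, version strings, advisory IDs (EXAMPLE-000n placeholders, not real CVEs), licence data and the simplistic dotted-integer version comparison are all constructed assumptions.

```python
"""Five BoM-driven tasks over a constructed inventory: inventory, map known
vulnerabilities, identify licence risk, track remediation priority, alert on
new advisories. Added example with placeholder data, not a vendor's code."""
from typing import Dict, List, Set, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Constructed versioning: dotted integers, compared lexicographically."""
    return tuple(int(p) for p in v.split("."))


# 1. INVENTORY: constructed bill of materials per image, plus how the image runs.
IMAGES: Dict[str, dict] = {
    "web:1.4":   {"components": {"libexample": "2.1.0", "parserlib": "0.9.3"},
                  "privileged": False},
    "batch:3.0": {"components": {"libexample": "1.8.2"},
                  "privileged": True},   # started with --privileged (slide 42)
}

# Constructed advisory feed; IDs are placeholders, not real CVE numbers.
ADVISORIES: List[dict] = [
    {"id": "EXAMPLE-0001", "component": "libexample", "fixed_in": "2.0.0", "severity": 9.0},
    {"id": "EXAMPLE-0002", "component": "parserlib",  "fixed_in": "1.0.0", "severity": 5.5},
]

# Constructed licence data; copyleft licences are flagged for compliance review.
LICENSES: Dict[str, str] = {"libexample": "MIT", "parserlib": "GPL-3.0"}
COPYLEFT: Set[str] = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}


def is_affected(version: str, advisory: dict) -> bool:
    """A component is affected if it is older than the version that fixed the issue."""
    return parse_version(version) < parse_version(advisory["fixed_in"])


# 2. MAP known vulnerabilities onto the inventory.
def map_vulnerabilities(images: Dict[str, dict] = IMAGES,
                        advisories: List[dict] = ADVISORIES) -> List[dict]:
    findings: List[dict] = []
    for image, info in images.items():
        for comp, ver in info["components"].items():
            for adv in advisories:
                if adv["component"] == comp and is_affected(ver, adv):
                    findings.append({"image": image, "component": comp, "version": ver,
                                     "id": adv["id"], "severity": adv["severity"],
                                     "fixed_in": adv["fixed_in"]})
    return findings


# 3. IDENTIFY licence compliance risks.
def license_risks(images: Dict[str, dict] = IMAGES,
                  licenses: Dict[str, str] = LICENSES) -> List[Tuple[str, str, str]]:
    return [(image, comp, licenses[comp])
            for image, info in images.items()
            for comp in info["components"]
            if licenses.get(comp) in COPYLEFT]


# 4. TRACK remediation priority: the same advisory counts double inside a
#    privileged container, because a compromise there is much closer to the host.
def prioritize(findings: List[dict], images: Dict[str, dict] = IMAGES) -> List[dict]:
    def score(f: dict) -> float:
        return f["severity"] * (2.0 if images[f["image"]]["privileged"] else 1.0)
    return sorted(findings, key=score, reverse=True)


# 5. ALERT on findings whose advisory was not present in the previous scan.
def alert_new(findings: List[dict], known_ids: Set[str]) -> List[dict]:
    return [f for f in findings if f["id"] not in known_ids]


if __name__ == "__main__":
    for f in prioritize(map_vulnerabilities()):
        print(f"{f['image']:10} {f['component']:10} {f['version']:6} {f['id']} "
              f"sev {f['severity']} fixed in {f['fixed_in']}")
    for image, comp, lic in license_risks():
        print(f"licence review: {image} {comp} ({lic})")
```

Neither finding here would surface from static or dynamic analysis of the application's own code; the vulnerable versions are known only because the inventory is matched against a feed, and re-running `alert_new` with the IDs from the last scan is what turns a one-off audit into ongoing alerting.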
47. Black Duck and NeuVector
Pipeline: Dev → Build/CI → Registry → Deploy → Run-Time
NeuVector (secure in production): continuous network security for containers
• Network inspection
• Network traffic visibility and segmentation
• ‘Layer 7’ application isolation & threat detection
• Privilege escalation detection
• Container quarantine
• Run-time vulnerability scan
Black Duck (secure DevOps): automated visibility, intelligence, and control for applications and containers
• Scanning of applications and containers
• Component discovery and identification (“Bill of Materials”)
• Analysis of known security vulnerabilities, license risks, and operational risks
• Management of risk policies, enforcement, and remediation
• Ongoing alerting of new vulnerabilities and policy violations
• Knowledge base of open source components and their risks