SlideShare a Scribd company logo

Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016

Manideep Konakandla
Manideep Konakandla

My Talk at OWASP Appsec USA 2016

Technology
1 of 38
Download to read offline
Breaking && Securing your ‘Docker’ized environments Manideep K
Shameless Bragging • Masters Student + Security Researcher at “Carnegie Mellon” • Authored a book on Info Sec & Ethical Hacking at the age of 20 • Featured in INDIA’s largest news papers and news channels • Trained 15,000+ people in Infosec including corporates, students & cyber cops • 10 certifications : ISO 27001:2013 ISMS LA, CCNA, CEH, JNCIP-SEC etc. • Ex Team Lead – Core Security & Data Analytics at TCS • Interest areas : Container Security, Application Security etc. More details on “www.manideepk.com” 2
Experience with Docker containers • Research at Carnegie Mellon University under renowned professors • Cloud Security Research Intern @Adobe • Co-Authored CIS Docker 1.12 Benchmark (You will see points from it today) • Research Intern at Carnegie Mellon 3
Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host - Communication and Registry security (if time permits)  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 4
Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 5
Containers?  Lightweight  Application centric  No more - “it works on my machine”  Micro-services Namespaces Isolates containers (PID, User, Network, IPC, Mount , UTS) Cgroups Limits, accounts and isolates resource usage (CPU, memory etc.) BUZZ……….! Are containers brand new? Img Ref: www.docker.com 6
Container environment (Docker) Img Ref: Modified version of image on www.docker.com 7
8 Risk Areas Images Container Runtime Daemon Host System Kernel/ Containers Isolation (Shared kernel) Communication
Container pipeline (Docker) Client <=> daemon communication Communication with public/private registry Registry’s security Host security Daemon security Containers Images 9
Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 10
11 Containers do not contain 53% of decision makers are worried about security of containers* Containers are not production-ready Container Security (Docker) developed “a lot” in the past two years, is still developing and has lot of scope Docker containers are now “production-ready**” . Google spins up more than 2 billion containers per week Containers are the “FUTURE” * Forrester/Red Hat Report , January 2015 ** You have to make them secure
Docker says At Docker we believe in “Secure by Default” * NCC Group Report on containers says Docker default security settings are quite good ** I say (and even you will, by end of this presentation) “Docker is not secure by default, you have to make it secure…!” * https://blog.docker.com/2016/04/docker-security/ ** https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/april/understanding-and-hardening-linux- containers/ 12
My approach for explanation “Point” (on later slides) What breaks it & How to secure it Why this approach? 13
Breaking and Securing “Images” 14
Image Layers – Copy on Write (CoW) model Manifest file of an image inside registry Image’s lifecycle (Img Ref: www.docker.com) Introduction to Images 15
• Where can I get Images? - Docker hub , Docker Private Store • Can I use them (directly)? - No, Not Docker hub (at least general images) for enterprises (personal?) - How about Docker Private store? • Official images are scanned with Nautilus (general images are not) • My analysis with images (sampling) • Banyanops analysis* proved that Docker hub images are prone to severe vulnerabilities such as Heartbleed, Shellshock etc. (2015 report) Quick Facts from the report : 30% official images are vulnerable 70% general images are vulnerable * : Below report was released in 2015. Though Docker initiated Nautilus after that and started mitigating the vulnerabilities in official images, it still has many unpatched. Also, unofficial Docker hub images are still untouched and are left with lot of vulnerabilities. So, though the percentage of vulnerabilities might not be exactly the same today, the essence of the report still remains the same** ** : You can open the official images on Docker hub and see the tags section of each image which shows the scan report of Nautilus for that particular image Report Link: https://banyanops.com/blog/analyzing-docker-hub/ 16
Lesson Learnt….! Do Not directly use Docker hub images (not atleast general images and not at-least for enterprise use) 17
Manideep, Then what to do? Prepare your own Docker Images (Oh Gosh, Lot of security controls to follow….!) • How to write Dockerfiles (any other similar mechanism such as Packr) securely? • How to maintain/consume images securely? 18
Writing Dockerfiles securely (our “Points” are here….) 1) Follow version pinning mechanisms for base images, packages etc. (Caching issue) CIS Docker 1.12– 5.27 2) Download packages securely - Ex: GPG (MITM issue) : CIS Docker 1.12 – 4.11 3) Create a user for containers (Priv issue / root issue) : CIS Docker 1.12 – 4.1 4) Do not use any kind of update instructions alone in the Dockerfile (Caching issue) CIS Docker 1.12 – 4.7 5) Remove setuid, setgid permissions within the images (Priv Escalation) : CIS Docker 1.12 – 4.8 6) Do not install unnecessary packages within the images (Increased attack surface) CIS Docker 1.12 – 4.3 7) Do not write secrets in Dockerfiles (Information Disclosure). Use Keywhiz, Vault etc. CIS Docker 1.12 – 4.10 8) Use COPY instead of ADD (Increased attack surface) : CIS Docker 1.12 – 4.9 9) Use HEALTHCHECK command (Best practice) : CIS Docker 1.12 – 4.6 10) Use gosu instead of sudo wherever possible ( TTY and signal forwarding issue) 11) Do not prefer to run multiple applications within one container (Increased attack surface) 19
How to maintain / consume images securely? 1) Docker Content Trust (Enable it!) • Based on Thandy framework and is little complex to understand • Ensures integrity, authenticity and freshness guarantees to images (Without DCT?) • Extensive analysis done (Seems secure…) • Create your own Notary setup 2) Images should be “vulnerability-free” and should be “frequently” scanned with tools like Twistlock, Nautilus etc. Tools should be capable of doing binary level analysis /hash based match and just not version string matching. 3) All images / packages within images must be up-to-date (Except compatibility issues) 4) Follow all CIS Docker benchmark standards 20
Breaking and Securing “Container runtime” 21
Container runtime security 1) Ensure Docker commands get latest images (Caching issue) : CIS Docker 1.12 – 5.27 2) Enable PIDs cgroup per container (fork bomb) : CIS Docker 1.12 - 5.28 3) Do not use default docker0 bridge (ARP spoofing, MITM etc.) : CIS Docker 1.12 - 5.29 4) Set memory limits per container (DOS) : CIS Docker 1.12 - 5.10 5) Do not use privileged containers (Violation of least privilege) : CIS Docker 1.12 - 5.4 6) Bind incoming traffic to any specific interface (Info disclosure etc.) : CIS Docker 1.12 - 5.13 7) Do not share host’s process, user, UTS, IPC, network namespaces to containers (Info disclosure etc.) 8) Do not disable capabilities (significance of SYS_TIME, NET_RAW) 9) Prefer to set no new privileges flag (no runtime priv. gain atacks) : CIS Docker 1.12 – 5.25 10) Do not disable seccomp profiles (Container breakout) : CIS Docker 1.12 – 5.21 11) Set CPU shares appropriately (DOS) : CIS Docker 1.12 – 5.11 12) Use Apparmor / SELinux profiles (No access restriction) : CIS Docker 1.12 – 5.1, 5.2 13) Mounts (Violation of least privilege) 14) Beware of non namespaced components : kernel keyring etc. (Container breakout) 15) Adhere CIS Docker 1.12 benchmark 22
Breaking and Securing “Daemon” 23
1) Enable user namespaces - When user namespaces are enabled (which are disabled by default) root inside the container will be “no more” root on the host. (Without user namespaces?) - Enable user namespaces when launching daemon with “- - userns-remap” flag - Know about the restrictions (no read only filesystem for containers, no - -privileged flag etc.) 2) Disable communication between containers - By default, all containers are on the same bridge and can communicate (intercept traffic) - Add “- - icc = false” flag when launching daemon which would prevent container communication - Use user-defined networks for allowing group of containers to communicate (DO NOT use legacy container linking method as it leaks secrets stored in environment variables between containers) 3) Enable TLS & authentication for communication between daemon and client - By default, communication between docker daemon and client are not encrypted and there is no authentication between them. - Enable TLS & CA authentication at daemon level which would prevent attacks such as MITM, server or client impersonation etc. Daemon Security 24
Daemon Security 4) Enable ulimits for your docker daemon (You can do it at runtime per container) - ulimits are great way to restrict lot of resources such as CPU time limit, max file descriptors that can be opened, max no of processes etc. - By default, no ulimits are set . You can enable them by using flags. Ex: “- -default-ulimit nproc=10” 5) Use authorization plugins - By default, every user having access to daemon can run any Docker command. Auth plugins provides granular control on “who runs what” at daemon level. - You can enable auth plugins while launching daemon with the flag “- -authorization-plugin=plugin1 –authorization-plugin=plugin2 …………….” 6) Ensure only trusted users will have access to docker daemon as all the members within the docker group will have effective root privileges 25
Breaking and Securing “The host where containers are hosted” 26
Security controls on the host 1) Maintain up-to-date Linux kernel - They have all vulnerabilities fixed and latest security controls included - Ex: PIDs cgroup (prevents fork bomb) is only available in kernels > 4.3 2) Apply kernel hardening policies such as GRSecurity, PaX etc. - These are kernel patch sets which help in preventing multiple kind of memory, access control exploits etc. These would prevent exploitation even though attacker was able to break out of container. Also, ensure that these kernel patches do not interfere with your Docker setup (test with sysctl and then lock down) 3) Harden the host as per your enterprise / CIS / SANS guidelines 4) Keep Docker always up-to-date 27
Container pipeline (Holistic View) – Communication & Registry Security Client <=> daemon communication Communication with public/private registry Registry’s security Host security Daemon security Containers Images Img Ref: Modified version of image on www.docker.com * * 28
Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 29
Few tips for enterprises • Setup your own in-house registry having “secure and ready-to-consume” images • Prepare customized auth plugins, seccomp, apparmor profiles as per your requirements • Do not share secrets in environment variables • Use tools like Twistlock, Scalock etc. to secure your container environments. These tools provide capabilities like Image lockdown, RBAC, automatic profiling etc. • Use TPM, TCB etc. in Docker environments (Add docker daemon to TCB) • Use image optimization techniques (Do not compromise security!) • Container specific rules to be created in SIEM • Group containers on VM’s (basing on trust, operational categories) • Employ least privilege, defense in depth, reduced attack surface principles • Employ file integrity monitoring tools for critical files • Prepare separate patch management, vulnerability management etc. procedures for container environments • Adhere to latest CIS Docker benchmark or prepare your own internal benchmarks customizing standard CIS Docker benchmark as per your organizational requirements 30
Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 31
Future (My 2¢) • Hardware level Isolation ( Container’s performance + VM security ) - Clear Containers (QEMU+KVM : Very light weight VM ‘s. Though not up to Docker performance, they are optimizing more). - Has lot of scope. My area of work for next few days. • No more shared kernel as in clear containers • Trusted place for getting Images. Ex: Docker store • Advancement in container security tools : Twistlock, Scalock are only tools which cover entire container ecosystems today. They are adding more features • In-built “proper” hardening of host when Docker installed (GRSEC, PaX etc.) • Docker Images encryption – similar to VM (Most security controls of VM will be soon shipped to container ecosystem) • Portability between container technologies (lot of current work) • Name spacing the missing components: Kernel keyring, SYS_TIME etc. • Enhanced security controls on the daemon, images and container runtime Ex: better default seccomp by in-built profiling etc. 32
My Next Plans • Research on hardware level isolation to containers • In-depth Research on other container technologies • Whitepaper (or possibly a book? ) on Docker Security • Continue contribution to CIS Docker Benchmark (Please join!) • Will be presenting at RSA conference (poster under RSA Scholar Program), Grehack etc. • Feel free to reach me if you have similar interests or want to collaborate 33
Conclusion 34
References 1. https://www.nccgroup.trust/globalassets/our- research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf 2. http://www.oreilly.com/webops-perf/free/files/docker-security.pdf 3. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf 4. CIS Docker Benchmark 1.12 5. http://csrc.nist.gov/news_events/cif_2015/research/day1_research_430-530.pdf 6. http://www.slideshare.net/SreenivasMakam/docker-security-overview?qid=49963984-be1a-4322-a3a8- e5a2963127c0&v=&b=&from_search=1 7. http://www.slideshare.net/Docker/docker-security-workshop-slides 8. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231 9. https://clearlinux.org/features/clear-containers 10. https://arxiv.org/pdf/1501.02967.pdf 11. http://www.slideshare.net/Docker/the-golden-ticket-docker-and-high-security-microservices-by-aaron- grattafiori?qid=dd633f11-1c78-42ce-86f0-88068690a6ee&v=&b=&from_search=2 12. https://docs.docker.com/engine/security/ 13. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence 35
Special Thanks to Adobe 36
Q & A time 37
Thank you…! Reach me on www.manideepk.com for any questions 38

Recommended

How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?Manideep Konakandla
 
Is Docker Secure?
Is Docker Secure?Is Docker Secure?
Is Docker Secure?Manideep Konakandla
 
BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017Manideep Konakandla
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
RSA conference poster on Docker container security
RSA conference poster on Docker container securityRSA conference poster on Docker container security
RSA conference poster on Docker container securityManideep Konakandla
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container SecurityShea Stewart
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisOW2
 
An In-depth look at application containers
An In-depth look at application containersAn In-depth look at application containers
An In-depth look at application containersJohn Kinsella
 

Recommended

How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?Manideep Konakandla
 
Is Docker Secure?
Is Docker Secure?Is Docker Secure?
Is Docker Secure?Manideep Konakandla
 
BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017Manideep Konakandla
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
RSA conference poster on Docker container security
RSA conference poster on Docker container securityRSA conference poster on Docker container security
RSA conference poster on Docker container securityManideep Konakandla
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container SecurityShea Stewart
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisOW2
 
An In-depth look at application containers
An In-depth look at application containersAn In-depth look at application containers
An In-depth look at application containersJohn Kinsella
 
Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Jose Manuel Ortega Candel
 
Testing Docker Images Security
Testing Docker Images SecurityTesting Docker Images Security
Testing Docker Images SecurityJose Manuel Ortega Candel
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the CloudJohn Kinsella
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers SecurityStephane Woillez
 
SW Docker Security
SW Docker SecuritySW Docker Security
SW Docker SecurityStephane Woillez
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersJohn Kinsella
 
Dockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to GeekDockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to GeekwiTTyMinds1
 
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)DataArt
 
V brownbag sept-14-2016
V brownbag sept-14-2016V brownbag sept-14-2016
V brownbag sept-14-2016Anthony Chow
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningStephane Woillez
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...NETWAYS
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure SecurityRicky Sanders
 
Docker 101
Docker 101Docker 101
Docker 101Lâm Đào
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Advanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and ScalabilityAdvanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and ScalabilityAll Things Open
 
Equifax cyber attack contained by containers
Equifax cyber attack contained by containersEquifax cyber attack contained by containers
Equifax cyber attack contained by containersAqua Security
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
CDI and Seam 3: an Exciting New Landscape for Java EE Development
CDI and Seam 3: an Exciting New Landscape for Java EE DevelopmentCDI and Seam 3: an Exciting New Landscape for Java EE Development
CDI and Seam 3: an Exciting New Landscape for Java EE DevelopmentSaltmarch Media
 
Common Challenges in DevOps Change Management
Common Challenges in DevOps Change ManagementCommon Challenges in DevOps Change Management
Common Challenges in DevOps Change ManagementMatt Ray
 
The Future of Change Management and DevOps for Dummies
The Future of Change Management and DevOps for DummiesThe Future of Change Management and DevOps for Dummies
The Future of Change Management and DevOps for DummiesDBmaestro - Database DevOps
 

More Related Content

What's hot

Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Jose Manuel Ortega Candel
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers SecurityStephane Woillez
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersJohn Kinsella
 
Dockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to GeekDockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to GeekwiTTyMinds1
 
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)DataArt
 
V brownbag sept-14-2016
V brownbag sept-14-2016V brownbag sept-14-2016
V brownbag sept-14-2016Anthony Chow
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningStephane Woillez
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...NETWAYS
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure SecurityRicky Sanders
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Advanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and ScalabilityAdvanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and ScalabilityAll Things Open
 
Equifax cyber attack contained by containers
Equifax cyber attack contained by containersEquifax cyber attack contained by containers
Equifax cyber attack contained by containersAqua Security
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
CDI and Seam 3: an Exciting New Landscape for Java EE Development
CDI and Seam 3: an Exciting New Landscape for Java EE DevelopmentCDI and Seam 3: an Exciting New Landscape for Java EE Development
CDI and Seam 3: an Exciting New Landscape for Java EE DevelopmentSaltmarch Media
 

What's hot (20)

Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017
 
Testing Docker Images Security
Testing Docker Images SecurityTesting Docker Images Security
Testing Docker Images Security
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
 
SW Docker Security
SW Docker SecuritySW Docker Security
SW Docker Security
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability Scanners
 
Dockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to GeekDockers & kubernetes detailed - Beginners to Geek
Dockers & kubernetes detailed - Beginners to Geek
 
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
 
V brownbag sept-14-2016
V brownbag sept-14-2016V brownbag sept-14-2016
V brownbag sept-14-2016
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment Planning
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
 
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
OSDC 2016 - Inspecting Security of Docker formatted Container Images to find ...
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure Security
 
Docker 101
Docker 101Docker 101
Docker 101
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
 
Advanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and ScalabilityAdvanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and Scalability
 
Equifax cyber attack contained by containers
Equifax cyber attack contained by containersEquifax cyber attack contained by containers
Equifax cyber attack contained by containers
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
 
CDI and Seam 3: an Exciting New Landscape for Java EE Development
CDI and Seam 3: an Exciting New Landscape for Java EE DevelopmentCDI and Seam 3: an Exciting New Landscape for Java EE Development
CDI and Seam 3: an Exciting New Landscape for Java EE Development
 

Viewers also liked

Common Challenges in DevOps Change Management
Common Challenges in DevOps Change ManagementCommon Challenges in DevOps Change Management
Common Challenges in DevOps Change ManagementMatt Ray
 
The Future of Change Management and DevOps for Dummies
The Future of Change Management and DevOps for DummiesThe Future of Change Management and DevOps for Dummies
The Future of Change Management and DevOps for DummiesDBmaestro - Database DevOps
 
Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...
Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...
Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...Zohar Stolar
 
DevOps Picc12 Management Talk
DevOps Picc12 Management TalkDevOps Picc12 Management Talk
DevOps Picc12 Management TalkMichael Rembetsy
 
Case Study: Verizon - CA Workload Automation ESP Edition: Best Practice’s, De...
Case Study: Verizon - CA Workload Automation ESP Edition: Best Practice’s, De...Case Study: Verizon - CA Workload Automation ESP Edition: Best Practice’s, De...
Case Study: Verizon - CA Workload Automation ESP Edition: Best Practice’s, De...CA Technologies
 
Dockerfile at Guidewire
Dockerfile at GuidewireDockerfile at Guidewire
Dockerfile at GuidewireDocker, Inc.
 
'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen Day'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen DayDocker, Inc.
 
Infinit: Modern Storage Platform for Container Environments
Infinit: Modern Storage Platform for Container EnvironmentsInfinit: Modern Storage Platform for Container Environments
Infinit: Modern Storage Platform for Container EnvironmentsDocker, Inc.
 
Online Meetup: What's new in docker 1.13.0
Online Meetup: What's new in docker 1.13.0 Online Meetup: What's new in docker 1.13.0
Online Meetup: What's new in docker 1.13.0 Docker, Inc.
 
Containerd - core container runtime component
Containerd - core container runtime component Containerd - core container runtime component
Containerd - core container runtime component Docker, Inc.
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker imagesRootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker imagesDaniel Garcia (a.k.a cr0hn)
 
containerd summit - Deep Dive into containerd
containerd summit - Deep Dive into containerdcontainerd summit - Deep Dive into containerd
containerd summit - Deep Dive into containerdDocker, Inc.
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker, Inc.
 
containerd and CRI
containerd and CRIcontainerd and CRI
containerd and CRIDocker, Inc.
 
Driving containerd operations with gRPC
Driving containerd operations with gRPCDriving containerd operations with gRPC
Driving containerd operations with gRPCDocker, Inc.
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deploymentMichael Cherny
 
Docker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EEDocker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EEDocker, Inc.
 

Viewers also liked (18)

Common Challenges in DevOps Change Management
Common Challenges in DevOps Change ManagementCommon Challenges in DevOps Change Management
Common Challenges in DevOps Change Management
 
The Future of Change Management and DevOps for Dummies
The Future of Change Management and DevOps for DummiesThe Future of Change Management and DevOps for Dummies
The Future of Change Management and DevOps for Dummies
 
Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...
Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...
Introduction to containers running dockers using kubernetes - הרצאה לכנס מיק...
 
DevOps Picc12 Management Talk
DevOps Picc12 Management TalkDevOps Picc12 Management Talk
DevOps Picc12 Management Talk
 
Case Study: Verizon - CA Workload Automation ESP Edition: Best Practice’s, De...
Case Study: Verizon - CA Workload Automation ESP Edition: Best Practice’s, De...Case Study: Verizon - CA Workload Automation ESP Edition: Best Practice’s, De...
Case Study: Verizon - CA Workload Automation ESP Edition: Best Practice’s, De...
 
Dockerfile at Guidewire
Dockerfile at GuidewireDockerfile at Guidewire
Dockerfile at Guidewire
 
'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen Day'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen Day
 
Infinit: Modern Storage Platform for Container Environments
Infinit: Modern Storage Platform for Container EnvironmentsInfinit: Modern Storage Platform for Container Environments
Infinit: Modern Storage Platform for Container Environments
 
Online Meetup: What's new in docker 1.13.0
Online Meetup: What's new in docker 1.13.0 Online Meetup: What's new in docker 1.13.0
Online Meetup: What's new in docker 1.13.0
 
Containerd - core container runtime component
Containerd - core container runtime component Containerd - core container runtime component
Containerd - core container runtime component
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker imagesRootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
 
containerd summit - Deep Dive into containerd
containerd summit - Deep Dive into containerdcontainerd summit - Deep Dive into containerd
containerd summit - Deep Dive into containerd
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016
 
containerd and CRI
containerd and CRIcontainerd and CRI
containerd and CRI
 
Driving containerd operations with gRPC
Driving containerd operations with gRPCDriving containerd operations with gRPC
Driving containerd operations with gRPC
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deployment
 
Docker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EEDocker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EE
 

Similar to Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016

Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingPhil Estes
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
 
Cloud orchestration risks
Cloud orchestration risksCloud orchestration risks
Cloud orchestration risksGlib Pakharenko
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerPhil Estes
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
What You Should Know About Container Security
What You Should Know About Container SecurityWhat You Should Know About Container Security
What You Should Know About Container SecurityAll Things Open
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel securitysmart_bit
 
Docker: do's and don'ts
Docker: do's and don'tsDocker: do's and don'ts
Docker: do's and don'tsPaolo Tonin
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trustehazlett
 
Devoxx 2016 - Docker Nuts and Bolts
Devoxx 2016 - Docker Nuts and BoltsDevoxx 2016 - Docker Nuts and Bolts
Devoxx 2016 - Docker Nuts and BoltsPatrick Chanezon
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiatedKevin Lee
 

Similar to Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016 (20)

Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're Going
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
 
Cloud orchestration risks
Cloud orchestration risksCloud orchestration risks
Cloud orchestration risks
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in Docker
 
Container security
Container securityContainer security
Container security
 
What You Should Know About Container Security
What You Should Know About Container SecurityWhat You Should Know About Container Security
What You Should Know About Container Security
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel security
 
Docker: do's and don'ts
Docker: do's and don'tsDocker: do's and don'ts
Docker: do's and don'ts
 
Boycott Docker
Boycott DockerBoycott Docker
Boycott Docker
 
Docker best Practices
Docker best PracticesDocker best Practices
Docker best Practices
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
 
Devoxx 2016 - Docker Nuts and Bolts
Devoxx 2016 - Docker Nuts and BoltsDevoxx 2016 - Docker Nuts and Bolts
Devoxx 2016 - Docker Nuts and Bolts
 
Container Security
Container SecurityContainer Security
Container Security
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiated
 

Recently uploaded

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 

Recently uploaded (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016

  • 1. Breaking && Securing your ‘Docker’ized environments Manideep K
  • 2. Shameless Bragging • Masters Student + Security Researcher at “Carnegie Mellon” • Authored a book on Info Sec & Ethical Hacking at the age of 20 • Featured in INDIA’s largest news papers and news channels • Trained 15,000+ people in Infosec including corporates, students & cyber cops • 10 certifications : ISO 27001:2013 ISMS LA, CCNA, CEH, JNCIP-SEC etc. • Ex Team Lead – Core Security & Data Analytics at TCS • Interest areas : Container Security, Application Security etc. More details on “www.manideepk.com” 2
  • 3. Experience with Docker containers • Research at Carnegie Mellon University under renowned professors • Cloud Security Research Intern @Adobe • Co-Authored CIS Docker 1.12 Benchmark (You will see points from it today) • Research Intern at Carnegie Mellon 3
  • 4. Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host - Communication and Registry security (if time permits)  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 4
  • 5. Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 5
  • 6. Containers?  Lightweight  Application centric  No more - “it works on my machine”  Micro-services Namespaces Isolates containers (PID, User, Network, IPC, Mount , UTS) Cgroups Limits, accounts and isolates resource usage (CPU, memory etc.) BUZZ……….! Are containers brand new? Img Ref: www.docker.com 6
  • 7. Container environment (Docker) Img Ref: Modified version of image on www.docker.com 7
  • 8. 8 Risk Areas Images Container Runtime Daemon Host System Kernel/ Containers Isolation (Shared kernel) Communication
  • 9. Container pipeline (Docker) Client <=> daemon communication Communication with public/private registry Registry’s security Host security Daemon security Containers Images 9
  • 10. Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 10
  • 11. 11 Containers do not contain 53% of decision makers are worried about security of containers* Containers are not production-ready Container Security (Docker) developed “a lot” in the past two years, is still developing and has lot of scope Docker containers are now “production-ready**” . Google spins up more than 2 billion containers per week Containers are the “FUTURE” * Forrester/Red Hat Report , January 2015 ** You have to make them secure
  • 12. Docker says At Docker we believe in “Secure by Default” * NCC Group Report on containers says Docker default security settings are quite good ** I say (and even you will, by end of this presentation) “Docker is not secure by default, you have to make it secure…!” * https://blog.docker.com/2016/04/docker-security/ ** https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/april/understanding-and-hardening-linux- containers/ 12
  • 13. My approach for explanation “Point” (on later slides) What breaks it & How to secure it Why this approach? 13
  • 15. Image Layers – Copy on Write (CoW) model Manifest file of an image inside registry Image’s lifecycle (Img Ref: www.docker.com) Introduction to Images 15
  • 16. • Where can I get Images? - Docker hub , Docker Private Store • Can I use them (directly)? - No, Not Docker hub (at least general images) for enterprises (personal?) - How about Docker Private store? • Official images are scanned with Nautilus (general images are not) • My analysis with images (sampling) • Banyanops analysis* proved that Docker hub images are prone to severe vulnerabilities such as Heartbleed, Shellshock etc. (2015 report) Quick Facts from the report : 30% official images are vulnerable 70% general images are vulnerable * : Below report was released in 2015. Though Docker initiated Nautilus after that and started mitigating the vulnerabilities in official images, it still has many unpatched. Also, unofficial Docker hub images are still untouched and are left with lot of vulnerabilities. So, though the percentage of vulnerabilities might not be exactly the same today, the essence of the report still remains the same** ** : You can open the official images on Docker hub and see the tags section of each image which shows the scan report of Nautilus for that particular image Report Link: https://banyanops.com/blog/analyzing-docker-hub/ 16
  • 17. Lesson Learnt….! Do Not directly use Docker hub images (not atleast general images and not at-least for enterprise use) 17
  • 18. Manideep, Then what to do? Prepare your own Docker Images (Oh Gosh, Lot of security controls to follow….!) • How to write Dockerfiles (any other similar mechanism such as Packr) securely? • How to maintain/consume images securely? 18
  • 19. Writing Dockerfiles securely (our “Points” are here….) 1) Follow version pinning mechanisms for base images, packages etc. (Caching issue) CIS Docker 1.12– 5.27 2) Download packages securely - Ex: GPG (MITM issue) : CIS Docker 1.12 – 4.11 3) Create a user for containers (Priv issue / root issue) : CIS Docker 1.12 – 4.1 4) Do not use any kind of update instructions alone in the Dockerfile (Caching issue) CIS Docker 1.12 – 4.7 5) Remove setuid, setgid permissions within the images (Priv Escalation) : CIS Docker 1.12 – 4.8 6) Do not install unnecessary packages within the images (Increased attack surface) CIS Docker 1.12 – 4.3 7) Do not write secrets in Dockerfiles (Information Disclosure). Use Keywhiz, Vault etc. CIS Docker 1.12 – 4.10 8) Use COPY instead of ADD (Increased attack surface) : CIS Docker 1.12 – 4.9 9) Use HEALTHCHECK command (Best practice) : CIS Docker 1.12 – 4.6 10) Use gosu instead of sudo wherever possible ( TTY and signal forwarding issue) 11) Do not prefer to run multiple applications within one container (Increased attack surface) 19
  • 20. How to maintain / consume images securely? 1) Docker Content Trust (Enable it!) • Based on Thandy framework and is little complex to understand • Ensures integrity, authenticity and freshness guarantees to images (Without DCT?) • Extensive analysis done (Seems secure…) • Create your own Notary setup 2) Images should be “vulnerability-free” and should be “frequently” scanned with tools like Twistlock, Nautilus etc. Tools should be capable of doing binary level analysis /hash based match and just not version string matching. 3) All images / packages within images must be up-to-date (Except compatibility issues) 4) Follow all CIS Docker benchmark standards 20
  • 22. Container runtime security 1) Ensure Docker commands get latest images (Caching issue) : CIS Docker 1.12 – 5.27 2) Enable PIDs cgroup per container (fork bomb) : CIS Docker 1.12 - 5.28 3) Do not use default docker0 bridge (ARP spoofing, MITM etc.) : CIS Docker 1.12 - 5.29 4) Set memory limits per container (DOS) : CIS Docker 1.12 - 5.10 5) Do not use privileged containers (Violation of least privilege) : CIS Docker 1.12 - 5.4 6) Bind incoming traffic to any specific interface (Info disclosure etc.) : CIS Docker 1.12 - 5.13 7) Do not share host’s process, user, UTS, IPC, network namespaces to containers (Info disclosure etc.) 8) Do not disable capabilities (significance of SYS_TIME, NET_RAW) 9) Prefer to set no new privileges flag (no runtime priv. gain atacks) : CIS Docker 1.12 – 5.25 10) Do not disable seccomp profiles (Container breakout) : CIS Docker 1.12 – 5.21 11) Set CPU shares appropriately (DOS) : CIS Docker 1.12 – 5.11 12) Use Apparmor / SELinux profiles (No access restriction) : CIS Docker 1.12 – 5.1, 5.2 13) Mounts (Violation of least privilege) 14) Beware of non namespaced components : kernel keyring etc. (Container breakout) 15) Adhere CIS Docker 1.12 benchmark 22
  • 24. 1) Enable user namespaces - When user namespaces are enabled (which are disabled by default) root inside the container will be “no more” root on the host. (Without user namespaces?) - Enable user namespaces when launching daemon with “- - userns-remap” flag - Know about the restrictions (no read only filesystem for containers, no - -privileged flag etc.) 2) Disable communication between containers - By default, all containers are on the same bridge and can communicate (intercept traffic) - Add “- - icc = false” flag when launching daemon which would prevent container communication - Use user-defined networks for allowing group of containers to communicate (DO NOT use legacy container linking method as it leaks secrets stored in environment variables between containers) 3) Enable TLS & authentication for communication between daemon and client - By default, communication between docker daemon and client are not encrypted and there is no authentication between them. - Enable TLS & CA authentication at daemon level which would prevent attacks such as MITM, server or client impersonation etc. Daemon Security 24
  • 25. Daemon Security 4) Enable ulimits for your docker daemon (You can do it at runtime per container) - ulimits are great way to restrict lot of resources such as CPU time limit, max file descriptors that can be opened, max no of processes etc. - By default, no ulimits are set . You can enable them by using flags. Ex: “- -default-ulimit nproc=10” 5) Use authorization plugins - By default, every user having access to daemon can run any Docker command. Auth plugins provides granular control on “who runs what” at daemon level. - You can enable auth plugins while launching daemon with the flag “- -authorization-plugin=plugin1 –authorization-plugin=plugin2 …………….” 6) Ensure only trusted users will have access to docker daemon as all the members within the docker group will have effective root privileges 25
  • 26. Breaking and Securing “The host where containers are hosted” 26
  • 27. Security controls on the host 1) Maintain up-to-date Linux kernel - They have all vulnerabilities fixed and latest security controls included - Ex: PIDs cgroup (prevents fork bomb) is only available in kernels > 4.3 2) Apply kernel hardening policies such as GRSecurity, PaX etc. - These are kernel patch sets which help in preventing multiple kind of memory, access control exploits etc. These would prevent exploitation even though attacker was able to break out of container. Also, ensure that these kernel patches do not interfere with your Docker setup (test with sysctl and then lock down) 3) Harden the host as per your enterprise / CIS / SANS guidelines 4) Keep Docker always up-to-date 27
  • 28. Container pipeline (Holistic View) – Communication & Registry Security Client <=> daemon communication Communication with public/private registry Registry’s security Host security Daemon security Containers Images Img Ref: Modified version of image on www.docker.com * * 28
  • 29. Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 29
  • 30. Few tips for enterprises • Setup your own in-house registry having “secure and ready-to-consume” images • Prepare customized auth plugins, seccomp, apparmor profiles as per your requirements • Do not share secrets in environment variables • Use tools like Twistlock, Scalock etc. to secure your container environments. These tools provide capabilities like Image lockdown, RBAC, automatic profiling etc. • Use TPM, TCB etc. in Docker environments (Add docker daemon to TCB) • Use image optimization techniques (Do not compromise security!) • Container specific rules to be created in SIEM • Group containers on VM’s (basing on trust, operational categories) • Employ least privilege, defense in depth, reduced attack surface principles • Employ file integrity monitoring tools for critical files • Prepare separate patch management, vulnerability management etc. procedures for container environments • Adhere to latest CIS Docker benchmark or prepare your own internal benchmarks customizing standard CIS Docker benchmark as per your organizational requirements 30
  • 31. Agenda  Introduction - One minute quick dive on containers - Container environment - Risk Areas  Breaking && Securing - Images - Container runtime - Daemon - Host  Holistic view of entire container pipeline  Few tips for enterprises  Future  Conclusion  References  Q&A 31
  • 32. Future (My 2¢) • Hardware level Isolation ( Container’s performance + VM security ) - Clear Containers (QEMU+KVM : Very light weight VM ‘s. Though not up to Docker performance, they are optimizing more). - Has lot of scope. My area of work for next few days. • No more shared kernel as in clear containers • Trusted place for getting Images. Ex: Docker store • Advancement in container security tools : Twistlock, Scalock are only tools which cover entire container ecosystems today. They are adding more features • In-built “proper” hardening of host when Docker installed (GRSEC, PaX etc.) • Docker Images encryption – similar to VM (Most security controls of VM will be soon shipped to container ecosystem) • Portability between container technologies (lot of current work) • Name spacing the missing components: Kernel keyring, SYS_TIME etc. • Enhanced security controls on the daemon, images and container runtime Ex: better default seccomp by in-built profiling etc. 32
  • 33. My Next Plans • Research on hardware level isolation to containers • In-depth Research on other container technologies • Whitepaper (or possibly a book? ) on Docker Security • Continue contribution to CIS Docker Benchmark (Please join!) • Will be presenting at RSA conference (poster under RSA Scholar Program), Grehack etc. • Feel free to reach me if you have similar interests or want to collaborate 33
  • 35. References 1. https://www.nccgroup.trust/globalassets/our- research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf 2. http://www.oreilly.com/webops-perf/free/files/docker-security.pdf 3. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf 4. CIS Docker Benchmark 1.12 5. http://csrc.nist.gov/news_events/cif_2015/research/day1_research_430-530.pdf 6. http://www.slideshare.net/SreenivasMakam/docker-security-overview?qid=49963984-be1a-4322-a3a8- e5a2963127c0&v=&b=&from_search=1 7. http://www.slideshare.net/Docker/docker-security-workshop-slides 8. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231 9. https://clearlinux.org/features/clear-containers 10. https://arxiv.org/pdf/1501.02967.pdf 11. http://www.slideshare.net/Docker/the-golden-ticket-docker-and-high-security-microservices-by-aaron- grattafiori?qid=dd633f11-1c78-42ce-86f0-88068690a6ee&v=&b=&from_search=2 12. https://docs.docker.com/engine/security/ 13. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence 35
  • 37. Q & A time 37
  • 38. Thank you…! Reach me on www.manideepk.com for any questions 38