Apr 29, 2018

Container security

Jay Beale (@inguardians, @jaybeale)

Containers

  • What the heck is a container?
    • A Linux distribution with a kernel
      • Containers run on top of that, sharing the kernel but not the filesystem
    • Namespaces
      • Mount
      • Network
      • Hostname
      • PID
      • IPC
      • Users
  • Somebody said we’ve had containers since before Docker
    • Containers started in 2005, with OpenVZ
    • Docker was 2013, Kubernetes 2014
  • Image security
    • CoreOS Clair for vulnerability scanning of images
    • Public repos vs. private
    • Don’t keep the same image running for so long (rebuild and redeploy so patches actually get in)
    • Don’t run as root
  • More containment stuff
    • Non-privileged containers
    • Remap the users, so root in the container isn’t root outside
    • Drop root capabilities
    • Seccomp to filter kernel syscalls
    • AppArmor or SELinux
  • All of the above is about Docker; what about Kubernetes?
    • Get onto the most recent version of K8s; 1.7 and 1.8 brought big security improvements
    • Network policy (egress firewalls)
    • RBAC (define which users and service accounts can do what)
    • Use namespaces per tenant and think hard about multi-tenancy
    • Use the CIS guides for lockdown of K8s and the host
    • kube-bench (automates the CIS Kubernetes benchmark checks)
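Added example (not from the talk or the show notes): a small Python audit that walks a Kubernetes Pod spec and reports which items from the checklist above are missing (host namespaces shared, privileged, running as root, capabilities not dropped, no seccomp or AppArmor profile), plus a check that a namespace has a default-deny egress NetworkPolicy. The field names are the real Kubernetes `securityContext` and `NetworkPolicy` fields; the seccomp and AppArmor annotation spellings are the ones that were current at the time of the talk (seccomp later moved to `securityContext.seccompProfile`, which the check also accepts). The two pod specs and the policy are constructed samples, not manifests from any project.

```python
"""Audit Pod specs and NetworkPolicies against the container hardening
checklist from the show notes. Constructed example; manifests are dicts so
no YAML library is needed."""

# Pre-1.19 annotation spellings for seccomp and AppArmor profiles.
SECCOMP_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
APPARMOR_ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def audit_pod(pod: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    spec = pod.get("spec", {})
    annotations = pod.get("metadata", {}).get("annotations", {}) or {}
    pod_sc = spec.get("securityContext", {}) or {}

    # Sharing host namespaces undoes the PID / network / IPC isolation.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod shares the host {flag[4:]} namespace ({flag}: true)")

    # Seccomp: accept the old pod annotation or the newer securityContext field.
    seccomp = annotations.get(SECCOMP_ANNOTATION) or pod_sc.get("seccompProfile", {}).get("type")
    if seccomp in (None, "unconfined", "Unconfined"):
        findings.append("no seccomp profile (syscall filtering) applied")

    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {}) or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # Root: need runAsNonRoot or an explicit non-zero UID at container or pod level.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and (uid is None or uid == 0):
            findings.append(f"{name}: may run as root (no runAsNonRoot / non-zero runAsUser)")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        dropped = {d.upper() for d in sc.get("capabilities", {}).get("drop", [])}
        if "ALL" not in dropped:
            findings.append(f"{name}: capabilities not dropped (expected drop: [ALL])")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if not annotations.get(APPARMOR_ANNOTATION_PREFIX + name):
            findings.append(f"{name}: no AppArmor profile annotation")
    return findings


def has_default_deny_egress(policies: list, namespace: str) -> bool:
    """True if the namespace has a policy selecting every pod (empty podSelector)
    with Egress in policyTypes and no egress rules, i.e. all egress is denied."""
    for p in policies:
        if p.get("metadata", {}).get("namespace") != namespace:
            continue
        spec = p.get("spec", {})
        if (spec.get("podSelector", {}) == {}
                and "Egress" in spec.get("policyTypes", [])
                and not spec.get("egress")):
            return True
    return False


# Constructed samples: one weak pod, one hardened pod, one default-deny policy.
WEAK_POD = {
    "metadata": {"name": "web-weak", "namespace": "tenant-a"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "nginx",
                        "securityContext": {"privileged": True}}],
    },
}

HARDENED_POD = {
    "metadata": {
        "name": "web-hardened", "namespace": "tenant-a",
        "annotations": {SECCOMP_ANNOTATION: "runtime/default",
                        APPARMOR_ANNOTATION_PREFIX + "web": "runtime/default"},
    },
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web", "image": "nginx",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

DEFAULT_DENY_EGRESS = {
    "metadata": {"name": "default-deny-egress", "namespace": "tenant-a"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
    print("tenant-a default-deny egress:",
          has_default_deny_egress([DEFAULT_DENY_EGRESS], "tenant-a"))
```

Running it lists eight findings for the weak pod and none for the hardened one; the same checks map directly onto `docker run` flags on a single host (`--user`, `--cap-drop=ALL`, `--security-opt seccomp=...`, `--security-opt apparmor=...`, `--read-only`, no `--privileged`), so the script doubles as a checklist for the Docker side of the list.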

Difference between containers and sandboxing

Roll your own:

  • Containers
    • Using public registries leaves you vulnerable
    • Use your own private repos for deploying containers

Reduce attack surface

Reduce user access

Automation will allow more security to get baked in.

https://www.infoworld.com/article/3104030/security/5-keys-to-docker-container-security.html



https://blog.blackducksoftware.com/8-takeaways-nist-application-container-security-guide
https://www.vagrantup.com/downloads.html

https://www.vmware.com/products/thinapp.html

https://www.meetup.com/SEASec-East/events/249983387/

S3 buckets / Azure Blobs

https://docs.microsoft.com/en-us/azure/architecture/aws-professional/services

https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel: http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site: https://brakesec.com/bdswebsite

#iHeartRadio App: https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon: https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM: https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec