Automated Container Security - Continuous Lifecycle London
TRANSCRIPT
![Page 2: Automated Container Security - Continuous Lifecycle Londoncontinuouslifecycle.london/wp-content/uploads/2016/... · Automated Container Security ... Image trust RBAC Identity management](https://reader030.vdocuments.mx/reader030/viewer/2022041014/5ec56daa03cdf255a46fba31/html5/thumbnails/2.jpg)
Who is the guy on stage?
Container lifecycle
● CI integration
● Package vulnerability management
● Library vulnerability management
● Registry scan
● Image compliance
● Image trust
● RBAC
● Identity management
● Container compliance
● Runtime protection
Changes in the attack vector
New security challenges

| Docker | Virtual Machine / Bare Metal |
| --- | --- |
| No update mechanism: a running image is not patched in place, it has to be rebuilt and redeployed | Update mechanism keeps the OS up to date |
| No antivirus (device mapper) | Typical antivirus |
| Compliance (CIS Docker Benchmark) | -- |
| OS kernel is shared between containers | Hypervisor is the interface point |
```
docker run ubuntu
```
```dockerfile
FROM buildpack-deps:wheezy

# gpg keys listed at https://github.com/nodejs/node
# Import the release signers' public keys so the signature on SHASUMS256.txt
# can be checked below (the full key list is elided on the slide).
RUN set -ex \
  && for key in \
    9554F04D7259F04124DE6B476D5A82AC7E37093B \
    ...
  ; do \
    gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
  done

# NODE_VERSION is set by an ENV line elided here (docker history below shows 5.7.1).
# Fetch the tarball and the signed checksum list, then verify the signature:
# gpg --decrypt of the clear-signed SHASUMS256.txt.asc fails unless the signature
# is good, and writes the verified checksum list to SHASUMS256.txt.
RUN curl -SLO "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-x64.tar.xz" \
  ...
  && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \
  ...

CMD [ "node" ]
```
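The slide stops at the signature check; in the official node Dockerfile of that era the elided lines that follow grep the tarball's name out of the verified SHASUMS256.txt and pipe it to `sha256sum -c`. The following POSIX shell function is an added example (not code from the slides or the node project) that performs that last step in isolation and rejects the two cases a practitioner wants rejected: a list with no entry for the exact file name, and a download that no longer hashes to the listed value. The gpg step is assumed to have already run; the tarball contents and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the slides or the node project.
# verify_artifact FILE SUMS
#   Succeeds (exit 0) only when SUMS has a line for FILE's exact basename and
#   FILE's SHA-256 equals the listed value. SUMS is assumed to be the
#   signature-verified checksum list produced by the gpg step in the Dockerfile.
verify_artifact() {
    file="$1"
    sums="$2"
    [ -f "$file" ] || { echo "missing artifact: $file" >&2; return 1; }
    [ -f "$sums" ] || { echo "missing checksum list: $sums" >&2; return 1; }
    name=$(basename "$file")
    # Select the entry by exact string match on the name field, so a look-alike
    # name (or a regex-special character in ours) cannot satisfy the check.
    entry=$(awk -v n="$name" '$2 == n' "$sums")
    if [ -z "$entry" ]; then
        echo "no checksum entry for $name" >&2
        return 1
    fi
    # sha256sum -c recomputes the hash of the named file and compares it with
    # the listed one; run it where the file lives so the entry's name resolves.
    if ! (cd "$(dirname "$file")" && printf '%s\n' "$entry" | sha256sum -c --status -); then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    return 0
}

# --- constructed demo data (stand-ins for the real tarball and SHASUMS256.txt) ---
demo=$(mktemp -d)
tarball="$demo/node-v5.7.1-linux-x64.tar.xz"
printf 'not really a node tarball\n' > "$tarball"
(cd "$demo" && sha256sum node-v5.7.1-linux-x64.tar.xz > SHASUMS256.txt)
# A list that carries the right hash under a different file name.
sed 's/node-v5.7.1/node-v5.7.0/' "$demo/SHASUMS256.txt" > "$demo/SHASUMS256.wrong-name.txt"

if verify_artifact "$tarball" "$demo/SHASUMS256.txt"; then echo "intact tarball: accepted"; fi
if ! verify_artifact "$tarball" "$demo/SHASUMS256.wrong-name.txt"; then echo "list without our entry: rejected"; fi
printf 'x' >> "$tarball"   # tamper with the download
if ! verify_artifact "$tarball" "$demo/SHASUMS256.txt"; then echo "modified tarball: rejected"; fi
rm -rf "$demo"
```

Inside a RUN instruction the three steps (key import, signature check, checksum match) belong in one `&&` chain under `set -e`, as the Dockerfile above already does, so that any failure fails the build instead of leaving an unverified tarball in a layer.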
```
dima@icecream:~$ sudo docker history node
IMAGE          CREATED     CREATED BY                                      SIZE      COMMENT
940065556150   6 days ago  /bin/sh -c #(nop) CMD ["node"]                  0 B
5f4d45468b32   6 days ago  /bin/sh -c curl -SLO "https://nodejs.org/dist   37.42 MB
30f05ea42c64   6 days ago  /bin/sh -c #(nop) ENV NODE_VERSION=5.7.1        0 B
15224b5905c8   7 days ago  /bin/sh -c #(nop) ENV NPM_CONFIG_LOGLEVEL=inf   0 B
ac2b28ee0fd4   7 days ago  /bin/sh -c set -ex && for key in 9554F0         51.75 kB
7aad83ccd4c5   7 days ago  /bin/sh -c apt-get update && apt-get install    314.7 MB
575901a9b28b   7 days ago  /bin/sh -c apt-get update && apt-get install    122.6 MB
6b3946d5b323   7 days ago  /bin/sh -c apt-get update && apt-get install    44.32 MB
040bf8e08425   7 days ago  /bin/sh -c #(nop) CMD ["/bin/bash"]             0 B
73e8d4f6bf84   7 days ago  /bin/sh -c #(nop) ADD file:b5391cb13172fb513d   125.1 MB
```
CVE-2016-0800 is the DROWN attack; CVE-2016-0798 is a separate OpenSSL issue fixed in the same OpenSSL security advisory of 1 March 2016.
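The point of the slide is the "no update mechanism" row of the table above: the image in the `docker history` listing was built a week earlier on buildpack-deps:wheezy, and whatever OpenSSL it carries stays in every container started from it until the image is rebuilt. As an added example (not code from the slides or any vendor tool), the POSIX shell scanner below compares a package listing taken from an image against the versions that carry a security fix. The fixed version for openssl/libssl1.0.0 on wheezy is the one from Debian's DSA-3500-1 (DROWN, 1 March 2016); the installed listing and the libc6 entry are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the slides. Flags packages in an image whose
# installed version is older than the version that carries a security fix.

# version_ge A B: true when Debian version A is >= B. Uses dpkg's own comparator
# when present; otherwise GNU sort -V, which orders digit runs numerically and is
# adequate for security revisions (deb7u19 < deb7u20) but, unlike dpkg, does not
# know Debian's special ordering of '~'.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# report_vulnerable LISTING FIXES
#   LISTING: "package version" lines, as produced from an image by
#            docker run --rm IMAGE dpkg-query -W -f '${Package} ${Version}\n'
#   FIXES:   "package fixed-version" lines
#   Prints one line per listed package that is older than its fixed version.
report_vulnerable() {
    listing="$1"
    fixes="$2"
    printf '%s\n' "$fixes" | while read -r pkg fixed; do
        [ -n "$pkg" ] || continue
        installed=$(printf '%s\n' "$listing" | awk -v p="$pkg" '$1 == p { print $2 }')
        [ -n "$installed" ] || continue      # package not installed in this image
        if ! version_ge "$installed" "$fixed"; then
            printf '%s %s (fixed in %s)\n' "$pkg" "$installed" "$fixed"
        fi
    done
}

# Constructed listing, as a wheezy-based image built just before 1 March 2016
# might report it (illustrative versions, not taken from the slides).
SAMPLE_PACKAGES="libssl1.0.0 1.0.1e-2+deb7u19
openssl 1.0.1e-2+deb7u19
libc6 2.13-38+deb7u10
curl 7.26.0-1+wheezy13"

# openssl/libssl1.0.0: DROWN fix for wheezy, DSA-3500-1 (1 March 2016).
# libc6: made-up entry the listing already satisfies, to show the quiet path.
FIXED_VERSIONS="libssl1.0.0 1.0.1e-2+deb7u20
openssl 1.0.1e-2+deb7u20
libc6 2.13-38+deb7u10"

report_vulnerable "$SAMPLE_PACKAGES" "$FIXED_VERSIONS"
```

Run against a real image, the listing would come from `docker run --rm IMAGE dpkg-query -W -f '${Package} ${Version}\n'` and the fix table from the distribution's security tracker; the comparison logic is the same. A version that compares as fixed only says the package was rebuilt with the patch, which is why the scan has to be repeated against every image in the registry, not just the one that was rebuilt.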
```
user@host ~ $ docker kill a83
Error response from daemon: [Twistlock] The command 'container_kill' denied for user 'jake' by rule 'Default - Deny all'
```
Vulnerable