Practical Approaches to Container Security
Transcript of Practical Approaches to Container Security
An Open Discussion
Container Platform Security
Developer Security
Pipeline Security
//container platform security
Container Platform Security
● Involve Everyone - DevSecOps (or whatever)
● Context is Everything - Environment Specifics
● Exceptions Are Not the Norm
Container Platform Security
DO
● Assume there is a security sign-off
● Reason with design decisions that promote enhanced security
● Publish all security considerations
● Automate security configurations
● Monitor and alert on security violations
● Provide varying levels of “experimentation” and “production” resources
DON’T
● Design in a vacuum
● Make assumptions
● Presume the platform “includes all security”
● Ignore the requests of security related team members
● Permit privileged access instead of educating users
● Allow unverified images to run
//developer security
Development Security
● Reduce Friction - Quick and Easy Tooling
● Replicate Production - Local Environment Tooling
● Design for Security - Non-Risky User and FS Permissions
Development Security
DO
● Relax security to learn, but tighten to deploy
● Use local tools and automation to pre-scan images
● Document security related configurations
● Share & socialize security related learnings
● Work with build teams to streamline base images
DON’T
● Ask for, or expect, security exceptions
● Assume the new technology will “get by” old security policies
● Create custom images for every new app or build
● Run apps or containers as root
● Run multiple applications in a container
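The "use local tools to pre-scan images" and the three image-related DON'Ts above (unverified images, running as root, several applications in one container) can be checked before an image is ever built. The following is an added example, not part of the original deck: a small Dockerfile linter with its own rule names (UNPINNED_BASE, NO_DIGEST, ROOT_USER, MULTI_PROCESS), run here against two constructed Dockerfiles. The digest in the "good" sample is a placeholder of zeros, not a real image digest.

```python
"""Local pre-scan of a Dockerfile for the developer DON'Ts: unverified or
unpinned base images, running as root, and one container starting several
applications. Rule names and the multi-process heuristic are this example's own."""
import re

ROOT_USERS = {"root", "0"}
MULTI_PROCESS_RE = re.compile(r"\s&(?:\s|$)")  # "nginx & node app.js" style backgrounding


def parse_instructions(dockerfile):
    """Yield (INSTRUCTION, argument) pairs; joins backslash continuations and
    skips blank lines and comments."""
    buf = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        parts = (buf + line).split(None, 1)
        buf = ""
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def base_image_findings(image, aliases):
    """Flag base images that cannot be verified. A stage alias (FROM ... AS name)
    and 'scratch' are not external images and are skipped."""
    if image in aliases or image == "scratch":
        return []
    if "@sha256:" in image:
        return []  # digest-pinned: content-addressed, cannot drift between builds
    last = image.rsplit("/", 1)[-1]  # drop registry/namespace so host:port is not read as a tag
    tag = last.split(":", 1)[1] if ":" in last else None
    if tag is None or tag == "latest":
        return [("UNPINNED_BASE", f"{image}: no tag or ':latest' (unverified, changes between builds)")]
    return [("NO_DIGEST", f"{image}: tag but no digest; tags are mutable")]


def lint_dockerfile(dockerfile):
    """Return a list of (rule, message) findings for the given Dockerfile text."""
    findings = []
    aliases = set()
    user = None
    process_hints = []
    for inst, arg in parse_instructions(dockerfile):
        if inst == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]  # drop --platform=...
            image = tokens[0]
            findings += base_image_findings(image, aliases)
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                aliases.add(tokens[2])
            user = None  # USER does not carry over into a new stage
            process_hints = []
        elif inst == "USER":
            user = arg.split(":", 1)[0].strip()  # "root:root" -> "root"
        elif inst in ("CMD", "ENTRYPOINT"):
            if MULTI_PROCESS_RE.search(arg) or "supervisord" in arg:
                process_hints.append((inst, arg))
    # Only the final stage ships, so only its USER matters.
    if user is None:
        findings.append(("ROOT_USER", "no USER in final stage: the app runs as root"))
    elif user in ROOT_USERS:
        findings.append(("ROOT_USER", f"final stage sets USER {user}"))
    for inst, arg in process_hints:
        findings.append(("MULTI_PROCESS", f"{inst} {arg!r} appears to start more than one application"))
    return findings


# Constructed samples (not from the deck). The digest is a placeholder of zeros.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64
BAD_DOCKERFILE = """\
FROM node:latest
COPY . /app
RUN cd /app && npm install
CMD nginx & node /app/server.js
"""
GOOD_DOCKERFILE = f"""\
FROM --platform=linux/amd64 node:18-alpine@{PLACEHOLDER_DIGEST} AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev
FROM node:18-alpine@{PLACEHOLDER_DIGEST}
COPY --from=build /app /app
USER 1001:1001
ENTRYPOINT ["node", "/app/server.js"]
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(name, lint_dockerfile(text) or "clean")
```

Wire `lint_dockerfile` into a pre-commit hook or a make target so the same rules run on a laptop as in the pipeline; a developer then sees the finding minutes after writing the line, not after a release scan.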
//pipeline security
Pipeline Security
● Shift Left
● Automate All the Things
● Notify All of the Users
● Share and Socialize
Pipeline Security
DO
● Include non-intrusive security scanning as a regular testing process
● Replicate pipeline configuration locally (within reason)
● Run multiple scanning tools (defense in depth)
● Aggregate results and review as a team
DON’T
● Wait for security scans to be run post-release
● Throw scan failures “over the wall”
● Stop improving and optimizing the pipeline
● Manually configure pipelines
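"Run multiple scanning tools" and "aggregate results and review as a team" need a step that merges the scanners' output and applies one shared gate, so a failure is a pipeline result rather than something thrown over the wall. The following is an added example, not the deck's or any tool's code: the two scanner output shapes are constructed for this example (real scanners each have their own JSON schema, so the two adapter functions are what you would replace), and the CVE identifiers are placeholders.

```python
"""Aggregate findings from several image scanners into one report and apply a
single gate. Scanner output shapes, adapter names and the CVE ids are constructed
for this example and do not correspond to any particular tool."""
import json
from collections import Counter

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample output from two hypothetical scanners. Both flag the same
# placeholder CVE in 'openssl'; only the second also reports a LOW issue.
SCANNER_A_JSON = json.dumps({"results": [
    {"vuln_id": "CVE-0000-0001", "pkg": "openssl", "severity": "high"},
    {"vuln_id": "CVE-0000-0002", "pkg": "zlib", "severity": "medium"},
]})
SCANNER_B_JSON = json.dumps({"vulnerabilities": [
    {"id": "CVE-0000-0001", "package": "openssl", "level": "HIGH"},
    {"id": "CVE-0000-0003", "package": "bash", "level": "LOW"},
]})


def adapt_scanner_a(payload):
    """Hypothetical scanner A schema -> common record."""
    return [{"id": r["vuln_id"], "package": r["pkg"], "severity": r["severity"].upper()}
            for r in payload["results"]]


def adapt_scanner_b(payload):
    """Hypothetical scanner B schema -> common record."""
    return [{"id": r["id"], "package": r["package"], "severity": r["level"].upper()}
            for r in payload["vulnerabilities"]]


ADAPTERS = {"scanner-a": adapt_scanner_a, "scanner-b": adapt_scanner_b}


def aggregate(reports):
    """reports: list of (scanner_name, raw_json). Returns a dict keyed by
    (id, package) with the highest severity seen and the set of scanners that saw it,
    so the same issue reported twice counts once (defense in depth, not double noise)."""
    merged = {}
    for name, raw in reports:
        for rec in ADAPTERS[name](json.loads(raw)):
            key = (rec["id"], rec["package"])
            entry = merged.setdefault(key, {"severity": rec["severity"], "seen_by": set()})
            entry["seen_by"].add(name)
            if SEVERITY_RANK.get(rec["severity"], 0) > SEVERITY_RANK.get(entry["severity"], 0):
                entry["severity"] = rec["severity"]
    return merged


def gate(merged, fail_on=("CRITICAL", "HIGH")):
    """Decide pass/fail once for the whole team. Severities below the threshold
    are reported but do not block, which keeps the scan non-intrusive."""
    counts = Counter(e["severity"] for e in merged.values())
    blocking = sorted(k for k, e in merged.items() if e["severity"] in fail_on)
    return {"passed": not blocking, "counts": dict(counts),
            "blocking": blocking, "unique_findings": len(merged)}


def report_lines(merged):
    """Human-readable lines for the team review, highest severity first."""
    ordered = sorted(merged.items(),
                     key=lambda kv: -SEVERITY_RANK.get(kv[1]["severity"], 0))
    return [f"{e['severity']:<8} {vid} {pkg} (seen by: {', '.join(sorted(e['seen_by']))})"
            for (vid, pkg), e in ordered]


if __name__ == "__main__":
    merged = aggregate([("scanner-a", SCANNER_A_JSON), ("scanner-b", SCANNER_B_JSON)])
    print("\n".join(report_lines(merged)))
    print(gate(merged))
```

The gate threshold is a single value shared by every pipeline, so tightening it is one change rather than a per-project negotiation; the report lines are what goes into the team review rather than a raw dump from each tool.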
Be Curious
Ask Questions
Promote Security
Show Off
Quick list of some helpful tools:
- Container Platform: Docker & ‘oc cluster up’ or CDK
- Developer: openscap/atomic scan, sysdig inspect, IDE plugins (Fortify, OWASP, etc.)
- Pipelines: Docker & CI containers (i.e. Jenkins), Blackduck, SonarQube, JFrog X-Ray, OWASP ZAP, etc.