SACON - DevOps Container (Richard Bussiere)

Posted on 21-Jan-2018


SACON International 2017

Richard Bussiere, Tenable
Technical Director

India | Bangalore | November 10–11 | Hotel Lalit Ashok

Integrating Container Vulnerability Management into DevOps

SACON 2017

Agenda
• What's the Security Risk Introduced through Containers?
• What can we do about it?
• Short Demo
• Conclusions

How can you understand the vulnerabilities and risk that dynamic assets expose you to when the asset is here now, then gone?

Whack-a-Mole??

Can you answer these questions?

Every organization, no matter how large or small, should be able to answer these three fundamental questions at all times:
• How Exposed Are We?
• How Do We Proactively Reduce Our Exposure?
• How Secure Are We?

Measuring Cyber Exposure Leverages Vulnerability Management

• Live Discovery: live discovery of every modern asset across any computing environment
• Continuous Visibility: continuous visibility into where an asset is secure, or exposed, and to what extent
• Prioritize Exposure: add context to the exposure to prioritize and select the appropriate remediation technique
• Cyber Exposure Metric: apply Cyber Exposure data as a key risk metric for strategic decision support
• Communicate Cyber Risk: accurately represent and communicate cyber risk to the business, in business terms

Intersecting 3 Domains

Agile = Continuous Change

DevOps & Security: Disconnected?

Asked two different CISOs of two different major Indian telcos, "What's your container strategy?"
• Answer: "What's a container?"

Singapore
• Considering using DevOps in the near future…
• Most not sure if this stuff is actually present in their environments

Can security keep up with the pace?

DevOps is driving changes in IT architecture

Monolithic: built as a single, self-contained unit; components are interconnected and interdependent.
Microservices: built as a suite of modular services; components are loosely coupled and highly cohesive.

Application containers enable infrastructure modernization with microservices

Each microservice is hosted in a container and connected via APIs. Containers encapsulate a lightweight runtime environment for the application.

Microservices on containers provide:
• Faster development and deployment velocity
• Greater scalability to quickly create and destroy
• Increased operational efficiency and responsiveness

YouTube example: microservices and containers

Application containers are exploding in adoption…
• Docker Adoption [1]
• 8 Billion+ Docker container downloads [2]
• 500,000+ Dockerized apps in Docker Hub [2]

Sources: 1) Datadog, 2017; 2) Docker, 2017

Major Cyber Exposure Gap

• 18% of organizations with containers in production perform image scanning [1]
• Risk Assessment Index (organization's ability to assess cybersecurity risks) [2]: Containerization Platforms: score 52%, grade F; DevOps Environments: score 57%, grade F
• Average number of vulnerabilities in Docker Hub [3]: Official Images: 15.9; Community Images: 40.5

Sources: 1) Anchore, "Snapshot of the Container Ecosystem," 2017; 2) Tenable, "2017 Global Cybersecurity Assurance Report Card," 2017; 3) Tenable, "Sourcing Container Images from Docker Hosts," 2017

Modern applications raise the stakes with risk

"Modern applications are largely assembled, not developed, and developers often download and use known vulnerable open-source components and frameworks."
– Gartner

And organizations have taken notice

"Even if Docker certifies an app as being safe and effective, I'm not risking $11 billion on Docker telling me it's safe. We need extra assurance and to prove it to ourselves."
– James Ford, Chief Strategic Architect, ADP

Sharing Images: Docker Hub… Safe?

Traditional security approaches do not work with containers
1. Inability to use traditional VM techniques
2. Inability to remediate vulnerabilities
3. Short lifespan

Insanity: doing the same thing over and over again and expecting a different result

Think differently about protecting modern assets

Prevent container vulnerabilities by securing images prior to deployment
• Integrate container security into the DevOps toolchain
• Identify and remediate vulnerabilities before they are exploitable
• Ensure all container images are secure and compliant before production

What does this mean to Security and DevOps?

Enterprise Security:
• Ensure containers are part of a holistic Cyber Exposure program
• Reduce risk across a growing modern attack surface
• Identify and remediate vulnerabilities as early in the SDLC as possible

DevOps:
• Deliver quality, well-tested code at high velocity and scale
• Integrate security into the DevOps toolchain, without sacrificing speed
• Identify and remediate vulnerabilities as early in the SDLC as possible

Perform rapid vulnerability and malware detection testing within the DevOps toolchain

Out-of-the-box integrations with CI/CD build systems
• Jenkins, Bamboo, Shippable, Travis CI and more
• Import across container image registries
• Fully documented RESTful API for custom integrations

"Shift left" with security in the software development lifecycle

Pipeline stages: Source Control → Build → Test → Registry
Steps: Build Container → Unit Tests → API Tests → Security Tests → Push to Registry

Know what is inside a container before deployment

Produce a detailed bill of materials covering all layers and components:
• Libraries / binaries
• Configuration files
• Dependencies
• Applications

"At-a-glance visibility" into both container image inventory and security

Container Image Layers: Layer 1, Layer 2, Layer 3, Layer 4

Deep assessment of container images
• Assessment of container images by layer
• Detect the presence of malware in the layers
• Apply layer hierarchy intelligence to understand when vulnerabilities are mitigated in higher layers

Continuously protect containers from newly identified threats
• Continuously monitor in-production containers for new vulnerabilities
• Automatically re-test as new vulnerabilities are identified
• Respond to newly emerging risks to ensure continuous protection

Policy: ensure containers in production are compliant with policy
• Write container security policies that align to security goals and objectives
• Notify developers immediately when container images exceed organization risk thresholds
• Allow developers to take direct action with specific remediation advice
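As an added illustration of the layer-hierarchy assessment and the policy threshold gate described in the two slides above (example code written for this page, not Tenable's or the deck's), the following Python models an image as an ordered list of layers, attributes each finding to the layer that introduced the vulnerable package version, marks it mitigated when a higher layer upgrades past the fixed version, and fails the build when an unmitigated finding meets a CVSS threshold. All layer contents, package versions and VULN-* identifiers are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Layer:
    layer_id: str
    packages: dict  # package -> version that this layer installs or upgrades to

@dataclass
class Finding:
    vuln_id: str   # constructed placeholder, not a real advisory id
    package: str
    fixed_in: str  # first non-vulnerable version; lower versions are affected
    cvss: float

def _ver(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def assess(layers: list, findings: list) -> list:
    """Walk layers base-first: a finding is introduced by the last layer installing a
    vulnerable version and mitigated if a higher layer upgrades to fixed_in or beyond."""
    report = []
    for f in findings:
        introduced = mitigated_by = None
        for layer in layers:
            version = layer.packages.get(f.package)
            if version is None:
                continue
            if _ver(version) < _ver(f.fixed_in):
                introduced, mitigated_by = layer.layer_id, None  # (re)introduced here
            elif introduced is not None:
                mitigated_by = layer.layer_id  # higher layer carries the fix
        if introduced is not None:
            report.append({"vuln": f.vuln_id, "package": f.package, "cvss": f.cvss,
                           "introduced_in": introduced, "mitigated_by": mitigated_by})
    return report

def policy_gate(report: list, max_cvss: float = 7.0) -> tuple:
    """CI policy check: fail when any unmitigated finding meets the CVSS threshold."""
    reasons = [f"{r['vuln']} in {r['package']} (CVSS {r['cvss']}, layer {r['introduced_in']})"
               for r in report if r["mitigated_by"] is None and r["cvss"] >= max_cvss]
    return (not reasons, reasons)

# Constructed three-layer image and findings; versions and ids are illustrative only.
SAMPLE_LAYERS = [Layer("L1-base", {"openssl": "1.0.1", "zlib": "1.2.8"}),
                 Layer("L2-runtime", {"libxml2": "2.9.3"}),
                 Layer("L3-app", {"openssl": "1.0.2"})]  # upgrade fixes the L1 openssl finding
SAMPLE_FINDINGS = [Finding("VULN-A", "openssl", "1.0.2", 7.5),
                   Finding("VULN-B", "zlib", "1.2.9", 5.3),
                   Finding("VULN-C", "libxml2", "2.9.4", 9.1)]
```

The reasons list is what a CI integration would hand back to the developer so the flagged layer, package and score are actionable without re-reading the full report.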


Reduce costs by catching container vulnerabilities earlier

Cost of Fixing Defects in SDLC [1]: Design 1X; Implementation 7X; Testing 15X; Maintenance 100X

1) Source: Computer Business Review, "The cost of fixing bugs throughout the SDLC," March 2017

Reduce Costs
• Reduce costs by >85% by remediating vulnerabilities before deployment
• Reduce false positives and ensure developers do not waste time fixing non-vulns

Eliminate Blind Spots
Comprehensive insight into:
• Container image inventory
• Summary of vulnerabilities and malware
• Distribution of vulnerabilities by CVSS score and risk level

Accelerate DevOps
• Avoid slowing down existing DevOps processes and workflows
• <30 second security test within the DevOps toolchain
• Out-of-the-box integration with common CI/CD systems and container registries

The Entire Process Laid Out…
• Source Control: Gitlab, Github Enterprise, Github, Bitbucket Server, Bitbucket
• Build: Jenkins, Bamboo, Distelli, Wercker, Codeship
• Registry / Public Registry: container images live here before deployment
• Orchestration: Kubernetes, Swarm, Mesosphere, Cloud Foundry
• Container Host: Docker

Injecting Security into DevOps Workflow: Build → Public Registry / Registry → Orchestration → Container Host

When to Scan Container Images?
• Pre-production, by developer (Build, Public Registry)
• In production, automatically and continuously

Vulnerability Scanning with Modern Stacks

Stack, bottom to top: Server → Host OS → Container Engine → Containers (each container bundles Bins/Libs with an App or MySQL instance)

• Scan for vulns using "traditional" approaches
• Scan for vulns by scanning container images
• External web app scanning

Identify running container hosts… (Vulnerability Management)

…and harden hosts with the CIS Docker benchmark: Configuration, Patching, Permissions, Access, Sprawl

Try Tenable.io Container Security today

Try It for Free: tenable.com/try-container

60 Day Fully Operational Trial for FREE!!