vulnerability advisor deep dive (dec 2016)

Post on 15-Jan-2017


© 2016 IBM Corporation

IBM Bluemix

Chris Rosen, Senior Technical Offering Manager, IBM Bluemix Container Service

Vulnerability Advisor: Security at your fingertips with IBM Bluemix Container Service


Agenda

• Getting started with Docker
• Scared straight – security concerns everywhere
• IBM Bluemix Container Service
• DevSecOps
• Vulnerability Advisor details


docker pull wordpress
docker run wordpress

“Over 30% of Official Images in DockerHub Contain High Priority Security Vulnerabilities”

Banyan Ops report. Source: http://bit.ly/2eknhJs

“80% of attacks leverage known vulnerabilities and configuration management setting weaknesses”

US State Department report. Source: http://bit.ly/2esbkke

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. Source: http://heartbleed.com

The consequences of an attacker successfully exploiting this vulnerability on a Web server are serious in nature. For example, attackers may have the ability to dump password files or download malware on to infected computers. Once inside the victim’s firewall, the attackers could then compromise and infect other computers on the network. Source: http://symc.ly/2e1blNM

IBM Bluemix Container Service

• Fully managed hosted runtime
• Integrated logging and monitoring
• Private registry
• Container groups with integrated load balancing, auto-recovery, FQDN, auto-scaling
• Volume service for persistent data
• Overlay networking and IP management
• IBM provided content
• Cloud API consumption
• Advanced security features
• Built using Docker technology

IBM Bluemix Container Service

Personas: Value for both the provider and consumer

(Ex: User pushes their custom images into Container Service Registry)

I want to meet my organization’s security & compliance criteria without having to jump through a complex process

We want to make sure images don’t introduce malware and misbehaved applications into the IBM Cloud. Analyze and report in near real-time where vulnerabilities exist.

I want to enforce my organization’s security & compliance policies across our enterprise applications on Bluemix

I want to audit my organization’s overall compliance posture

Developers/Testers

IBM Cloud Security & Operations


§ The purpose and intent of DevSecOps is to build on the mindset that "everyone is responsible for security" with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.

Source: http://www.devsecops.org/blog/2015/2/15/what-is-devsecops

§ The goal of DevSecOps is to enable teams to release intrinsically secure software at the speed of DevOps.

§ Security as code

§ Integration with existing CI/CD pipelines

§ Ability to scan and run tests in every stage of deployment

Development + Security + Operations = DevSecOps


What is Vulnerability Advisor (VA)?

– VA is a service within IBM Bluemix Container Service combining platform visibility and threat intelligence for early detection of vulnerabilities.

– VA provides security and compliance insight into your Docker images and the containers that run in the IBM Cloud.

– VA reduces the effort, but does not change the responsibility model.

– VA is designed to scan new and existing images, flagging new vulnerabilities as they are disclosed.

– VA is intended to be used against all of your test, development, and production environments.

– VA uses introspection technology, so no agents or image modifications are required.


VA concepts

– Policy Violations
  – Configuring policy to determine if a vulnerable image can be deployed by users

– Vulnerable Packages
  – Analyzing a Docker image and container packages for security vulnerabilities

– Best Practice Improvements
  – A set of security checks
  – Provide recommendations to remediate

– Security Misconfigurations
  – A security misconfiguration issue in your application
  – Provide insight for remediating these misconfigurations

IBM Bluemix Container Service History

Milestones shown on the timeline (June 2015, July 2015, Sept 2015, Nov 2015, Oct 2016, Nov 2016):

• IBM Bluemix Container Service go-live in Dallas
• Vulnerability Advisor (VA) launches for image vulnerability scanning
• IBM Bluemix Container Service go-live in London
• VA scanning images for weak configurations and ability to set deployment policies
• VA scanning live containers
• Secure Config Advisor for applications
• VA scanning for POWER Docker images
• File-based malware detection
• Risk Analysis for discovered vulnerabilities
• Simplifying the user experience


VA: Day 0 image scanning

Create a container

Policy Violations

Vulnerable Packages

CVE - Common Vulnerabilities & Exposures

§ Publicly known security issues
§ Vulnerabilities
§ Exposures

https://lists.debian.org/debian-security-announce/2016/msg00227.html

Best Practice Improvements

Description: Minimum password length not specified in /etc/pam.d/common-password

Corrective Action: Minimum password length must be 8.
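An added example, not IBM's or VA's code: a Python version of the PAM best-practice check above, run over three constructed /etc/pam.d/common-password files. It looks for the minlen= module argument that pam_unix, pam_cracklib and pam_pwquality accept, and reports a finding in the same description / corrective-action shape the slide shows.

```python
import re
from typing import Optional

REQUIRED_MINLEN = 8  # the corrective action on the slide: minimum length must be 8

# Constructed sample files in Debian/Ubuntu common-password layout (not from a real image).
MISSING_MINLEN = """\
# /etc/pam.d/common-password - password-related modules common to all services
password  [success=1 default=ignore]  pam_unix.so obscure sha512
password  requisite                   pam_deny.so
password  required                    pam_permit.so
"""
WEAK_MINLEN = """\
password  requisite                   pam_pwquality.so retry=3 minlen=6
password  [success=1 default=ignore]  pam_unix.so obscure use_authtok sha512
"""
GOOD_MINLEN = """\
password  requisite                   pam_pwquality.so retry=3 minlen=12 difok=3
password  [success=1 default=ignore]  pam_unix.so obscure use_authtok sha512
"""


def configured_minlen(pam_text: str) -> Optional[int]:
    """Smallest minlen=N on any active 'password' line, or None if never set.
    Comments and blank lines are skipped. Reporting the smallest value is
    deliberately conservative so a weak setting on any line is surfaced."""
    values = []
    for raw in pam_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.split()[0] != "password":
            continue
        match = re.search(r"\bminlen=(\d+)\b", line)
        if match:
            values.append(int(match.group(1)))
    return min(values) if values else None


def check_password_minlen(pam_text: str) -> dict:
    """Produce a VA-style Best Practice finding for the minimum password length."""
    minlen = configured_minlen(pam_text)
    if minlen is None:
        description = "Minimum password length not specified in /etc/pam.d/common-password"
    elif minlen < REQUIRED_MINLEN:
        description = f"Minimum password length set to {minlen} in /etc/pam.d/common-password"
    else:
        return {"status": "pass", "minlen": minlen, "description": None, "corrective_action": None}
    return {"status": "fail", "minlen": minlen, "description": description,
            "corrective_action": f"Minimum password length must be {REQUIRED_MINLEN}."}
```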

VA: Secure Configuration Advisor


Apache: Vulnerable (use of insecure ciphers)

Summary of insecure configurations in detected application (Apache web server)

Use of insecure cipher suite in Apache web server configuration found


Apache: Remediated

V11: Version with insecure cipher suite was v10

The developer remediated the cipher suite in the Apache web server configuration and pushed a new Docker image. The scan verified that the fix resolved the vulnerability.

Container Instances

VA: Day 1+ container scanning

Deployed Containers

Deployed Containers - Report

VA: Policy management

Image Deployment Policies

VA: Administrator views

Complete Bluemix Organization Image List

Complete Bluemix Space Container List

VA: Risk Analysis

How bad is it really?

This pane shows the base score of the CVE with the highest base score in the image.

This pane shows the temporal score of that same CVE, the one whose base score is shown on the left.

Risk Analysis details

CVE-2015-0860
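An added example, not VA's or IBM's code, of what the two Risk Analysis panes compute: the image's highest base score on the left and that CVE's temporal score on the right. It assumes the CVSS v2 temporal formula (the deck does not name a CVSS version); the package list and the CVE-0000-000N identifiers are constructed placeholders, not real findings.

```python
from dataclasses import dataclass

# CVSS v2 temporal multipliers: E = Exploitability, RL = Remediation Level,
# RC = Report Confidence (values from the CVSS v2 specification).
EXPLOITABILITY = {"U": 0.85, "POC": 0.90, "F": 0.95, "H": 1.00, "ND": 1.00}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.00, "ND": 1.00}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.00, "ND": 1.00}


@dataclass(frozen=True)
class Finding:
    package: str
    cve: str              # placeholder IDs below, not real CVE identifiers
    base_score: float     # CVSS v2 base score as a scanner would report it
    temporal_vector: str  # CVSS v2 temporal vector, e.g. "E:F/RL:OF/RC:C"


# Constructed vulnerable-package list for one image (not real scan output).
IMAGE_FINDINGS = [
    Finding("dpkg", "CVE-0000-0001", 10.0, "E:U/RL:OF/RC:UR"),      # unproven exploit, official fix
    Finding("libssl1.0.0", "CVE-0000-0002", 7.5, "E:H/RL:U/RC:C"),  # exploit in the wild, no fix yet
    Finding("bash", "CVE-0000-0003", 4.3, "E:U/RL:U/RC:UC"),
]


def temporal_score(base_score: float, vector: str) -> float:
    """CVSS v2: TemporalScore = round_to_1_decimal(BaseScore * E * RL * RC)."""
    m = dict(part.split(":") for part in vector.split("/"))
    score = base_score * EXPLOITABILITY[m["E"]] * REMEDIATION_LEVEL[m["RL"]] * REPORT_CONFIDENCE[m["RC"]]
    return round(score, 1)


def risk_summary(findings):
    """Left pane: the CVE with the maximum base score in the image. Right pane:
    that CVE's temporal score. Also report the CVE that ranks highest once
    exploit maturity and fix availability are applied, which can differ."""
    worst_base = max(findings, key=lambda f: f.base_score)
    worst_temporal = max(findings, key=lambda f: temporal_score(f.base_score, f.temporal_vector))
    return {
        "max_base_cve": worst_base.cve,
        "max_base_score": worst_base.base_score,
        "temporal_of_max_base": temporal_score(worst_base.base_score, worst_base.temporal_vector),
        "max_temporal_cve": worst_temporal.cve,
        "max_temporal_score": temporal_score(worst_temporal.base_score, worst_temporal.temporal_vector),
    }


if __name__ == "__main__":
    for key, value in risk_summary(IMAGE_FINDINGS).items():
        print(f"{key}: {value}")
```

With the constructed data the CVE that tops the base-score pane (10.0) drops to 7.0 once its official fix and unproven exploit are weighed, while the unpatched 7.5 finding becomes the most urgent one.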

VA: Malware Detection

Additional Best Practice Rule for malware detection


Conclusion

Containers are the next generation of cloud computing.

According to Enterprise Technology Research, 97% of enterprises interviewed plan to implement Docker container technology.

Containers enable innovation and speed, but without the proper security insight they can lead to catastrophic problems for your business.

IBM Bluemix Container Service makes security a first class component of the offering and simplifies security insights.


Thank you!!

Chris Rosen, @ChrisRosen188, crosen@us.ibm.com
