practical approaches to container security
TRANSCRIPT
An Open Discussion
Container Platform Security
Developer Security
Pipeline Security
//container platform security
Container Platform Security
● Involve Everyone - DevSecOps (or whatever)
● Context is Everything - Environment Specifics
● Exceptions Are Not the Norm
Container Platform Security
DO
● Assume there is a security sign-off
● Reason with design decisions that promote enhanced security
● Publish all security considerations
● Automate security configurations
● Monitor and alert on security violations
● Provide varying levels of “experimentation” and “production” resources
DON’T
● Design in a vacuum
● Make assumptions
● Presume the platform “includes all security”
● Ignore the requests of security related team members
● Permit privileged access instead of educating users
● Allow unverified images to run
//developer security
Development Security
● Reduce Friction - Quick and Easy Tooling
● Replicate Production - Local Environment Tooling
● Design for Security - Non-Risky User and FS Permissions
Development Security
DO
● Relax security to learn, but tighten to deploy
● Use local tools and automation to pre-scan images
● Document security related configurations
● Share & socialize security related learnings
● Work with build teams to streamline base images
DON’T
● Ask for, or expect, security exceptions
● Assume the new technology will “get by” old security policies
● Create custom images for every new app or build
● Run apps or containers as root
● Run multiple applications in a container
//pipeline security
Pipeline Security
● Shift Left
● Automate All the Things
● Notify All of the Users
● Share and Socialize
Pipeline Security
DO
● Include non-intrusive security scanning as a regular testing process
● Replicate pipeline configuration locally (within reason)
● Run multiple scanning tools (defense in depth)
● Aggregate results and review as a team
DON’T
● Wait for security scans to be run post-release
● Throw scan failures “over the wall”
● Stop improving and optimizing the pipeline
● Manually configure pipelines
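As an added example that is not part of the slides, the developer DON'Ts above (root, unverified images, several applications in one container) and the pipeline DO on non-intrusive scanning can be turned into a small local pre-check; the two sample Dockerfiles and the digest are constructed for the example.

```python
import re

# Constructed sample Dockerfiles (not from the slides): one showing the DON'Ts, one corrected.
RISKY_DOCKERFILE = """\
FROM python:3.11
COPY . /app
CMD ["sh", "-c", "redis-server & python /app/app.py"]
"""

# Digest below is a constructed placeholder, not a real image digest.
HARDENED_DOCKERFILE = """\
FROM python:3.11@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY . /app
RUN useradd --system --no-create-home app
USER app
CMD ["python", "/app/app.py"]
"""

def parse_dockerfile(text):
    """Return (INSTRUCTION, argument) pairs; joins backslash continuations, drops comments."""
    joined = re.sub(r"\\\n", " ", text)
    pairs = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        inst, _, arg = line.partition(" ")
        pairs.append((inst.upper(), arg.strip()))
    return pairs

def check_dockerfile(text):
    """Return a list of findings for the DON'Ts above; an empty list means the file passes."""
    pairs = parse_dockerfile(text)
    findings = []
    # Who the app runs as is decided by the last USER instruction; with none, it is root.
    users = [arg for inst, arg in pairs if inst == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("runs as root: set a non-root USER before CMD/ENTRYPOINT")
    for inst, arg in pairs:
        if inst == "FROM":
            image = arg.split()[0]  # drop any "AS stage" suffix
            # A tag can be re-pushed with different content; a digest pins exactly one image.
            if "@sha256:" not in image:
                findings.append(f"base image not pinned by digest: {image}")
        # A lone '&' in the start command backgrounds one process to run another beside it.
        if inst in ("CMD", "ENTRYPOINT") and re.search(r"(?<!&)&(?!&)", arg):
            findings.append(f"{inst} starts more than one application: {arg}")
    return findings

if __name__ == "__main__":
    for name, text in (("risky", RISKY_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, check_dockerfile(text) or ["ok"])
```

Wiring this into a pre-commit hook or a CI test stage gives the non-intrusive, automated scan the pipeline DOs describe, with the findings visible to the developer rather than thrown over the wall.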
Be Curious
Ask Questions
Promote Security
Show Off
Quick list of some helpful tools:
- Container Platform
  - Docker & ‘oc cluster up’ or CDK
- Developer
  - openscap / atomic scan
  - sysdig inspect
  - IDE plugins - Fortify, OWASP, etc.
- Pipelines
  - Docker & CI containers (i.e. Jenkins)
  - Blackduck, SonarQube, JFrog Xray, OWASP ZAP, etc.