vulnerability advisor deep dive (dec 2016)
TRANSCRIPT
© 2016 IBM Corporation
IBM Bluemix
Chris Rosen, Senior Technical Offering Manager, IBM Bluemix Container Service
Vulnerability Advisor: Security at your fingertips with IBM Bluemix Container Service
Agenda
• Getting started with Docker
• Scared straight – security concerns everywhere
• IBM Bluemix Container Service
• DevSecOps
• Vulnerability Advisor details
docker pull wordpress
docker run wordpress
“Over 30% of Official Images in DockerHub Contain High Priority Security Vulnerabilities”
Banyan Ops report. Source: http://bit.ly/2eknhJs
“80% of attacks leverage known vulnerabilities and configuration management setting weaknesses”
US State Department report. Source: http://bit.ly/2esbkke
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. Source: http://heartbleed.com
The consequences of an attacker successfully exploiting this vulnerability on a Web server are serious in nature. For example attackers may have the ability to dump password files or download malware on to infected computers. Once inside the victim’s firewall, the attackers could then compromise and infect other computers on the network. Source: http://symc.ly/2e1blNM
IBM Bluemix Container Service
• Fully managed hosted runtime
• Integrated logging and monitoring
• Private registry
• Container groups with integrated load balancing, auto-recovery, FQDN, auto-scaling
• Volume service for persistent data
• Overlay networking and IP management
• IBM provided content
• Cloud API consumption
• Advanced security features
• Built using Docker technology
IBM BLUEMIX CONTAINER SERVICE
Personas (Developers/Testers; IBM Cloud Security & Operations): value for both the provider and consumer
(Ex: User pushes their custom images into Container Service Registry)
• “I want to meet my organization’s security & compliance criteria without having to jump through a complex process”
• “We want to make sure images don’t introduce malware and misbehaved applications into the IBM Cloud. Analyze and report in near real-time where vulnerabilities exist.”
• “I want to enforce my organization’s security & compliance policies across our enterprise applications on Bluemix”
• “I want to audit my organization’s overall compliance posture”
§ The purpose and intent of DevSecOps is to build on the mindset that "everyone is responsible for security" with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.
Source: http://www.devsecops.org/blog/2015/2/15/what-is-devsecops
§ The goal of DevSecOps is to enable teams to release intrinsically secure software at the speed of DevOps.
§ Security as code
§ Integration with existing CI/CD pipelines
§ Ability to scan and run tests in every stage of deployment
Development + Security + Operations = DevSecOps
What is Vulnerability Advisor (VA)?
– VA is a service within IBM Bluemix Container Service combining platform visibility and threat intelligence for early detection of vulnerabilities.
– VA provides security and compliance insight into your Docker images and the containers that run in the IBM Cloud.
– VA reduces the effort, but does not change the responsibility model: you still own the fix.
– VA is designed to scan new and existing images, flagging newly disclosed vulnerabilities in images that have already been scanned.
– VA is intended to be used against all of your test, development, and production environments.
– VA uses introspection technology, therefore no agents or image modifications are required.
VA concepts
– Policy Violations: configuring policy to determine if a vulnerable image can be deployed by users
– Vulnerable Packages: analyzing a Docker image and container packages for security vulnerabilities
– Best Practice Improvements: a set of security checks that provide recommendations to remediate
– Security Misconfigurations: a security misconfiguration issue in your application, with insight for remediating it
IBM Bluemix Container Service History
Timeline dates: June 2015, July 2015, Sept 2015, Nov 2015, Oct 2016, Nov 2016
Milestones, in the order shown on the timeline:
– IBM Bluemix Container Service go-live in Dallas
– Vulnerability Advisor (VA) launches for image vulnerability scanning
– IBM Bluemix Container Service go-live in London
– VA scanning images for weak configurations and ability to set deployment policies
– VA scanning live containers
– Secure Config Advisor for applications
– VA scanning for POWER Docker images
– File-based malware detection
– Risk Analysis for discovered vulnerabilities
– Simplifying the user experience
VA: Day 0 image scanning
Create a container
Policy Violations
Vulnerable Packages
CVE - Common Vulnerabilities & Exposures
§ Publicly known security issues
§ Vulnerabilities
§ Exposures
https://lists.debian.org/debian-security-announce/2016/msg00227.html
Best Practice Improvements
Description: Minimum password length not specified in /etc/pam.d/common-password
Corrective Action: Minimum password length must be 8.
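The minimum-password-length finding above is a file-based rule: the scanner reads /etc/pam.d/common-password out of the image filesystem and looks for a minlen setting on the password stack. The Python below is an added example written for this page, not Vulnerability Advisor's own rule code. It assumes the file contents have already been pulled out of the image (for instance with docker cp from a created container; that step is not shown), uses a constructed sample modelled on Debian's default common-password, and treats pam_unix.so, pam_pwquality.so and pam_cracklib.so as the modules that can enforce minlen (an assumption of the example). The corrective action, adding minlen=8, follows the slide.

```python
"""Added example: the "minimum password length" best-practice check on /etc/pam.d/common-password.
Not Vulnerability Advisor's own rule code; the sample file contents are constructed."""
import re

# Modules on the password stack that accept a minlen= option (example's assumption).
PASSWORD_MODULES = ("pam_unix.so", "pam_pwquality.so", "pam_cracklib.so")
REQUIRED_MINLEN = 8   # the corrective action on the slide

# Constructed sample modelled on Debian's default common-password (no minlen set).
DEFAULT_COMMON_PASSWORD = """\
# /etc/pam.d/common-password - password-related modules common to all services
password\t[success=1 default=ignore]\tpam_unix.so obscure sha512
password\trequisite\t\t\tpam_deny.so
password\trequired\t\t\tpam_permit.so
"""


def parse_pam_rule(line):
    """Split one PAM rule into (type, control, module, args); control may be [bracketed]."""
    rule_type, rest = line.split(None, 1)
    if rest.startswith("["):
        end = rest.index("]") + 1
        control, rest = rest[:end], rest[end:]
    else:
        control, rest = rest.split(None, 1)
    fields = rest.split()
    return rule_type, control, fields[0], fields[1:]


def _password_rules(text):
    """Yield (index, raw line, module, args) for password-stack rules on a module that takes minlen."""
    for idx, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if not line or line.startswith(("#", "@")):
            continue
        try:
            rule_type, _control, module, args = parse_pam_rule(line)
        except (ValueError, IndexError):
            continue   # malformed rule; a real scanner would report it separately
        if rule_type == "password" and module in PASSWORD_MODULES:
            yield idx, raw, module, args


def minlen_findings(text, required=REQUIRED_MINLEN):
    """Return the list of findings; an empty list means the check passes."""
    settings = []
    for idx, _raw, module, args in _password_rules(text):
        for arg in args:
            m = re.fullmatch(r"minlen=(\d+)", arg)
            if m:
                settings.append((idx + 1, module, int(m.group(1))))
    if not settings:
        return [f"Minimum password length not specified; set minlen={required}"]
    lineno, module, best = max(settings, key=lambda s: s[2])
    if best < required:
        return [f"line {lineno}: {module} minlen={best} is below the required {required}"]
    return []


def remediate(text, required=REQUIRED_MINLEN):
    """Apply the corrective action: raise existing minlen values, or add one to the first eligible rule."""
    lines = text.splitlines()
    first_eligible, has_minlen = None, False
    for idx, raw, _module, args in _password_rules(text):
        if first_eligible is None:
            first_eligible = idx
        if any(a.startswith("minlen=") for a in args):
            has_minlen = True
            lines[idx] = re.sub(r"minlen=(\d+)",
                                lambda m: f"minlen={max(required, int(m.group(1)))}", raw)
    if not has_minlen and first_eligible is not None:
        lines[first_eligible] = lines[first_eligible].rstrip() + f" minlen={required}"
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in minlen_findings(DEFAULT_COMMON_PASSWORD):
        print("FINDING:", finding)
    print(remediate(DEFAULT_COMMON_PASSWORD))
```

The check reports on the highest minlen it finds, since any module on the stack that enforces 8 satisfies the rule; note that pam_pwquality's credit options can lower the effective length, which this example does not model.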
VA: Secure Configuration Advisor
Apache: Vulnerable. Use of insecure ciphers
Summary of insecure configurations in detected application (Apache web server)
Use of insecure cipher suite in Apache web server configuration found
Apache: Remediated. Developer fixed the cipher suite in Apache web server configuration and pushed a new Docker image. The scan verified the fix.
V11: Version with insecure cipher suite was v10
The developer remediated the cipher suite in Apache web server configuration and created a new Docker image. The scan has verified the fix resolved the vulnerability.
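The v10/v11 story above is a configuration check run twice: once against the weak SSLCipherSuite, once against the fix. The Python below is an added example in the spirit of that Secure Configuration Advisor finding, not IBM's scanner code. The weak-keyword list, the "broad selector needs explicit exclusions" rule and the two Apache configs standing in for v10 and v11 are all constructed for this page; the cipher-list handling is a simplified reading of OpenSSL syntax in which "!" kills a keyword for good, "-" removes it until a later "+" re-adds it, and bare or "+" tokens enable it.

```python
"""Added example: flag weak cipher keywords in Apache SSLCipherSuite directives.
Not Vulnerability Advisor's rule code; keyword lists and sample configs are this example's own."""

# OpenSSL cipher-list keywords that select ciphers a 2016-era scanner would flag.
WEAK_KEYWORDS = {"RC4", "DES", "3DES", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
                 "LOW", "MD5", "NULL", "aNULL", "eNULL", "ADH", "AECDH", "SSLv2"}
# Broad selectors that pull in weak ciphers unless those are explicitly killed with "!".
BROAD_KEYWORDS = {"ALL", "COMPLEMENTOFALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}
# Exclusions the example requires whenever a broad selector is used.
REQUIRED_EXCLUSIONS = ("aNULL", "eNULL", "RC4", "MD5", "EXP", "LOW")

# Constructed configs standing in for the slide's v10 (weak) and v11 (fixed) images.
V10_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!aNULL:!eNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP
</VirtualHost>
"""
V11_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXP:!LOW
</VirtualHost>
"""


def cipher_suite_findings(config_text):
    """Return (line number, message) pairs for every SSLCipherSuite that leaves weak ciphers enabled."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].lower() != "sslciphersuite":
            continue
        active, killed = {}, set()   # dict keeps keyword order so output is stable
        for token in parts[1].strip('"').split(":"):
            keywords = token.lstrip("!-+").split("+")   # "RC4+RSA" names two keywords
            if token.startswith("!"):        # permanently removed from the list
                killed.update(keywords)
            elif token.startswith("-"):      # removed, but a later "+" may bring it back
                for kw in keywords:
                    active.pop(kw, None)
            else:                            # bare or "+" token: enabled
                for kw in keywords:
                    active.setdefault(kw, None)
        for kw in active:
            if kw in WEAK_KEYWORDS and kw not in killed:
                findings.append((lineno, f"weak cipher keyword {kw} is enabled"))
            if kw in BROAD_KEYWORDS:
                for needed in REQUIRED_EXCLUSIONS:
                    if needed not in killed:
                        findings.append((lineno, f"{kw} is used without !{needed}"))
    return findings


if __name__ == "__main__":
    for label, config in (("v10", V10_CONFIG), ("v11", V11_CONFIG)):
        result = cipher_suite_findings(config)
        print(f"{label}: {'clean' if not result else ''}")
        for lineno, message in result:
            print(f"  line {lineno}: {message}")
```

Running the check on the fixed config returning nothing is what "the scan verified the fix" amounts to; keyword matching is deliberately conservative, so a cipher list that still works but relies on a broad selector without the expected exclusions is reported rather than silently accepted.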
Container Instances
VA: Day 1+ container scanning
Deployed Containers
Deployed Containers - Report
VA: Policy management
Image Deployment Policies
VA: Administrator views
Complete Bluemix Organization Image List
Complete Bluemix Space Container List
VA: Risk Analysis
How bad is it really?
This pane shows the base score of the CVE with the highest base score in the image.
This pane shows the temporal score of that same CVE, the one with the maximum base score shown on the left.
Risk Analysis details
CVE-2015-0860
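The deck does not say which scoring system the base and temporal scores come from; the added example below assumes CVSS version 2, the scheme in general use when this deck was written, and implements its base and temporal equations together with the "highest base score in the image" selection the two panes describe. It is not Vulnerability Advisor's code, and the sample image uses placeholder identifiers (CVE-XXXX-0001, CVE-XXXX-0002) with constructed vectors; it makes no claim about the scores VA showed for CVE-2015-0860.

```python
"""Added example: CVSS v2 base and temporal scoring behind a "how bad is it" risk view.
Not Vulnerability Advisor's code; the sample image below uses placeholder CVE ids and vectors."""
from decimal import Decimal, ROUND_HALF_UP

# Base metric weights from the CVSS v2 specification.
AV = {"L": "0.395", "A": "0.646", "N": "1.0"}       # Access Vector
AC = {"H": "0.35", "M": "0.61", "L": "0.71"}         # Access Complexity
AU = {"M": "0.45", "S": "0.56", "N": "0.704"}        # Authentication
CIA = {"N": "0.0", "P": "0.275", "C": "0.660"}       # Confidentiality/Integrity/Availability impact
# Temporal metric weights; "ND" (not defined) leaves the base score unchanged.
E = {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"}    # Exploitability
RL = {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0", "ND": "1.0"}  # Remediation Level
RC = {"UC": "0.90", "UR": "0.95", "C": "1.0", "ND": "1.0"}               # Report Confidence


def _round1(value):
    """CVSS rounds to one decimal, half up; Decimal avoids binary-float surprises on values like 5.8725."""
    return float(value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:P/I:P/A:P[/E:POC/RL:OF/RC:C]' -> dict of metric -> value."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def base_score(vector):
    """CVSS v2 base equation: 0.6*Impact + 0.4*Exploitability - 1.5, scaled by f(Impact)."""
    m = parse_vector(vector)
    one = Decimal(1)
    impact = Decimal("10.41") * (one - (one - Decimal(CIA[m["C"]]))
                                       * (one - Decimal(CIA[m["I"]]))
                                       * (one - Decimal(CIA[m["A"]])))
    exploitability = Decimal(20) * Decimal(AV[m["AV"]]) * Decimal(AC[m["AC"]]) * Decimal(AU[m["Au"]])
    f_impact = Decimal(0) if impact == 0 else Decimal("1.176")
    return _round1((Decimal("0.6") * impact + Decimal("0.4") * exploitability - Decimal("1.5")) * f_impact)


def temporal_score(vector):
    """Temporal score = rounded base score scaled by E, RL and RC (a missing metric counts as ND)."""
    m = parse_vector(vector)
    base = Decimal(str(base_score(vector)))
    return _round1(base * Decimal(E[m.get("E", "ND")]) * Decimal(RL[m.get("RL", "ND")])
                   * Decimal(RC[m.get("RC", "ND")]))


def image_risk(cve_vectors):
    """What the two Risk Analysis panes show: the CVE with the highest base score in the
    image, with its base score (left pane) and its temporal score (right pane)."""
    worst = max(cve_vectors, key=lambda cve: base_score(cve_vectors[cve]))
    return worst, base_score(cve_vectors[worst]), temporal_score(cve_vectors[worst])


# Constructed sample: placeholder CVE ids and vectors, not the data VA showed for CVE-2015-0860.
SAMPLE_IMAGE = {
    "CVE-XXXX-0001": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",   # remote, PoC exploit, official fix
    "CVE-XXXX-0002": "AV:L/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C",     # local, exploit unproven
}

if __name__ == "__main__":
    cve, base, temporal = image_risk(SAMPLE_IMAGE)
    print(f"worst CVE in image: {cve}  base={base}  temporal={temporal}")
```

The temporal score is the practical answer to "how bad is it really": a 7.5 base with only a proof-of-concept exploit and an official fix available comes down to 5.9, which is the same downgrade a patch-priority decision would make by hand.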
VA: Malware Detection
Additional Best Practice Rule for malware detection
Conclusion
Containers are the next generation of cloud computing.
According to Enterprise Technology Research, 97% of enterprises interviewed plan to implement Docker container technology.
Containers enable innovation and speed, but without the proper security insight they can lead to catastrophic problems for your business.
IBM Bluemix Container Service makes security a first class component of the offering and simplifies security insights.