SECURING CONTAINERS WITH A DEFENSIVE MINDSET

[~]$ WHOAMI
PRASON PANDEY
$DEVSECOPS ENGINEER @REDUCT NEPAL

PUTTING EVERYTHING INSIDE CONTAINER
- OS
- Source
- Dependency
- Services
- File System

STATS
- 2023: 70%+ of global orgs run 2+ containerized apps in production.
- Docker is the #1 most loved (Stack Overflow Survey).
- Containerization - The Future of the Cloud.

WHAT ABOUT SECURITY? WHY?
- Cryptominers are everywhere.
- 87% of container images in production are vulnerable.
- Containers are hackers' favorite target.

SECURITY PARADIGM
- Development
- Runtime Security

DEVELOPMENT

RIGHT BASE IMAGE
- Choose base images from reputable sources.
- Use lightweight images to reduce attack surface (Alpine).
- DOCKER_CONTENT_TRUST=1

RESOURCES LIMITING
- Containers depend on system resources: CPU, memory, storage.
- Resource overuse in containers leads to performance problems and even system crashes.
- Limit resources through Dockerfile.

SECRET HANDLING
- Top priority: protect credentials and cryptographic keys.
- Avoid hard-coding sensitive information.
- Utilize secret management tools.
- Implement regular security audits and secret scans.

WRITING SECURE CODE
- Build with security as a top priority.
- Perform routine code vulnerability scans (manual + automated).
- Vet and monitor third-party libraries.
- Scan code pre-runtime.

LEAST PRIVILEGE
- Follow the principle of least privilege.
- Use non-root user accounts within containers.
- Do not use the --privileged flag unless really required.
- Avoid the '--network host' option in container setups to maintain network segmentation.

RUNTIME SECURITY

1. CAPABILITIES: KEEP IT OR DROP IT
- Linux capabilities grant specific privileges to processes.
- Docker supports the addition and removal of capabilities.
- Remove unnecessary capabilities to enhance security.

2. TRIVY

3. SECCOMP: STOPPING SYSCALLS
- Seccomp allows filtering of syscalls.
- Since version 1.10, Docker applies a default seccomp profile.
- Remove unnecessary syscalls to enhance security.

4. STRACE

5. GVISOR
- Application kernel, written in Go.
- Provides a virtualized environment in order to sandbox containers.
- gVisor runs anywhere Linux does.
- ARCHITECTURE
- COMMUNITY DRIVEN

THANK YOU!
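Added example (not part of the original deck) tying the SECCOMP and STRACE slides together: it parses `strace -f` output captured from the application, collects the syscalls actually used, and emits a default-deny Docker seccomp profile that can be loaded with `docker run --security-opt seccomp=profile.json`. The strace lines and the `/app/server` path are constructed sample data, not a real trace.

```python
"""Turn an strace capture into a default-deny Docker seccomp profile."""
import json
import re

# strace -f prefixes each line with "[pid N] " (or "N  "); a normal call
# starts with the syscall name, an interrupted one with "<... name resumed>".
_PREFIX = r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?"
_CALL = re.compile(_PREFIX + r"([a-z_][a-z0-9_]*)\(")
_RESUMED = re.compile(_PREFIX + r"<\.\.\. ([a-z_][a-z0-9_]*) resumed>")

# Always needed so the process can terminate and return from signal handlers.
_BASELINE = ("exit", "exit_group", "rt_sigreturn")


def syscalls_from_strace(trace_text):
    """Return the sorted set of syscall names that appear in the trace."""
    seen = set()
    for line in trace_text.splitlines():
        match = _CALL.match(line) or _RESUMED.match(line)
        if match:  # signal/exit markers ("--- SIGCHLD", "+++ exited") are skipped
            seen.add(match.group(1))
    return sorted(seen)


def build_profile(trace_text):
    """Allow only the traced syscalls; everything else fails with EPERM."""
    allowed = sorted(set(syscalls_from_strace(trace_text)) | set(_BASELINE))
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": allowed, "action": "SCMP_ACT_ALLOW"}],
    }


# Constructed sample of `strace -f` output for a hypothetical /app/server.
SAMPLE_TRACE = """\
[pid  4242] execve("/app/server", ["/app/server"], 0x7ffd1234abcd /* 8 vars */) = 0
[pid  4242] openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid  4242] read(3, "\\177ELF", 832) = 832
[pid  4242] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[pid  4242] bind(4, {sa_family=AF_INET, sin_port=htons(8080)}, 16) = 0
[pid  4243] <... read resumed>"x", 1) = 1
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
+++ exited with 0 +++
"""

if __name__ == "__main__":
    # Write profile.json, then: docker run --security-opt seccomp=profile.json ...
    with open("profile.json", "w") as fh:
        json.dump(build_profile(SAMPLE_TRACE), fh, indent=2)
```

The allowlist is only as complete as the trace: exercise every code path (startup, signal handling, shutdown) before trusting it, or the container will fail with EPERM on an untraced call.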