1 TCS Confidential
How secure are your Docker Images?
Manideep Konakandla
Carnegie Mellon University @Bsides SF – Feb 13, 2017
2
Who am I? Hmm, yeah - Shameless Bragging
• J.N Tata Scholar, ISC2 Scholar, RSA Conference Security Scholar etc.
• Master’s Student (Graduating in May ’17) + Security Researcher at CMU
• Authored a book on Info Sec & Ethical Hacking at the age of 20
• Featured in INDIA’s largest newspapers and news channels
• 10 certifications + Trained 15,000+ people in Information Security
• Ex “Team Lead – Core Security & Data Analytics” at TCS
• Interest areas: Container Security, Application Security, System Security etc.
More details about me on www.manideepk.com
3
What am I up to with Containers?
• Co-author, Contributor for CIS Docker 1.12 & 1.13 benchmarks
• Extensive research at Carnegie Mellon (CMU)
• Presented (/will be presenting) at OWASP AppsecUSA, Container World etc.
• Cloud Security Research Intern @Adobe last Summer
5
What are we doing for next 30 mins?
A.B.C.D….
• Containers in 45 seconds
• Container Pipeline, Risk Areas and our Scope
Images Security
• Dockerfile
• Building
• Maintaining/Consuming
• Enterprise zone
Benchmark to assess security of your Docker Images
Wrap up
7
Containers in 45 seconds (Quick “60 second” Intro)
Containers?
• Lightweight
• Application centric
• No more “it works on my machine”
• Micro-services
• Namespaces: Isolation (PID, User, Network, IPC, Mount, UTS)
• Cgroups: Isolates, limits and accounts resource usage (CPU, memory etc.)
BUZZ……….! Are containers brand new?
Img Ref: www.docker.com
8
Container Pipeline, Risk Areas and our Scope
Risk areas in the pipeline:
• Host security
• Daemon security
• Client <=> daemon communication
• Communication with public/private registry
• Registry’s security
• Containers
• Images (our scope)
Ref: Modified version of image on www.docker.com
11
Security of “Dockerfile”
• Do not write secrets in the Dockerfile (Info Disclosure). Use secret management solutions (Twitter’s Vine)
• Create a USER, or else the container will run as root (Privilege escalation)
• Follow version pinning for images, packages (no ‘latest’) etc. (Caching Issue)
• Remove unnecessary setuid, setgid permissions (Privilege escalation)
• Do not write any kind of update instruction alone in the Dockerfile (Caching)
• Download packages securely using GPG (MITM) and also do not download unnecessary packages (Increased attack surface)
• Use COPY instead of ADD (Increased attack surface)
• Use the HEALTHCHECK command (Best practice)
• Use gosu instead of sudo wherever possible
• Try to restrict an image (/container) to one service
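An added example (not from the talk or from any CIS tooling): a small Python linter that parses a Dockerfile and reports which of the rules on this slide it breaks, run over a constructed weak Dockerfile and its hardened form. The rule names, the sample Dockerfiles and the PINNED_VERSION placeholder are assumptions made here for illustration.

```python
import re
# Constructed sample Dockerfile that breaks several of the rules on this slide.
WEAK_DOCKERFILE = """\
FROM ubuntu:latest
ENV DB_PASSWORD=hunter2
RUN apt-get update
ADD app.tar.gz /opt/app/
"""

# Constructed hardened form; PINNED_VERSION is a placeholder for a real version pin.
HARDENED_DOCKERFILE = """\
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y curl=PINNED_VERSION \\
    && rm -rf /var/lib/apt/lists/*
COPY app/ /opt/app/
RUN useradd -r app
USER app
HEALTHCHECK CMD curl -f http://localhost:8080/ || exit 1
CMD ["/opt/app/run.sh"]
"""
SECRET_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)\s*=", re.I)
def parse_instructions(text):
    # Join backslash-continued lines, skip comments, return (INSTRUCTION, args) pairs.
    joined = re.sub(r"\\\s*\n\s*", " ", text)
    pairs = []
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            word, _, rest = line.partition(" ")
            pairs.append((word.upper(), rest.strip()))
    return pairs

def lint_dockerfile(text):
    # Return the sorted names of the slide's rules that the Dockerfile violates.
    instr = parse_instructions(text)
    names = {name for name, _ in instr}
    findings = set()
    for name, args in instr:
        if name == "ENV" and SECRET_RE.search(args):
            findings.add("secret-in-dockerfile")   # information disclosure
        if name == "FROM" and re.match(r"\S+:latest\b|[^:\s]+(\s|$)", args):
            findings.add("unpinned-base-image")    # 'latest' or no tag at all
        if name == "ADD":
            findings.add("add-instead-of-copy")    # ADD also unpacks archives / fetches URLs
        if name == "RUN" and re.search(r"\b(apt-get|apk|yum) update\b", args) and "install" not in args:
            findings.add("update-alone")           # cached layer goes stale
    for required in ("USER", "HEALTHCHECK"):       # root by default / health best practice
        if required not in names:
            findings.add("missing-" + required.lower())
    return sorted(findings)
```

The hardened Dockerfile produces no findings; a digest-pinned base image (`image@sha256:...`) also passes the tag check.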
13
Maintaining/Consuming Images
• Docker Content Trust
- Provides authenticity, integrity and freshness guarantees
- Takes some time to understand & prepare a production setup (worth it!)
• Vulnerability-free Images
- Tool selection: binary-level analysis + hash based
- Tool recommendation (Meet me!)
• Except for compatibility issues, all images and packages must be up-to-date
14
Enterprise zone (Personal users ALLOWED!)
• Do not use Docker Hub Images
- Why?
- How about Docker Store?
• Maintain your own in-house registries
• Perform image optimization techniques (I did not explore this!)
• Use commercial tools (meet me for recommendations) which provide
- Image Lockdown
- RBAC etc.
• Use file monitoring solutions to monitor any malicious changes in image layers
• Have separate patch, vulnerability (and any other) management procedures for container ecosystems (including Images)
• Customize CIS Docker benchmarks as per your requirements and adhere to them
20
References
1. CIS Docker Benchmarks - 1.12 and 1.13
2. https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf
3. www.oreilly.com/webops-perf/free/files/docker-security.pdf
4. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
5. http://www.slideshare.net/Docker/docker-security-workshop-slides
6. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231
7. https://docs.docker.com/engine/security/
8. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence
21
That’s it…!
You can collect my V-Card
Reach me on www.manideepk.com for any questions