SlideShare a Scribd company logo

Deep Dive into Container Security

WhiteSource, profile picture
WhiteSource

The document discusses container security, highlighting the reliance on open source components and the significant increase in reported vulnerabilities. It outlines best practices for integrating security into DevOps workflows, including the use of private registries, image scanning, and implementing CI/CD gates. Key recommendations include managing deployments, validating image signatures, and employing role-based access control.

Software
1 of 21
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Deep Dive into Container Security Shiri Ivtsan, Product Manager
Monolith to Microservice and Container
Container Lifecycle Build RunShip
Open Source 96.8% Of the developers rely on Open Source components
Number of Reported Open Source Vulnerabilities GREW by 51.2% in 2017 https://www.whitesourcesoftware.com/open-source-vulnerability-management-report
Open Source Challenges https://www.whitesourcesoftware.com/open-source-vulnerability-management-report 1One challenging area in particular is pronounced https://www.whitesourcesoftware.com/open-source-vulnerability-management-report
The Common Way of Handling Security Vulnerabilities Security teams analyze and prioritize vulnerabilities Sending emails or opening issues/tickets Closing the loop on resolution is hard
Bridging the Gap is a Must Security DevOps Developers
How to Bake Security Into Existing Workflows
Let’s Start With Some Questions ▪ Do you use a private registry? ▪ When using a public registry, are the images signed? ▪ Do you regularly scan your images? ▪ How quickly are images rebuilt with security fixes?
CI/CD Gates Integrate security testing into your build and CI process DevOps Build TestDeploy
CI/CD Gates Use automated policies to fail builds with issues
Security Layers Scan across the lifecycle:
Trusted Sources Use private registries and sign images from public registries
Step 3: Don’t Use Defaults Enable Role-Based Access Control (RBAC) in your container orchestration
Step 3: Don’t Use Defaults Use Namespaces to Establish Security Boundaries
Manage Deployments Prevent deployment of images with known vulnerabilities
Manage Deployments Prevent deployment of containers that require root
Manage Deployments Validate image signatures
Monitor for new vulnerabilities Manage Deployments
Thank You!

More Related Content

PDF
Open Source Security at Scale- The DevOps Challenge 
WhiteSource
 
PDF
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
WhiteSource
 
PDF
Taking Open Source Security to the Next Level
WhiteSource
 
PDF
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
WhiteSource
 
PDF
The Challenges of Scaling DevSecOps
WhiteSource
 
PDF
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
WhiteSource
 
PDF
The State of Open Source Vulnerabilities Management
WhiteSource
 
PPTX
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
WhiteSource
 
Open Source Security at Scale- The DevOps Challenge 
WhiteSource
 
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
WhiteSource
 
Taking Open Source Security to the Next Level
WhiteSource
 
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
WhiteSource
 
The Challenges of Scaling DevSecOps
WhiteSource
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
WhiteSource
 
The State of Open Source Vulnerabilities Management
WhiteSource
 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
WhiteSource
 

What's hot (20)

PDF
Tackling the Risks of Open Source Security: 5 Things You Need to Know
WhiteSource
 
PPTX
Automating Open Source Security: A SANS Review of WhiteSource
WhiteSource
 
PDF
Open Source Security: How to Lay the Groundwork for a Secure Culture
WhiteSource
 
PPTX
DevSecOps outline
Nickleus Jimenez
 
PPTX
DevSecOps
Joel Divekar
 
PDF
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
DevOps.com
 
PDF
RoboCop: Bringing Law and Order to CI/CD
Franklin Mosley
 
PDF
Tackling the Container Iceberg:How to approach security when most of your sof...
WhiteSource
 
PDF
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
SecureSoftwareDevOn SecureSoftwareDevOn
 
PPTX
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevOps Indonesia
 
PDF
Getting to Know Security and Devs: Keys to Successful DevSecOps
Franklin Mosley
 
PDF
PIACERE - DevSecOps Automated
PIACERE
 
PDF
Container Security: What Enterprises Need to Know
DevOps.com
 
PPTX
Open Source Libraries - Managing Risk in Cloud
Suman Sourav
 
PPTX
Secure DevOPS Implementation Guidance
Tej Luthra
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
PPTX
Agile and Secure SDLC
Nazar Tymoshyk, CEH, Ph.D.
 
PDF
Empowering Financial Institutions to Use Open Source With Confidence
WhiteSource
 
PPTX
A journey from dev ops to devsecops
Veritis Group, Inc
 
PPTX
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
WhiteSource
 
Tackling the Risks of Open Source Security: 5 Things You Need to Know
WhiteSource
 
Automating Open Source Security: A SANS Review of WhiteSource
WhiteSource
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
WhiteSource
 
DevSecOps outline
Nickleus Jimenez
 
DevSecOps
Joel Divekar
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
DevOps.com
 
RoboCop: Bringing Law and Order to CI/CD
Franklin Mosley
 
Tackling the Container Iceberg:How to approach security when most of your sof...
WhiteSource
 
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
SecureSoftwareDevOn SecureSoftwareDevOn
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevOps Indonesia
 
Getting to Know Security and Devs: Keys to Successful DevSecOps
Franklin Mosley
 
PIACERE - DevSecOps Automated
PIACERE
 
Container Security: What Enterprises Need to Know
DevOps.com
 
Open Source Libraries - Managing Risk in Cloud
Suman Sourav
 
Secure DevOPS Implementation Guidance
Tej Luthra
 
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
Agile and Secure SDLC
Nazar Tymoshyk, CEH, Ph.D.
 
Empowering Financial Institutions to Use Open Source With Confidence
WhiteSource
 
A journey from dev ops to devsecops
Veritis Group, Inc
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
WhiteSource
 
Ad

Similar to Deep Dive into Container Security (20)

PDF
From Zero to Hero: Continuous Container Security in 4 Simple Steps
DevOps.com
 
PDF
Barriers to Container Security and How to Overcome Them
WhiteSource
 
PPTX
Understanding container security
John Kinsella
 
PDF
DevSecOps: The Open Source Way
Gordon Haff
 
PDF
Why Should Developers Care About Container Security?
All Things Open
 
PDF
ATO 2022 - Why should devs care about container security.pdf
Eric Smalling
 
PDF
Container Stranger Danger - Why should devs care about container security
Eric Smalling
 
PDF
Python Web Conference 2022 - Why should devs care about container security.pdf
Eric Smalling
 
PPTX
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Cloud Village
 
PPTX
A question of trust - understanding Open Source risks
Tim Mackey
 
PDF
DevSecOps: The Open Source Way
Black Duck by Synopsys
 
PPTX
An In-depth look at application containers
John Kinsella
 
PDF
Securing Microservices in Containerized Environments
DevOps.com
 
PDF
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDays Riga
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon
 
PPTX
DevSecOps in a cloudnative world
Karthik Gaekwad
 
PDF
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
Daniel Oh
 
PDF
Security Patterns for Microservice Architectures - SpringOne 2020
Matt Raible
 
PDF
Security Patterns for Microservice Architectures
VMware Tanzu
 
PDF
Why should developers care about container security?
Eric Smalling
 
From Zero to Hero: Continuous Container Security in 4 Simple Steps
DevOps.com
 
Barriers to Container Security and How to Overcome Them
WhiteSource
 
Understanding container security
John Kinsella
 
DevSecOps: The Open Source Way
Gordon Haff
 
Why Should Developers Care About Container Security?
All Things Open
 
ATO 2022 - Why should devs care about container security.pdf
Eric Smalling
 
Container Stranger Danger - Why should devs care about container security
Eric Smalling
 
Python Web Conference 2022 - Why should devs care about container security.pdf
Eric Smalling
 
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Cloud Village
 
A question of trust - understanding Open Source risks
Tim Mackey
 
DevSecOps: The Open Source Way
Black Duck by Synopsys
 
An In-depth look at application containers
John Kinsella
 
Securing Microservices in Containerized Environments
DevOps.com
 
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDays Riga
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon
 
DevSecOps in a cloudnative world
Karthik Gaekwad
 
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
Daniel Oh
 
Security Patterns for Microservice Architectures - SpringOne 2020
Matt Raible
 
Security Patterns for Microservice Architectures
VMware Tanzu
 
Why should developers care about container security?
Eric Smalling
 
Ad

More from WhiteSource (15)

PDF
Securing Container-Based Applications at the Speed of DevOps
WhiteSource
 
PDF
Fire alarms vs. Fire hoses: Keeping up with Dependencies
WhiteSource
 
PDF
DevSecOps: Closing the Loop from Detection to Remediation
WhiteSource
 
PPTX
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
WhiteSource
 
PDF
Winning open source vulnerabilities without loosing your deveopers - Azure De...
WhiteSource
 
PDF
SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...
WhiteSource
 
PDF
Top Open Source Licenses Explained
WhiteSource
 
PPTX
WhiteSource Webinar What's New With WhiteSource in December 2018
WhiteSource
 
PPTX
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
WhiteSource
 
PPTX
The State of Open Source Vulnerabilities - A WhiteSource Webinar
WhiteSource
 
PDF
Find Out What's New With WhiteSource September 2018- A WhiteSource Webinar
WhiteSource
 
PPTX
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
WhiteSource
 
PPTX
Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar
WhiteSource
 
PPTX
Strategies for Improving Enterprise Application Security - a WhiteSource Webinar
WhiteSource
 
PPTX
How temenos manages open source use, the easy way combined
WhiteSource
 
Securing Container-Based Applications at the Speed of DevOps
WhiteSource
 
Fire alarms vs. Fire hoses: Keeping up with Dependencies
WhiteSource
 
DevSecOps: Closing the Loop from Detection to Remediation
WhiteSource
 
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
WhiteSource
 
Winning open source vulnerabilities without loosing your deveopers - Azure De...
WhiteSource
 
SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...
WhiteSource
 
Top Open Source Licenses Explained
WhiteSource
 
WhiteSource Webinar What's New With WhiteSource in December 2018
WhiteSource
 
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
WhiteSource
 
The State of Open Source Vulnerabilities - A WhiteSource Webinar
WhiteSource
 
Find Out What's New With WhiteSource September 2018- A WhiteSource Webinar
WhiteSource
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
WhiteSource
 
Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar
WhiteSource
 
Strategies for Improving Enterprise Application Security - a WhiteSource Webinar
WhiteSource
 
How temenos manages open source use, the easy way combined
WhiteSource
 

Recently uploaded (20)

PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
PDF
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Introduction to Artificial Intelligence
lohedi9363
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 

Deep Dive into Container Security