SlideShare a Scribd company logo

App sec in the time of docker containers

Akash Mahajan, profile picture
Akash Mahajan

The document discusses application security in the context of Docker containers, emphasizing the importance of balancing developer productivity with security. It outlines best practices for securely using Docker, including following the CIS Docker benchmark and employing continuous testing. The author highlights practical steps for implementing security measures and shares anecdotal evidence of Docker-related vulnerabilities.

Technology
1 of 28
Downloaded 17 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
APP SEC IN THE TIME OF DOCKER CONTAINERS Akash Mahajan - Director Appsecco C0C0N 2016
SOMETHING ABOUT ME ➤ Director of Appsecco ➤ Appsecco is a specialist application security company ➤ Author of ‘Burp Suite Essentials’ ➤ Burp Suite is the most popular software for security testing applications ➤ Community Champion ➤ OWASP Bangalore Chapter Leader ➤ n|u Co-Founder and Community Manager ➤ Co-Trainer of Xtreme Web Hacking Class ➤ Links ➤ @makash | https://linkd.in/webappsecguy | akashm.com
“There is space for only 5 types of security approaches in this world -Said no one ever
HOW WE DO APPSEC CURRENTLY?
AUTOMATED WEB APPLICATION SCANNERS
BUG BOUNTY BEGINNERS - WIN SOME - LOSE SOME
BUG BOUNTY/PENTESTERS & EXPERTS MAKE IT LOOK SIMPLE
SECURITY TESTERS PLOD AWAY USING CHECKLISTS & TOOLS
WHAT IS A DOCKER CONTAINER?
A DOCKER CONTAINER? ➤ A container allows a developer to package up and application and all of its dependent parts in a box ➤ This box is basically an isolated environment and the application has everything it needs to run inside of this environment
CONTAINERS ARE COMING A value of 100 is the peak popularity for a term DOCKER IN GOOGLE TRENDS SINCE JUL 2013-PRESENT
IF THE DRY GRAPH WASN’T ENOUGH TO CONVINCE YOU
“Why has this change to docker become imminent? -Me, when I started noticing how quickly the developer world was moving to docker
REPEAT AFTER ME DEVELOPER PRODUCTIVITY DEVELOPER PRODUCTIVITY DEVELOPER PRODUCTIVITY
“Regardless of how much security folks think their opinion matters, most of the developers don’t give a fish about what we think - Akash Mahajan, learning the truth the hard way
THIS IS WHAT DEVELOPERS WANT - AN IT FREE WORLD Attribution pending. Will update the slides once I know where I nicked this from!
BUT ISN’T THIS JUST LIKE CHROOT?
INSTALLING MUTILLIDAE (PHP+APACHE+MYSQL APP)
“If a developer has to choose between being productive or being secure, more or less she/he will chose being productive - Something I should have said!
WHAT CAN WE DO NOW TO GET ON THE BANDWAGON? ➤ Depends on how you do application security ➤ For testing applications ➤ We usually need the setup running somewhere (testing) ➤ Being able to get the complete setup by just running a simple command, makes all of us “productive” ➤ For secure development ➤ Pre-configured dockerfiles with selective containers which allow for secure configuration by default ➤ For secure operations ➤ Running docker in secured, isolated instances
DOES DOCKER PROVIDE ISOLATION FROM THE HOST? ➤ Yes if you practice defence in depth ➤ Follow the CIS Docker Benchmark to get a checklist of things to do on ➤ Host Configuration (15 list items) ➤ Docker Daemon Configuration (13 list items) ➤ Files, Permissions and configuration files for Docker Daemon (20 list items) ➤ Container Images (5 list items) ➤ Container Runtime (25 list items) ➤ Follow Docker Security Operations Best Practices
DOCKER HOST AND CONTAINER SECURITY GETTING STARTED Start by reading Understanding docker security and best practices https://blog.docker.com/2015/05/understanding-docker-security-and- best-practices/ Use the Docker Bench Security script to automatically check best practices as outlined by the CIS Docker Benchmark version 1.11 https:// github.com/docker/docker-bench-security Play this awesome game to break out of docker containers in your browser https://contained.af/ Read the full CIS Docker 1.11.0 Benchmark report https:// benchmarks.cisecurity.org/tools2/docker/ CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf Definitely read if you plan to run docker in prod or are guiding someone who does http://container-solutions.com/is-docker-safe-for-production/
NEW TOOLS, APPROACHES AND OPPORTUNITIES The configuration for docker containers will need to be tested in a continuous manner Auditing of existing deployments against security benchmarks like the CIS Docker Benchmark Following agile practices, dockers build built using CI/CD tools like Jenkins based on pre-commit and post-commit hooks Bring in your SAST, DAST, *ST analysis at any point in this pipeline Setting up and managing private registries Also setting up private repositories for nom etc.
TO START WITH, THIS IS WHAT YOU SHOULD DO Test the application as you normally would If you find appsec issues report these Do white box assessment with the docker security checklists You already have a roadmap as mentioned in slide 21 & 22 Keep track of any privilege escalation bugs in docker daemon or the underlying hypervisor/VM tech you are using Understand what is the software supply chain for the application & pick secure alternatives for orchestration itself Application containers make it simple for everyone so use them for training, best practices etc.
DOCKER FAILS Couple of #devoops moments
TWITTER’S VINE SOURCE CODE DUMP BY @AVICODER ➤ @avicoder a bug bounty hunter, he spoke about this bug at a null/ OWASP/G4H Bangalore meet in June 2016 ➤ He found an interesting sub domain for Vine ( A twitter video app) ➤ He had stumbled upon a private docker registry being used ➤ He realised that the version being used didn’t use any authentication and by querying the API he determined the docker files being hosted ➤ He did a docker pull of an image that contained the source code for the Vine App and got $$$$$ bounty ➤ https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/
DOCKER IMAGE INSECURITY ➤ This has been fixed now! Especially from docker version 1.10 ➤ Earlier if an image had been compressed with xz (in C so not safety for memory) ➤ Docker Daemon would exec the xz binary as root user ➤ If there was a single vulnerability in xz, a docker pull could result in complete compromise ➤ Read more about the vulnerability https://titanous.com/ posts/docker-insecurity ➤ Read more about how this was fixed https://titanous.com/ posts/docker-insecurity
QUESTIONS @makash | https://linkd.in/webappsecguy | akashm.com

More Related Content

PDF
Embacing service-level-objectives of your microservices in your Cl/CD
Nebulaworks
 
PDF
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Richard Bullington-McGuire
 
PPTX
What it feels like to live in a Security Enabled DevOps World
Karun Chennuri
 
PDF
Hybrid Cloud Networking
SVForum Cloud SIG
 
PDF
Hacking into your containers, and how to stop it!
Eric Smalling
 
PDF
Red Hat multi-cluster management & what's new in OpenShift
Kangaroot
 
PDF
Policy as code what helm developers need to know about security
LibbySchulze
 
PDF
Rugged DevOps: Bridging Security and DevOps
James Wickett
 
Embacing service-level-objectives of your microservices in your Cl/CD
Nebulaworks
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Richard Bullington-McGuire
 
What it feels like to live in a Security Enabled DevOps World
Karun Chennuri
 
Hybrid Cloud Networking
SVForum Cloud SIG
 
Hacking into your containers, and how to stop it!
Eric Smalling
 
Red Hat multi-cluster management & what's new in OpenShift
Kangaroot
 
Policy as code what helm developers need to know about security
LibbySchulze
 
Rugged DevOps: Bridging Security and DevOps
James Wickett
 

What's hot (20)

PDF
Building security into the pipelines
Vandana Verma
 
PDF
Redefining cloud native debugging
LibbySchulze
 
PDF
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
PDF
Don’t have a Meltdown! Practical Steps for Defending Your Apps
Docker, Inc.
 
PDF
DevOps Spain 2019. Beatriz Martínez-IBM
atSistemas
 
PPTX
Secure your applications with Azure AD and Key Vault
Davide Benvegnù
 
PDF
Practical Guide to Securing Kubernetes
Lacework
 
PPTX
Thinking about Jenkins Security
Mark Waite
 
PPTX
10 tips for Cloud Native Security
Karthik Gaekwad
 
PDF
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
Priyanka Aash
 
PDF
Terrascan - Cloud Native Security Tool
sangam biradar
 
PDF
Webinar: Introduction to CloudBees Jenkins Platform
Kiratech
 
PDF
Introduction to the DevNet Sandbox and IVT
Cisco DevNet
 
PDF
Networking in Docker EE 2.0 with Kubernetes and Swarm
Abhinandan P.b
 
PDF
DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...
Docker, Inc.
 
PDF
Shifting security left simplifying security for k8s open shift environments
LibbySchulze
 
PDF
DevSecCon Lightning 2021- Container defaults are a hackers best friend
Eric Smalling
 
PPTX
AWS Security Strategy
2nd Sight Lab
 
PDF
Secure your Application with Google cloud armor
DevOps Indonesia
 
PDF
Enterprise Java on Azure: From Java EE to Spring, we have you covered
Ed Burns
 
Building security into the pipelines
Vandana Verma
 
Redefining cloud native debugging
LibbySchulze
 
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
Don’t have a Meltdown! Practical Steps for Defending Your Apps
Docker, Inc.
 
DevOps Spain 2019. Beatriz Martínez-IBM
atSistemas
 
Secure your applications with Azure AD and Key Vault
Davide Benvegnù
 
Practical Guide to Securing Kubernetes
Lacework
 
Thinking about Jenkins Security
Mark Waite
 
10 tips for Cloud Native Security
Karthik Gaekwad
 
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
Priyanka Aash
 
Terrascan - Cloud Native Security Tool
sangam biradar
 
Webinar: Introduction to CloudBees Jenkins Platform
Kiratech
 
Introduction to the DevNet Sandbox and IVT
Cisco DevNet
 
Networking in Docker EE 2.0 with Kubernetes and Swarm
Abhinandan P.b
 
DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...
Docker, Inc.
 
Shifting security left simplifying security for k8s open shift environments
LibbySchulze
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
Eric Smalling
 
AWS Security Strategy
2nd Sight Lab
 
Secure your Application with Google cloud armor
DevOps Indonesia
 
Enterprise Java on Azure: From Java EE to Spring, we have you covered
Ed Burns
 
Ad

Viewers also liked (20)

PPTX
Security in the cloud Workshop HSTC 2014
Akash Mahajan
 
PPTX
Security Issues in Cloud Computing
Jyotika Pandey
 
PPTX
Cloud computing security issues and challenges
Dheeraj Negi
 
PPTX
Hybrid Cloud Computing - Seccurity Aspects and Challanges
Roman Nedzelsky
 
PPT
Startups Security
Akash Mahajan
 
PPTX
What is cloud ?
Dibyadip Das
 
PPTX
Cloud Security Issues 1.04.10
Rugby7277
 
PPTX
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
Abhay Bhargav
 
PPTX
DataSploit - Tool Demo at Null Bangalore - March Meet.
Shubham Mittal
 
PPTX
AWS Survival Guide
Ken Johnson
 
PPTX
Burp Suite Starter
Fadi Abdulwahab
 
PPTX
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon
 
PPTX
Antifragile, Microservices and DevOps - A Study
William Yang
 
PPT
Security Issues of Cloud Computing
Falgun Rathod
 
PPTX
The Journey to DevSecOps
SeniorStoryteller
 
PDF
Cloud Security - Security Aspects of Cloud Computing
Jim Geovedi
 
PPTX
Security as Code owasp
Shannon Lietz
 
PPTX
Cloud Security Essentials 2.0 at RSA
Shannon Lietz
 
PPTX
Finding Security a Home in a DevOps World
Shannon Lietz
 
PPTX
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates
 
Security in the cloud Workshop HSTC 2014
Akash Mahajan
 
Security Issues in Cloud Computing
Jyotika Pandey
 
Cloud computing security issues and challenges
Dheeraj Negi
 
Hybrid Cloud Computing - Seccurity Aspects and Challanges
Roman Nedzelsky
 
Startups Security
Akash Mahajan
 
What is cloud ?
Dibyadip Das
 
Cloud Security Issues 1.04.10
Rugby7277
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
Abhay Bhargav
 
DataSploit - Tool Demo at Null Bangalore - March Meet.
Shubham Mittal
 
AWS Survival Guide
Ken Johnson
 
Burp Suite Starter
Fadi Abdulwahab
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon
 
Antifragile, Microservices and DevOps - A Study
William Yang
 
Security Issues of Cloud Computing
Falgun Rathod
 
The Journey to DevSecOps
SeniorStoryteller
 
Cloud Security - Security Aspects of Cloud Computing
Jim Geovedi
 
Security as Code owasp
Shannon Lietz
 
Cloud Security Essentials 2.0 at RSA
Shannon Lietz
 
Finding Security a Home in a DevOps World
Shannon Lietz
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates
 
Ad

Similar to App sec in the time of docker containers (20)

PDF
Docker Containers Security
Stephane Woillez
 
PDF
Justin Cormack - The 10 Container Security Tricks That Will Help You Sleep At...
Codemotion
 
PDF
Dockercon 2015 - Faster Cheaper Safer
Adrian Cockcroft
 
PPTX
Docker Docker - Docker Security - Docker
Boyd Hemphill
 
PDF
Why Should Developers Care About Container Security?
All Things Open
 
PDF
ATO 2022 - Why should devs care about container security.pdf
Eric Smalling
 
PDF
Container Stranger Danger - Why should devs care about container security
Eric Smalling
 
PDF
Python Web Conference 2022 - Why should devs care about container security.pdf
Eric Smalling
 
PPTX
Container security Familiar problems in new technology
Frank Victory
 
PDF
DockerCon SF 2015: Faster, Cheaper, Safer
Docker, Inc.
 
PDF
Container Security
Salman Baset
 
PDF
How Secure Is Your Container? ContainerCon Berlin 2016
Phil Estes
 
PPTX
Docker Container Security - A Network View
NeuVector
 
PDF
Container Security: How We Got Here and Where We're Going
Phil Estes
 
PDF
Docker?!?! But I'm a SysAdmin
Docker, Inc.
 
PDF
Why should developers care about container security?
Eric Smalling
 
PDF
Securing Containers From Day One | null Ahmedabad Meetup
Kumar Ashwin
 
PDF
Securing Containers From Day One | null Ahmedabad Meetup
Kumar Ashwin
 
PDF
Containers & CaaS
OpenCity Community
 
PDF
Docker London: Container Security
Phil Estes
 
Docker Containers Security
Stephane Woillez
 
Justin Cormack - The 10 Container Security Tricks That Will Help You Sleep At...
Codemotion
 
Dockercon 2015 - Faster Cheaper Safer
Adrian Cockcroft
 
Docker Docker - Docker Security - Docker
Boyd Hemphill
 
Why Should Developers Care About Container Security?
All Things Open
 
ATO 2022 - Why should devs care about container security.pdf
Eric Smalling
 
Container Stranger Danger - Why should devs care about container security
Eric Smalling
 
Python Web Conference 2022 - Why should devs care about container security.pdf
Eric Smalling
 
Container security Familiar problems in new technology
Frank Victory
 
DockerCon SF 2015: Faster, Cheaper, Safer
Docker, Inc.
 
Container Security
Salman Baset
 
How Secure Is Your Container? ContainerCon Berlin 2016
Phil Estes
 
Docker Container Security - A Network View
NeuVector
 
Container Security: How We Got Here and Where We're Going
Phil Estes
 
Docker?!?! But I'm a SysAdmin
Docker, Inc.
 
Why should developers care about container security?
Eric Smalling
 
Securing Containers From Day One | null Ahmedabad Meetup
Kumar Ashwin
 
Securing Containers From Day One | null Ahmedabad Meetup
Kumar Ashwin
 
Containers & CaaS
OpenCity Community
 
Docker London: Container Security
Phil Estes
 

More from Akash Mahajan (15)

PDF
On Writing Well - A talk given at WinjaBlogs Session
Akash Mahajan
 
PPTX
Venom vulnerability Overview and a basic demo
Akash Mahajan
 
ODP
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
Akash Mahajan
 
PPTX
The real incident of stealing a droid app+data
Akash Mahajan
 
PPTX
Believe It Or Not SSL Attacks
Akash Mahajan
 
PPTX
I haz your mouse clicks and key strokes
Akash Mahajan
 
PPTX
Hackers versus Developers and Secure Web Programming
Akash Mahajan
 
PPTX
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Akash Mahajan
 
PPTX
Php security
Akash Mahajan
 
PPTX
Secure passwords-theory-and-practice
Akash Mahajan
 
PDF
Top 10 web application security risks akash mahajan
Akash Mahajan
 
PDF
Web application security
Akash Mahajan
 
PPTX
Web application security
Akash Mahajan
 
PPTX
Web application security
Akash Mahajan
 
PPTX
Secure Programming In Php
Akash Mahajan
 
On Writing Well - A talk given at WinjaBlogs Session
Akash Mahajan
 
Venom vulnerability Overview and a basic demo
Akash Mahajan
 
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
Akash Mahajan
 
The real incident of stealing a droid app+data
Akash Mahajan
 
Believe It Or Not SSL Attacks
Akash Mahajan
 
I haz your mouse clicks and key strokes
Akash Mahajan
 
Hackers versus Developers and Secure Web Programming
Akash Mahajan
 
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Akash Mahajan
 
Php security
Akash Mahajan
 
Secure passwords-theory-and-practice
Akash Mahajan
 
Top 10 web application security risks akash mahajan
Akash Mahajan
 
Web application security
Akash Mahajan
 
Web application security
Akash Mahajan
 
Web application security
Akash Mahajan
 
Secure Programming In Php
Akash Mahajan
 

Recently uploaded (20)

PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Approach and Philosophy of On baking technology
30anthuong17
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Cloud computing and distributed systems.
kkkkkhan
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 

App sec in the time of docker containers

  • 1. APP SEC IN THE TIME OF DOCKER CONTAINERS Akash Mahajan - Director Appsecco C0C0N 2016
  • 2. SOMETHING ABOUT ME ➤ Director of Appsecco ➤ Appsecco is a specialist application security company ➤ Author of ‘Burp Suite Essentials’ ➤ Burp Suite is the most popular software for security testing applications ➤ Community Champion ➤ OWASP Bangalore Chapter Leader ➤ n|u Co-Founder and Community Manager ➤ Co-Trainer of Xtreme Web Hacking Class ➤ Links ➤ @makash | https://linkd.in/webappsecguy | akashm.com
  • 3. “There is space for only 5 types of security approaches in this world -Said no one ever
  • 4. HOW WE DO APPSEC CURRENTLY?
  • 6. BUG BOUNTY BEGINNERS - WIN SOME - LOSE SOME
  • 7. BUG BOUNTY/PENTESTERS & EXPERTS MAKE IT LOOK SIMPLE
  • 8. SECURITY TESTERS PLOD AWAY USING CHECKLISTS & TOOLS
  • 9. WHAT IS A DOCKER CONTAINER?
  • 10. A DOCKER CONTAINER? ➤ A container allows a developer to package up and application and all of its dependent parts in a box ➤ This box is basically an isolated environment and the application has everything it needs to run inside of this environment
  • 11. CONTAINERS ARE COMING A value of 100 is the peak popularity for a term DOCKER IN GOOGLE TRENDS SINCE JUL 2013-PRESENT
  • 12. IF THE DRY GRAPH WASN’T ENOUGH TO CONVINCE YOU
  • 13. “Why has this change to docker become imminent? -Me, when I started noticing how quickly the developer world was moving to docker
  • 14. REPEAT AFTER ME DEVELOPER PRODUCTIVITY DEVELOPER PRODUCTIVITY DEVELOPER PRODUCTIVITY
  • 15. “Regardless of how much security folks think their opinion matters, most of the developers don’t give a fish about what we think - Akash Mahajan, learning the truth the hard way
  • 16. THIS IS WHAT DEVELOPERS WANT - AN IT FREE WORLD Attribution pending. Will update the slides once I know where I nicked this from!
  • 17. BUT ISN’T THIS JUST LIKE CHROOT?
  • 19. “If a developer has to choose between being productive or being secure, more or less she/he will chose being productive - Something I should have said!
  • 20. WHAT CAN WE DO NOW TO GET ON THE BANDWAGON? ➤ Depends on how you do application security ➤ For testing applications ➤ We usually need the setup running somewhere (testing) ➤ Being able to get the complete setup by just running a simple command, makes all of us “productive” ➤ For secure development ➤ Pre-configured dockerfiles with selective containers which allow for secure configuration by default ➤ For secure operations ➤ Running docker in secured, isolated instances
  • 21. DOES DOCKER PROVIDE ISOLATION FROM THE HOST? ➤ Yes if you practice defence in depth ➤ Follow the CIS Docker Benchmark to get a checklist of things to do on ➤ Host Configuration (15 list items) ➤ Docker Daemon Configuration (13 list items) ➤ Files, Permissions and configuration files for Docker Daemon (20 list items) ➤ Container Images (5 list items) ➤ Container Runtime (25 list items) ➤ Follow Docker Security Operations Best Practices
  • 22. DOCKER HOST AND CONTAINER SECURITY GETTING STARTED Start by reading Understanding docker security and best practices https://blog.docker.com/2015/05/understanding-docker-security-and- best-practices/ Use the Docker Bench Security script to automatically check best practices as outlined by the CIS Docker Benchmark version 1.11 https:// github.com/docker/docker-bench-security Play this awesome game to break out of docker containers in your browser https://contained.af/ Read the full CIS Docker 1.11.0 Benchmark report https:// benchmarks.cisecurity.org/tools2/docker/ CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf Definitely read if you plan to run docker in prod or are guiding someone who does http://container-solutions.com/is-docker-safe-for-production/
  • 23. NEW TOOLS, APPROACHES AND OPPORTUNITIES The configuration for docker containers will need to be tested in a continuous manner Auditing of existing deployments against security benchmarks like the CIS Docker Benchmark Following agile practices, dockers build built using CI/CD tools like Jenkins based on pre-commit and post-commit hooks Bring in your SAST, DAST, *ST analysis at any point in this pipeline Setting up and managing private registries Also setting up private repositories for nom etc.
  • 24. TO START WITH, THIS IS WHAT YOU SHOULD DO Test the application as you normally would If you find appsec issues report these Do white box assessment with the docker security checklists You already have a roadmap as mentioned in slide 21 & 22 Keep track of any privilege escalation bugs in docker daemon or the underlying hypervisor/VM tech you are using Understand what is the software supply chain for the application & pick secure alternatives for orchestration itself Application containers make it simple for everyone so use them for training, best practices etc.
  • 25. DOCKER FAILS Couple of #devoops moments
  • 26. TWITTER’S VINE SOURCE CODE DUMP BY @AVICODER ➤ @avicoder a bug bounty hunter, he spoke about this bug at a null/ OWASP/G4H Bangalore meet in June 2016 ➤ He found an interesting sub domain for Vine ( A twitter video app) ➤ He had stumbled upon a private docker registry being used ➤ He realised that the version being used didn’t use any authentication and by querying the API he determined the docker files being hosted ➤ He did a docker pull of an image that contained the source code for the Vine App and got $$$$$ bounty ➤ https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/
  • 27. DOCKER IMAGE INSECURITY ➤ This has been fixed now! Especially from docker version 1.10 ➤ Earlier if an image had been compressed with xz (in C so not safety for memory) ➤ Docker Daemon would exec the xz binary as root user ➤ If there was a single vulnerability in xz, a docker pull could result in complete compromise ➤ Read more about the vulnerability https://titanous.com/ posts/docker-insecurity ➤ Read more about how this was fixed https://titanous.com/ posts/docker-insecurity