SlideShare a Scribd company logo

ATO 2022 - Why should devs care about container security.pdf

E
Eric Smalling

The document discusses the importance of container security for developers, highlighting the new security challenges and responsibilities introduced by containerization, such as operating-system level concerns. It emphasizes the need for developers to adopt secure practices throughout the development process to mitigate vulnerabilities while maintaining pipeline velocity. The document also provides actionable strategies for securing container images and infrastructure as code, alongside relevant resources and references for further reading.

Technology
1 of 18
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Why should developers care about container security? Eric Smalling | Sr. Developer Advocate @ Snyk @ericsmalling
Eric Smalling ● Senior Developer Advocate @ Snyk ● Based in Dallas/Fort Worth, Texas ● 20+ years enterprise software development ● 10+ years build/test/deploy automation (CI/CD) ● Docker user since 2013 (v0.6) ● 2018 Jenkins Ambassador ● Docker Captain ● CKA, CKAD & CKS Certified @ericsmalling
Agenda Devops vs Security Container Challenges Demo 01 02 03 04 Conclusions
DevOps
Coding Test & Fix Branch Repo Test, Fix Monitor CI/CD Test & Fix Production Test, Fix Monitor Test Registry Build Deploy Get artifacts Get public & private artifacts SDLC Pipeline
DevSecOps
Container Challenges Historically, developers have owned the security posture of their own code and the libraries used. Containers add security concerns at the operating-system level such as base-image selection, package installation, user and file permissions, and more. Increased Scope of Responsibility These additional technologies used to be owned by other teams such as system engineers or middleware teams. Many developers have never had to deal with securing these layers of the stack. Lack of Expertise While shifting security left adds responsibilities to developer teams, the business owners have expectations that pipeline velocity will not be negatively impacted. Maintaining Velocity
Ownership of developers What does my service contain? ● Source code of my app ● 3rd party dependencies ● Dockerfile ● IaC files (eg. Terraform) ● K8s files
The financial giant said the intruder exploited a configuration vulnerability “ “ -- https://www.theregister.com/2019/07/30/capital_one_hacked/ Configuration is a security risk
Enough Slides. Demo Time!
Coding Test & Fix Branch Repo Test, Fix Monitor CI/CD Test & Fix Production Test, Fix Monitor Test Registry Build Deploy Get artifacts Get public & private artifacts SDLC Pipeline
DevOps Feedback Loop Empowering developers to build applications securely within the entire development process
Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes
Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes Minimize Footprint Don’t give hackers more tools to expand their exploits Layer Housekeeping Understand how layers work at build and run-time Build strategies Multi-Stage, repeatable builds, standardized labeling, alternative tools Secure Supply Chain Know where images come from. Only CI should push to registries.
Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes Don’t run as root You probably don’t need it. Privileged Containers You almost definitely don’t need it. Drop capabilities Most apps don’t need even Linux capabilities; dropping all and allow only what’s needed. Read Only Root Filesystem Immutability makes exploiting your container harder. Deploy from known sources Pull from known registries only.
Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes Secrets Use them but make sure they’re encrypted and have RBAC applied RBAC Hopefully everybody is using this. SecurityContext Much of the Runtime practices mentioned can be enforced via SC Network Policy Start with zero-trust and add allow rules only as necessary. Enforcement Use OPA (Gatekeeper), Kyverno, etc
Key Takeaways Just like unit tests, fast, actionable security feedback is critical. Working security into a developer’s workflow without slowing them down drives adoption. Feedback Loop Giving developers tools that provide actionable information can allow them to deal with security issues as they are introduced. Empower developers to be proactive Implementing known secure practices for building and running your container images and IaC configurations can mitigate vulnerabilities that slip into deployments as well as zero-day vulnerabilities that may exist. Defence in depth
References: ● Kubernetes SecurityContext Cheatsheet: https://snyk.co/udW5K ● Dockerfile Best Practices: https://docs.docker.com/develop/develop-images/dockerfile_best-practices ● Using multi-stage builds: https://docs.docker.com/develop/develop-images/multistage-build ● OPA Gatekeeper: https://open-policy-agent.github.io/gatekeeper/website/docs ● Kyverno: https://kyverno.io ● PodSecurityPolicy Deprecation: Past, Present, and Future: https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future ● CNCF Certification Curriculum: https://github.com/cncf/curriculum ● Snyk Kubernetes “Quick hit” videos: https://youtube.com/playlist?list=PLQ6IC7glz4-UA4uKQOhmAxh6Mhvr3m4g- Thank you! @ericsmalling

More Related Content

PDF
GDG SLK - Why should devs care about container security.pdf
James Anderson
 
PDF
DevSecCon Lightning 2021- Container defaults are a hackers best friend
Eric Smalling
 
PDF
Why should developers care about container security?
Eric Smalling
 
PDF
Hacking into your containers, and how to stop it!
Eric Smalling
 
PDF
KubeHuddle NA 2023 - Why should devs care about container security - Eric Sma...
Eric Smalling
 
PDF
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
Eric Smalling
 
PDF
Strengthen and Scale Security for a dollar or less
Mohammed A. Imran
 
PDF
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
GDG SLK - Why should devs care about container security.pdf
James Anderson
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
Eric Smalling
 
Why should developers care about container security?
Eric Smalling
 
Hacking into your containers, and how to stop it!
Eric Smalling
 
KubeHuddle NA 2023 - Why should devs care about container security - Eric Sma...
Eric Smalling
 
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
Eric Smalling
 
Strengthen and Scale Security for a dollar or less
Mohammed A. Imran
 
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 

Similar to ATO 2022 - Why should devs care about container security.pdf (20)

PDF
Docker Containers Security
Stephane Woillez
 
PDF
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
PDF
Scale security for a dollar or less
Mohammed A. Imran
 
PPTX
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
PDF
Introducing a Security Feedback Loop to your CI Pipelines
Codefresh
 
PPTX
Kubernetes and container security
Volodymyr Shynkar
 
PDF
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
PDF
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
PDF
How to Secure Your Kubernetes Software Supply Chain at Scale
Anchore
 
PDF
Shift Right Security for EKS Webinar Slides
Anchore
 
PPTX
10 tips for Cloud Native Security
Karthik Gaekwad
 
PDF
Cncf checkov and bridgecrew
LibbySchulze
 
PDF
From Zero to Hero: Continuous Container Security in 4 Simple Steps
DevOps.com
 
PDF
DockerCon SF 2015: Faster, Cheaper, Safer
Docker, Inc.
 
PDF
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
WhiteSource
 
PPT
2011 NASA Open Source Summit - Forge.mil
NASA Open Government Initiative
 
PDF
Terrascan - Cloud Native Security Tool
sangam biradar
 
PDF
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Richard Bullington-McGuire
 
PPTX
Docker best Practices
jeetendra mandal
 
PDF
Introduction to DevSecOps
Setu Parimi
 
Docker Containers Security
Stephane Woillez
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
Scale security for a dollar or less
Mohammed A. Imran
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
Introducing a Security Feedback Loop to your CI Pipelines
Codefresh
 
Kubernetes and container security
Volodymyr Shynkar
 
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
How to Secure Your Kubernetes Software Supply Chain at Scale
Anchore
 
Shift Right Security for EKS Webinar Slides
Anchore
 
10 tips for Cloud Native Security
Karthik Gaekwad
 
Cncf checkov and bridgecrew
LibbySchulze
 
From Zero to Hero: Continuous Container Security in 4 Simple Steps
DevOps.com
 
DockerCon SF 2015: Faster, Cheaper, Safer
Docker, Inc.
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
WhiteSource
 
2011 NASA Open Source Summit - Forge.mil
NASA Open Government Initiative
 
Terrascan - Cloud Native Security Tool
sangam biradar
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Richard Bullington-McGuire
 
Docker best Practices
jeetendra mandal
 
Introduction to DevSecOps
Setu Parimi
 
Ad

More from Eric Smalling (13)

PDF
DockerCon 2023 - Live Demo_Hardening Against Kubernetes Hacks.pdf
Eric Smalling
 
PDF
KubeCon NA 2022 - Hardening against Kubernetes Hacks.pdf
Eric Smalling
 
PDF
DevOpsDays Chicago 2022 - Hands-on hacking containers and ways to prevent it
Eric Smalling
 
PDF
Look Ma' - Building Java and Go based container images without Dockerfiles
Eric Smalling
 
PDF
Container Stranger Danger - Why should devs care about container security
Eric Smalling
 
PDF
SCaLE 19x - Eric Smalling - Hardening against Kubernetes Hacks
Eric Smalling
 
PDF
DockerCon 2022 - From legacy to Kubernetes, securely & quickly
Eric Smalling
 
PDF
Python Web Conference 2022 - Why should devs care about container security.pdf
Eric Smalling
 
PDF
So. many. vulnerabilities. Why are containers such a mess and what to do abou...
Eric Smalling
 
PDF
IBM Index 2018 Conference Workshop: Modernizing Traditional Java App's with D...
Eric Smalling
 
PDF
Best Practices for Developing & Deploying Java Applications with Docker
Eric Smalling
 
PDF
Docker 101 Workshop slides (JavaOne 2017)
Eric Smalling
 
PPTX
Simply your Jenkins Projects with Docker Multi-Stage Builds
Eric Smalling
 
DockerCon 2023 - Live Demo_Hardening Against Kubernetes Hacks.pdf
Eric Smalling
 
KubeCon NA 2022 - Hardening against Kubernetes Hacks.pdf
Eric Smalling
 
DevOpsDays Chicago 2022 - Hands-on hacking containers and ways to prevent it
Eric Smalling
 
Look Ma' - Building Java and Go based container images without Dockerfiles
Eric Smalling
 
Container Stranger Danger - Why should devs care about container security
Eric Smalling
 
SCaLE 19x - Eric Smalling - Hardening against Kubernetes Hacks
Eric Smalling
 
DockerCon 2022 - From legacy to Kubernetes, securely & quickly
Eric Smalling
 
Python Web Conference 2022 - Why should devs care about container security.pdf
Eric Smalling
 
So. many. vulnerabilities. Why are containers such a mess and what to do abou...
Eric Smalling
 
IBM Index 2018 Conference Workshop: Modernizing Traditional Java App's with D...
Eric Smalling
 
Best Practices for Developing & Deploying Java Applications with Docker
Eric Smalling
 
Docker 101 Workshop slides (JavaOne 2017)
Eric Smalling
 
Simply your Jenkins Projects with Docker Multi-Stage Builds
Eric Smalling
 
Ad

Recently uploaded (20)

PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
A Presentation on Artificial Intelligence
memembruh336
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Approach and Philosophy of On baking technology
30anthuong17
 

ATO 2022 - Why should devs care about container security.pdf

  • 1. Why should developers care about container security? Eric Smalling | Sr. Developer Advocate @ Snyk @ericsmalling
  • 2. Eric Smalling ● Senior Developer Advocate @ Snyk ● Based in Dallas/Fort Worth, Texas ● 20+ years enterprise software development ● 10+ years build/test/deploy automation (CI/CD) ● Docker user since 2013 (v0.6) ● 2018 Jenkins Ambassador ● Docker Captain ● CKA, CKAD & CKS Certified @ericsmalling
  • 3. Agenda Devops vs Security Container Challenges Demo 01 02 03 04 Conclusions
  • 5. Coding Test & Fix Branch Repo Test, Fix Monitor CI/CD Test & Fix Production Test, Fix Monitor Test Registry Build Deploy Get artifacts Get public & private artifacts SDLC Pipeline
  • 7. Container Challenges Historically, developers have owned the security posture of their own code and the libraries used. Containers add security concerns at the operating-system level such as base-image selection, package installation, user and file permissions, and more. Increased Scope of Responsibility These additional technologies used to be owned by other teams such as system engineers or middleware teams. Many developers have never had to deal with securing these layers of the stack. Lack of Expertise While shifting security left adds responsibilities to developer teams, the business owners have expectations that pipeline velocity will not be negatively impacted. Maintaining Velocity
  • 8. Ownership of developers What does my service contain? ● Source code of my app ● 3rd party dependencies ● Dockerfile ● IaC files (eg. Terraform) ● K8s files
  • 9. The financial giant said the intruder exploited a configuration vulnerability “ “ -- https://www.theregister.com/2019/07/30/capital_one_hacked/ Configuration is a security risk
  • 11. Coding Test & Fix Branch Repo Test, Fix Monitor CI/CD Test & Fix Production Test, Fix Monitor Test Registry Build Deploy Get artifacts Get public & private artifacts SDLC Pipeline
  • 12. DevOps Feedback Loop Empowering developers to build applications securely within the entire development process
  • 13. Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes
  • 14. Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes Minimize Footprint Don’t give hackers more tools to expand their exploits Layer Housekeeping Understand how layers work at build and run-time Build strategies Multi-Stage, repeatable builds, standardized labeling, alternative tools Secure Supply Chain Know where images come from. Only CI should push to registries.
  • 15. Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes Don’t run as root You probably don’t need it. Privileged Containers You almost definitely don’t need it. Drop capabilities Most apps don’t need even Linux capabilities; dropping all and allow only what’s needed. Read Only Root Filesystem Immutability makes exploiting your container harder. Deploy from known sources Pull from known registries only.
  • 16. Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes Secrets Use them but make sure they’re encrypted and have RBAC applied RBAC Hopefully everybody is using this. SecurityContext Much of the Runtime practices mentioned can be enforced via SC Network Policy Start with zero-trust and add allow rules only as necessary. Enforcement Use OPA (Gatekeeper), Kyverno, etc
  • 17. Key Takeaways Just like unit tests, fast, actionable security feedback is critical. Working security into a developer’s workflow without slowing them down drives adoption. Feedback Loop Giving developers tools that provide actionable information can allow them to deal with security issues as they are introduced. Empower developers to be proactive Implementing known secure practices for building and running your container images and IaC configurations can mitigate vulnerabilities that slip into deployments as well as zero-day vulnerabilities that may exist. Defence in depth
  • 18. References: ● Kubernetes SecurityContext Cheatsheet: https://snyk.co/udW5K ● Dockerfile Best Practices: https://docs.docker.com/develop/develop-images/dockerfile_best-practices ● Using multi-stage builds: https://docs.docker.com/develop/develop-images/multistage-build ● OPA Gatekeeper: https://open-policy-agent.github.io/gatekeeper/website/docs ● Kyverno: https://kyverno.io ● PodSecurityPolicy Deprecation: Past, Present, and Future: https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future ● CNCF Certification Curriculum: https://github.com/cncf/curriculum ● Snyk Kubernetes “Quick hit” videos: https://youtube.com/playlist?list=PLQ6IC7glz4-UA4uKQOhmAxh6Mhvr3m4g- Thank you! @ericsmalling