SlideShare a Scribd company logo

Building a Secure App with Docker - Ying Li and David Lawrence, Docker

Docker, Inc., profile picture
Docker, Inc.

The document outlines best practices for building secure Docker applications, emphasizing the importance of user authentication, dependency management, and image signing through Docker Content Trust (DCT). It advocates for proactive security measures, such as vulnerability scanning and the use of least privilege configurations to enhance security in production environments. Key recommendations include validating upstream sources, signing artifacts, and deploying immutably to safeguard sensitive workloads.

Technology
1 of 38
Downloaded 34 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
David Lawrence Sr. Security Engineer Docker Ying Li Security Engineer Docker Building a Secure Docker App
The Pipeline
Docker Content Trust Service
Development
“... tech giant Juniper Networks revealed in a startling announcement that it had found “unauthorized” code embedded in an operating system running on some of its firewalls.” - wired.com
Where did it come from?
User Authentication • Multi-Factor Authentication • Key Based Authentication Sign your commits • Use hardware like Yubikeys Secure your source
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Pin your dependencies • Include the list with the source • (golang) vendor.conf, Godeps.json • (python) requirements.txt • (ruby) Gemfile • (node) package.json Validate your upstreams
Pin your dependencies • Include the list with the source • Use checksums Validate your upstreams requires == 2.13 --hash=sha256:2cf24dba5fb0a30e26e83… golang.org/x/crypto 5bcd134fee4dd1475da17714aac19c0a…
Pin your dependencies • Include the list with the source • Use checksums • Use publisher keys when available Validate your upstreams
Test & Build
Verify everything on ingress • commit signatures • dependency checksums • dependency signatures • Docker Content Trust (DCT) signatures of base images CI is an island
Be minimal, be disciplined • do build minimal images • do not embed secret/ sensitive data in images • do sign built images with Docker Content Trust (DCT) CI is ascetic
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Registry Services
Find Common Vulnerabilities and Exposures (CVEs) • stop being reactive, get proactive • make compliance easier Get notified about new CVEs • automate the auditing of existing applications Docker Security Scanning (DSS)
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Docker Trusted Registry (DTR) and Docker Hub/Cloud come with DCT metadata hosting • you can start signing now • provides trust from publisher to consumer • no need to trust the middleman Docker Content Trust (DCT)
Going to Production
• use Docker Content Trust to only deploy signed artifacts • use Docker EE Signing Policies to guarantee applications meet your acceptance criteria What are you deploying?
Use the absolute minimum privilege set necessary! Don’t: docker run --privileged ... Do: docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN ... Least Privileged Microservices
Zero Trust Networks
Defense in Depth • isolate sensitive workloads to their own nodes • use docker secrets Least Privileged Nodes
Mitigate entire classes of compromise • run read-only containers • use Docker Editions for <your platform here> Immutable Infrastructure
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
1. Secure & sign your source 2. Pin & verify your dependencies 3. Sign your artifacts with Docker Content Trust 4. Leverage Docker Security Scanning 5. Deploy onto immutable infrastructure … 6. … with Least Privilege configurations In Summary
Thank You! Questions? @docker #dockercon

More Related Content

PDF
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
Docker, Inc.
 
PDF
Global Operations with Docker for the Enterprise - Nico Kabar, Docker
Docker, Inc.
 
PDF
Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...
Docker, Inc.
 
PDF
What’s New in Docker - Victor Vieux, Docker
Docker, Inc.
 
PDF
Troubleshooting Tips from a Docker Support Engineer
Jeff Anderson
 
PDF
What Have Namespaces Done for you Lately? Liz Rice, Aqua Security
Docker, Inc.
 
PDF
Escape From Your VMs with Image2Docker Jeff Nickoloff, All in Geek Consulting...
Docker, Inc.
 
PDF
Back to the Future: Containerize Legacy Applications - Rob Tanner, Northern T...
Docker, Inc.
 
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
Docker, Inc.
 
Global Operations with Docker for the Enterprise - Nico Kabar, Docker
Docker, Inc.
 
Automation and Collaboration Across Multiple Swarms Using Docker Cloud - Marc...
Docker, Inc.
 
What’s New in Docker - Victor Vieux, Docker
Docker, Inc.
 
Troubleshooting Tips from a Docker Support Engineer
Jeff Anderson
 
What Have Namespaces Done for you Lately? Liz Rice, Aqua Security
Docker, Inc.
 
Escape From Your VMs with Image2Docker Jeff Nickoloff, All in Geek Consulting...
Docker, Inc.
 
Back to the Future: Containerize Legacy Applications - Rob Tanner, Northern T...
Docker, Inc.
 

What's hot (20)

PDF
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
Docker, Inc.
 
PDF
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
Thomas Graf
 
PDF
DockerCon 2017 - General Session Day 1 - Solomon Hykes
Docker, Inc.
 
PDF
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
Docker, Inc.
 
PPTX
How to be successful running Docker in Production
Docker, Inc.
 
PDF
DockerCon SF 2015: Docker Security
Docker, Inc.
 
PPTX
DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...
Docker, Inc.
 
PDF
Browser Testing with Docker - Craig Huber
Docker, Inc.
 
PDF
Networking Overview for Docker Platform
Aditya Patawari
 
PDF
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
Docker, Inc.
 
PDF
DCSF19 CMD and Conquer: Containerizing the Monolith
Docker, Inc.
 
PPTX
A Survey of Container Security in 2016: A Security Update on Container Platforms
Salman Baset
 
PDF
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
Docker, Inc.
 
PDF
It takes a Village to do the Impossible - Jeff Lindsay
Docker, Inc.
 
PDF
Securing your Containers
Riyaz Faizullabhoy
 
PDF
Secure Substrate: Least Privilege Container Deployment
Docker, Inc.
 
PDF
DockerCon EU 2015: The Latest in Docker Engine
Docker, Inc.
 
PDF
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
Docker, Inc.
 
PPTX
Docker Bday #5, SF Edition: Introduction to Docker
Docker, Inc.
 
PDF
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
Docker, Inc.
 
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
Docker, Inc.
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
Thomas Graf
 
DockerCon 2017 - General Session Day 1 - Solomon Hykes
Docker, Inc.
 
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
Docker, Inc.
 
How to be successful running Docker in Production
Docker, Inc.
 
DockerCon SF 2015: Docker Security
Docker, Inc.
 
DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...
Docker, Inc.
 
Browser Testing with Docker - Craig Huber
Docker, Inc.
 
Networking Overview for Docker Platform
Aditya Patawari
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
Docker, Inc.
 
DCSF19 CMD and Conquer: Containerizing the Monolith
Docker, Inc.
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
Salman Baset
 
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
Docker, Inc.
 
It takes a Village to do the Impossible - Jeff Lindsay
Docker, Inc.
 
Securing your Containers
Riyaz Faizullabhoy
 
Secure Substrate: Least Privilege Container Deployment
Docker, Inc.
 
DockerCon EU 2015: The Latest in Docker Engine
Docker, Inc.
 
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
Docker, Inc.
 
Docker Bday #5, SF Edition: Introduction to Docker
Docker, Inc.
 
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
Docker, Inc.
 
Ad

Similar to Building a Secure App with Docker - Ying Li and David Lawrence, Docker (20)

PDF
5 Ways to Secure Your Containers for Docker and Beyond
Black Duck by Synopsys
 
PPTX
DockerCon EU 2015 Barcelona
Roman Dembitsky
 
PDF
DCEU 18: Docker Container Security
Docker, Inc.
 
PDF
Docker Containers Security
Stephane Woillez
 
PDF
Docker Introduction
Peng Xiao
 
PPTX
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
PPTX
Kubernetes and container security
Volodymyr Shynkar
 
PDF
Orchestrating Distributed Apps with Docker
Carl Su
 
PDF
Evénement Docker Paris: Anticipez les nouveaux business model et réduisez vos...
Docker, Inc.
 
PPTX
Devoxx 2016 - Docker Nuts and Bolts
Patrick Chanezon
 
PDF
Docker at and with SignalFx
SignalFx
 
PDF
Docker {at,with} SignalFx
Maxime Petazzoni
 
PDF
Dockercon 2015 Recap
ehazlett
 
PPTX
OpenStack Summit
Docker, Inc.
 
PPTX
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013
dotCloud
 
PDF
Docker Introduction
Jeffrey Ellin
 
PDF
Secure Application Development in the Age of Continuous Delivery
Black Duck by Synopsys
 
PPTX
Secure Application Development in the Age of Continuous Delivery
Tim Mackey
 
PPTX
Docker Security
antitree
 
PDF
Docker Security and Content Trust
ehazlett
 
5 Ways to Secure Your Containers for Docker and Beyond
Black Duck by Synopsys
 
DockerCon EU 2015 Barcelona
Roman Dembitsky
 
DCEU 18: Docker Container Security
Docker, Inc.
 
Docker Containers Security
Stephane Woillez
 
Docker Introduction
Peng Xiao
 
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
Kubernetes and container security
Volodymyr Shynkar
 
Orchestrating Distributed Apps with Docker
Carl Su
 
Evénement Docker Paris: Anticipez les nouveaux business model et réduisez vos...
Docker, Inc.
 
Devoxx 2016 - Docker Nuts and Bolts
Patrick Chanezon
 
Docker at and with SignalFx
SignalFx
 
Docker {at,with} SignalFx
Maxime Petazzoni
 
Dockercon 2015 Recap
ehazlett
 
OpenStack Summit
Docker, Inc.
 
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013
dotCloud
 
Docker Introduction
Jeffrey Ellin
 
Secure Application Development in the Age of Continuous Delivery
Black Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Tim Mackey
 
Docker Security
antitree
 
Docker Security and Content Trust
ehazlett
 
Ad

More from Docker, Inc. (20)

PDF
Containerize Your Game Server for the Best Multiplayer Experience
Docker, Inc.
 
PDF
How to Improve Your Image Builds Using Advance Docker Build
Docker, Inc.
 
PDF
Build & Deploy Multi-Container Applications to AWS
Docker, Inc.
 
PDF
Securing Your Containerized Applications with NGINX
Docker, Inc.
 
PDF
How To Build and Run Node Apps with Docker and Compose
Docker, Inc.
 
PDF
Hands-on Helm
Docker, Inc.
 
PDF
Distributed Deep Learning with Docker at Salesforce
Docker, Inc.
 
PDF
The First 10M Pulls: Building The Official Curl Image for Docker Hub
Docker, Inc.
 
PDF
Monitoring in a Microservices World
Docker, Inc.
 
PDF
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
Docker, Inc.
 
PDF
Predicting Space Weather with Docker
Docker, Inc.
 
PDF
Become a Docker Power User With Microsoft Visual Studio Code
Docker, Inc.
 
PDF
How to Use Mirroring and Caching to Optimize your Container Registry
Docker, Inc.
 
PDF
Monolithic to Microservices + Docker = SDLC on Steroids!
Docker, Inc.
 
PDF
Kubernetes at Datadog Scale
Docker, Inc.
 
PDF
Labels, Labels, Labels
Docker, Inc.
 
PDF
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Docker, Inc.
 
PDF
Build & Deploy Multi-Container Applications to AWS
Docker, Inc.
 
PDF
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
Docker, Inc.
 
PDF
Developing with Docker for the Arm Architecture
Docker, Inc.
 
Containerize Your Game Server for the Best Multiplayer Experience
Docker, Inc.
 
How to Improve Your Image Builds Using Advance Docker Build
Docker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
Docker, Inc.
 
Securing Your Containerized Applications with NGINX
Docker, Inc.
 
How To Build and Run Node Apps with Docker and Compose
Docker, Inc.
 
Hands-on Helm
Docker, Inc.
 
Distributed Deep Learning with Docker at Salesforce
Docker, Inc.
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
Docker, Inc.
 
Monitoring in a Microservices World
Docker, Inc.
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
Docker, Inc.
 
Predicting Space Weather with Docker
Docker, Inc.
 
Become a Docker Power User With Microsoft Visual Studio Code
Docker, Inc.
 
How to Use Mirroring and Caching to Optimize your Container Registry
Docker, Inc.
 
Monolithic to Microservices + Docker = SDLC on Steroids!
Docker, Inc.
 
Kubernetes at Datadog Scale
Docker, Inc.
 
Labels, Labels, Labels
Docker, Inc.
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Docker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
Docker, Inc.
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
Docker, Inc.
 
Developing with Docker for the Arm Architecture
Docker, Inc.
 

Recently uploaded (20)

PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Approach and Philosophy of On baking technology
30anthuong17
 

Building a Secure App with Docker - Ying Li and David Lawrence, Docker

  • 1. David Lawrence Sr. Security Engineer Docker Ying Li Security Engineer Docker Building a Secure Docker App
  • 5. “... tech giant Juniper Networks revealed in a startling announcement that it had found “unauthorized” code embedded in an operating system running on some of its firewalls.” - wired.com
  • 6. Where did it come from?
  • 7. User Authentication • Multi-Factor Authentication • Key Based Authentication Sign your commits • Use hardware like Yubikeys Secure your source
  • 9. Pin your dependencies • Include the list with the source • (golang) vendor.conf, Godeps.json • (python) requirements.txt • (ruby) Gemfile • (node) package.json Validate your upstreams
  • 10. Pin your dependencies • Include the list with the source • Use checksums Validate your upstreams requires == 2.13 --hash=sha256:2cf24dba5fb0a30e26e83… golang.org/x/crypto 5bcd134fee4dd1475da17714aac19c0a…
  • 11. Pin your dependencies • Include the list with the source • Use checksums • Use publisher keys when available Validate your upstreams
  • 13. Verify everything on ingress • commit signatures • dependency checksums • dependency signatures • Docker Content Trust (DCT) signatures of base images CI is an island
  • 14. Be minimal, be disciplined • do build minimal images • do not embed secret/ sensitive data in images • do sign built images with Docker Content Trust (DCT) CI is ascetic
  • 22. Find Common Vulnerabilities and Exposures (CVEs) • stop being reactive, get proactive • make compliance easier Get notified about new CVEs • automate the auditing of existing applications Docker Security Scanning (DSS)
  • 25. Docker Trusted Registry (DTR) and Docker Hub/Cloud come with DCT metadata hosting • you can start signing now • provides trust from publisher to consumer • no need to trust the middleman Docker Content Trust (DCT)
  • 27. • use Docker Content Trust to only deploy signed artifacts • use Docker EE Signing Policies to guarantee applications meet your acceptance criteria What are you deploying?
  • 28. Use the absolute minimum privilege set necessary! Don’t: docker run --privileged ... Do: docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN ... Least Privileged Microservices
  • 30. Defense in Depth • isolate sensitive workloads to their own nodes • use docker secrets Least Privileged Nodes
  • 31. Mitigate entire classes of compromise • run read-only containers • use Docker Editions for <your platform here> Immutable Infrastructure
  • 37. 1. Secure & sign your source 2. Pin & verify your dependencies 3. Sign your artifacts with Docker Content Trust 4. Leverage Docker Security Scanning 5. Deploy onto immutable infrastructure … 6. … with Least Privilege configurations In Summary