SlideShare a Scribd company logo

Container Security Mmanagement

S
Suresh Thivanka Rupasinghe

The document details container security management, focusing on the use of container runtimes like Docker and Kubernetes for automating application deployment and scaling. It outlines various attack vectors, security practices, and tools for securing CI/CD pipelines and runtime environments. Key best practices from OWASP for maintaining container security and managing secrets in Kubernetes are also highlighted.

Technology
Related topics:
Cloud Computing Insights Information Security
1 of 25
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Container Security Management Suresh Rupasinghe Associate Tech Lead - WSO2
Cloud Native Technologies
What is a Container? A standardized unit of software ● Lightweight ● Standalone Cloud Native Security Container Runtimes: ● Docker ● rkt
Comparing Containers and Virtual Machines Container Virtual Machine
What is Kubernetes? K8s is an open-source system for automating deployment, scaling, and management of containerized applications. Cloud Native Security
Traditional Approach vs. Modern Application Approach Cloud Native Security
Demo
Containers & K8s Attack Vectors Poisoned ImagesKernel Attack Denial of Service Cloud Native Security Container Breakouts Sniffing Secrets
The Attack Kill Chain 1. Recon 2. Weaponization 3. Delivery 4. Exploitation 5. Installation 6. Command & Control 7. Exfiltration Cloud Native Security
Recent Attacks…!!! Cloud Native Security
Container Security Stack Container Security Infrastructure Pod Security Policies Network Filtering Secrets Management Build Code Analysis Image Scanning Deployment Check Runtime Anomaly Detection Forensics Run-Time Vulnerability Scanning Cloud Native Security
Securing CI/CD Pipeline
Securing CI/CD Pipeline Cloud Native Security Docker Hub
Sample Dockerfile & K8s Deployment file Cloud Native Security
Securing CI/CD Pipeline 1. Image Scanning ● Clair by CoreOS ● Anchore 2. Code Analysis 3. Deployment Checks ● Kubesec.io Cloud Native SecurityCloud Native Security
Infrastructure Layer Security
Infrastructure Layer Security 1. Pod Security Policies ● Kubernetes Pod Security Policy Advisor 2. Network Filtering ● Cilium Cloud Native SecurityCloud Native Security
Run-time Security
Run-time Security 1. Anomalous Behavior Detection ■ Falco 2. Runtime Vulnerability Scanning 3. Security Auditing Cloud Native Security
OWASP Best Practices RULE #0 - Keep Host and Docker up to date RULE #1 - Do not expose the Docker daemon socket RULE #2 - Set a user RULE #3 - Limit capabilities (Grant only specific capabilities, needed by a container) RULE #4 - Add –no-new-privileges flag Cloud Native Security
OWASP Best Practices - RULE #5 - Disable inter-container communication (--icc=false) RULE #6- Use Linux Security Module (seccomp, AppArmor, or SELinux) RULE #7 - Limit resources (memory, CPU, file descriptors, processes, restarts) RULE #8 - Set filesystem and volumes to read-only RULE #9 - Use static analysis tools RULE #10 - Set the logging level to at least INFO Cloud Native Security
Secret Management Kubernetes Level ● Kubernetes secret ● HashiCorp Vault Source Code Level ● Helm Secrets ● Sealed Secrets Cloud Native Security
References: ● https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1---do-n ot-expose-the-docker-daemon-socket-even-to-the-containers ● https://www.youtube.com/channel/UCvqbFHwN-nwalWPjPUKpvTA ● https://istio.io/ ● https://www.youtube.com/watch?v=Jbqxsli2tRw ● https://www.youtube.com/watch?v=15bsTualHnA ● https://www.youtube.com/watch?v=Uocf67aD5QQ ● https://www.openpolicyagent.org/ ● https://spiffe.io/
Q&A
THANK YOU

More Related Content

PDF
Securing your Kubernetes applications
Néstor Salceda
 
PDF
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Néstor Salceda
 
PDF
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Néstor Salceda
 
PPT
Container security
Anthony Chow
 
PDF
Container Security Deep Dive & Kubernetes
Aqua Security
 
PDF
Incident Response in Cyber-Relevant Time - OpenC2
Vasileios Mavroeidis
 
PPTX
Equifax cyber attack contained by containers
Aqua Security
 
PPTX
Hug #9 who's keeping your secrets
Cameron More
 
Securing your Kubernetes applications
Néstor Salceda
 
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Néstor Salceda
 
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Néstor Salceda
 
Container security
Anthony Chow
 
Container Security Deep Dive & Kubernetes
Aqua Security
 
Incident Response in Cyber-Relevant Time - OpenC2
Vasileios Mavroeidis
 
Equifax cyber attack contained by containers
Aqua Security
 
Hug #9 who's keeping your secrets
Cameron More
 

What's hot (20)

PDF
All Your Containers Are Belong To Us
Lacework
 
PDF
Security threats with Kubernetes - Igor Khoroshchenko
Kuberton
 
PDF
Stop disabling SELinux!
Maciej Lasyk
 
PPTX
Kali presentation
Zain Ul abadin
 
PDF
Secure and Simple Sandboxing in SELinux
James Morris
 
PDF
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
Lacework
 
PDF
(03 2013) guide to kali linux
julius77
 
PPTX
Kali Linux - Falconer
Tony Godfrey
 
PDF
Principles of Monitoring Microservices
Michael Ducy
 
PDF
Monitoring & Securing Microservices in Kubernetes
Michael Ducy
 
PDF
Are Your Containers as Secure as You Think?
DevOps.com
 
PDF
penetration test using Kali linux ppt
AbhayNaik8
 
PDF
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
PDF
What is Google Cloud Good For at DevFestInspire 2021
Robert John
 
PPTX
Lacework | Top 10 Cloud Security Threats
Lacework
 
PPTX
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
OWASP Kyiv
 
PDF
Malware Collection and Analysis via Hardware Virtualization
Tamas K Lengyel
 
PDF
Kubernetes - Security Journey
Jerry Jalava
 
PDF
Parrot Security OS | Introduction to Parrot Security OS | Cybersecurity Train...
Edureka!
 
PPTX
Shamsa altayer 10bg kali linux
shamsaot
 
All Your Containers Are Belong To Us
Lacework
 
Security threats with Kubernetes - Igor Khoroshchenko
Kuberton
 
Stop disabling SELinux!
Maciej Lasyk
 
Kali presentation
Zain Ul abadin
 
Secure and Simple Sandboxing in SELinux
James Morris
 
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
Lacework
 
(03 2013) guide to kali linux
julius77
 
Kali Linux - Falconer
Tony Godfrey
 
Principles of Monitoring Microservices
Michael Ducy
 
Monitoring & Securing Microservices in Kubernetes
Michael Ducy
 
Are Your Containers as Secure as You Think?
DevOps.com
 
penetration test using Kali linux ppt
AbhayNaik8
 
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
What is Google Cloud Good For at DevFestInspire 2021
Robert John
 
Lacework | Top 10 Cloud Security Threats
Lacework
 
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
OWASP Kyiv
 
Malware Collection and Analysis via Hardware Virtualization
Tamas K Lengyel
 
Kubernetes - Security Journey
Jerry Jalava
 
Parrot Security OS | Introduction to Parrot Security OS | Cybersecurity Train...
Edureka!
 
Shamsa altayer 10bg kali linux
shamsaot
 
Ad

Similar to Container Security Mmanagement (20)

PDF
Cloud-Native Security
VMware Tanzu
 
PDF
Cloud Native Security: New Approach for a New Reality
Carlos Andrés García
 
PDF
The Art of Cloud Native Defense on Kubernetes
Jacopo Nardiello
 
PDF
Securing Microservices in Containerized Environments
DevOps.com
 
PPTX
Kubernetes and container security
Volodymyr Shynkar
 
PDF
GDG SLK - Why should devs care about container security.pdf
James Anderson
 
PDF
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDays Riga
 
PDF
KubeHuddle NA 2023 - Why should devs care about container security - Eric Sma...
Eric Smalling
 
PPTX
Security for cloud native workloads
Runcy Oommen
 
PPTX
Understanding container security
John Kinsella
 
PDF
DCSF19 Container Security: Theory & Practice at Netflix
Docker, Inc.
 
PDF
Python Web Conference 2022 - Why should devs care about container security.pdf
Eric Smalling
 
PDF
Why Should Developers Care About Container Security?
All Things Open
 
PDF
ATO 2022 - Why should devs care about container security.pdf
Eric Smalling
 
PDF
Container Stranger Danger - Why should devs care about container security
Eric Smalling
 
PDF
Bridging The Cloud and Application Security Gaps Meetup 15102024
lior mazor
 
PPTX
Containers and workload security an overview
Krishna-Kumar
 
PDF
Chaos engineering for cloud native security - Chaos Carninval 2021
Kennedy
 
PDF
Container Security
Salman Baset
 
PDF
Here Be Dragons: Security Maps of the Container New World
C4Media
 
Cloud-Native Security
VMware Tanzu
 
Cloud Native Security: New Approach for a New Reality
Carlos Andrés García
 
The Art of Cloud Native Defense on Kubernetes
Jacopo Nardiello
 
Securing Microservices in Containerized Environments
DevOps.com
 
Kubernetes and container security
Volodymyr Shynkar
 
GDG SLK - Why should devs care about container security.pdf
James Anderson
 
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDays Riga
 
KubeHuddle NA 2023 - Why should devs care about container security - Eric Sma...
Eric Smalling
 
Security for cloud native workloads
Runcy Oommen
 
Understanding container security
John Kinsella
 
DCSF19 Container Security: Theory & Practice at Netflix
Docker, Inc.
 
Python Web Conference 2022 - Why should devs care about container security.pdf
Eric Smalling
 
Why Should Developers Care About Container Security?
All Things Open
 
ATO 2022 - Why should devs care about container security.pdf
Eric Smalling
 
Container Stranger Danger - Why should devs care about container security
Eric Smalling
 
Bridging The Cloud and Application Security Gaps Meetup 15102024
lior mazor
 
Containers and workload security an overview
Krishna-Kumar
 
Chaos engineering for cloud native security - Chaos Carninval 2021
Kennedy
 
Container Security
Salman Baset
 
Here Be Dragons: Security Maps of the Container New World
C4Media
 
Ad

Recently uploaded (20)

PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
A Presentation on Artificial Intelligence
memembruh336
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Cloud computing and distributed systems.
kkkkkhan
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 

Container Security Mmanagement