Abstract image of a woman sitting on books and studying on a laptop

ironing out Docker

N
nindustries

The document outlines cybersecurity best practices at IronPeak Services, focusing on various aspects such as client awareness, host hardening, image management, and runtime security for Docker containers. It highlights the significance of using tools, configurations, and benchmarks that enhance security, including the CIS benchmarks and Docker-specific practices. Additionally, it emphasizes the importance of training and awareness in application security, referencing OWASP standards.

Technology
1 of 16
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
ironing out Docker at ironPeak services ironpeak.be
1. $ whoami 1 - whoami ironpeak.be Niels Hofmans role Independent Cybersecurity Consultant work Code Security, App Security, Hardening, F5 BIG-IP interest Go, Docker, Cloud, Media contact hello@ironpeak.be github github.com/HazCod
2. $ tree 2 - tree ironpeak.be user host image Runtime
3. $ client 3 - client ironpeak.be The Client (you!) - Hidden attack surface - Several attack vectors - Phishing - Hardware - Software - Open-Source - Social Networks - Reused/shared Passwords
3. $ client 3 - client ironpeak.be The Client (you!) - Awareness - Phishing - Common Sense - E-mail headers, content, DMARC - Hardware - Disk encryption - Lock-down BIOS/SMC - Trustless with 2FA - Lock your session
3. $ client 3 - client ironpeak.be The Client (you!) - Software - OS Hardening - Non-privileged User - Firewall - Patching - Verify & Tag Open-Source - Additional - Information leakage: e.g. LinkedIn, Github - Password manager with 2FA
4. $ host 4 - host ironpeak.be Host hardening - CIS Benchmarks - Firewall Daemon hardening - CIS Benchmarks, docker-bench-security, kube-bench - User Namespace Remapping - Live Restore - No experimental features - Swarm autolock - Kernel hardening: github.com/google/gvisor - Enable SELinux/AppArmor + seccomp
4. $ host 4 - host ironpeak.be Daemon Access - UNIX Socket over SSH - HTTP+TLS auth Host Auditing - Off-site log server over TLS/SSH - Log forging / Denial of Service - Audit tracing
 e.g. sysdig.org + falco.org, github.com/netdata/netdata Private Registry - client: DOCKER_CONTENT_TRUST=1 - daemon: content_trust: enforced
5. $ image 5 - image ironpeak.be - DIY & Commercial - Base images: alpine (!), minideb, centos github.com/GoogleContainerTools/distroless - docker-slim - Image Signing - Leakage - .dockerignore - docker secrets/vault - Remove defaults - Network: bridge - Storage: AUFS
5. $ image 5 - image ironpeak.be Dockerfile - Linters; hadolint, … - Pin package versions - Least Privilege - users $user & root without shells - strict permissions - remove unnecessary tooling - security-opt=no-new-privileges - read-only (+ tmpfs) - COPY --chown=x:x instead of ADD - Scan for package vulnerabilities
5. $ image.findWally() 5 - image ironpeak.be
5. $ image.findWally() 5 - image ironpeak.be USER?
5. $ image.getFixed() 5 - image ironpeak.be
6. $ runtime: container 6 - runtime ironpeak.be Container Runtime Properties - Read-Only filesystem - mounts: noexec, nodev, nosuid, mode, size, uid/gid - cgroup limits - restart: on-failure:5 - cap_drop: ALL - security_opt: - no_new_privileges - SELinux/AppArmor + seccomp - Environment vs. Secrets
6. $ runtime: app 6 - runtime ironpeak.be Application Security - OWASP ASVS: Level 1 - Level 3 - web: github.com/OWASP/ASVS - mobile: github.com/OWASP/owasp-masvs - Static Application Security Testing (SAST) - linters - OSS + commercial - Dynamic Application Security Testing (DAST) - OpenVAS, OWASP ZAP, … - Training & Awareness!
7. $ exit 7 - exit ironpeak.be https://ironpeak.be/slides/190319-ironing-out-docker.pdf

More Related Content

PPT
Personal Portfolio
Paul Fritz
 
PDF
SSH how to 2011
Chris Hales
 
PDF
DSpace Manual for BALID Trainee
Nur Ahammad
 
PDF
First fare 2011 website 101 for frc teams
Oregon FIRST Robotics
 
ODP
Introduction to Pelican
Chengjen Lee
 
TXT
Hosts
Cuwam Ohyee
 
ODP
Embedded Systems
OSU Open Source Lab
 
PPT
Astricon 2013: "Asterisk and Database"
Francesco Prior
 
Personal Portfolio
Paul Fritz
 
SSH how to 2011
Chris Hales
 
DSpace Manual for BALID Trainee
Nur Ahammad
 
First fare 2011 website 101 for frc teams
Oregon FIRST Robotics
 
Introduction to Pelican
Chengjen Lee
 
Hosts
Cuwam Ohyee
 
Embedded Systems
OSU Open Source Lab
 
Astricon 2013: "Asterisk and Database"
Francesco Prior
 

What's hot (9)

ODP
Linux basics (part 1)
OSU Open Source Lab
 
PPT
Mining Ruby Gem vulnerabilities for Fun and No Profit.
Larry Cashdollar
 
PDF
Integrate Hue with your Hadoop cluster - Yahoo! Hadoop Meetup
gethue
 
PPT
Raspberry zero usb in linux
GSHCO
 
KEY
Web server local for smarties
cubecolour
 
PPTX
Fun with exploits old and new
Larry Cashdollar
 
PDF
Przemysław Iwanek - ABC AWS, budowanie infrastruktury przy pomocy Terraform
jzielinski_pl
 
PPTX
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Larry Cashdollar
 
PPTX
Netmiko login
selvajegansanthagruz
 
Linux basics (part 1)
OSU Open Source Lab
 
Mining Ruby Gem vulnerabilities for Fun and No Profit.
Larry Cashdollar
 
Integrate Hue with your Hadoop cluster - Yahoo! Hadoop Meetup
gethue
 
Raspberry zero usb in linux
GSHCO
 
Web server local for smarties
cubecolour
 
Fun with exploits old and new
Larry Cashdollar
 
Przemysław Iwanek - ABC AWS, budowanie infrastruktury przy pomocy Terraform
jzielinski_pl
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Larry Cashdollar
 
Netmiko login
selvajegansanthagruz
 
Ad

Similar to ironing out Docker (20)

PDF
Docker security
Janos Suto
 
ODP
Continuous Security
Sysdig
 
PDF
Thotcon - All aboard the Fail Whale
Erin Willingham
 
PDF
Docker Security Deep Dive by Ying Li and David Lawrence
Docker, Inc.
 
PDF
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Phil Estes
 
PDF
Unraveling Docker Security: Lessons From a Production Cloud
Salman Baset
 
PDF
Hide and seek - interesting uses of forensics and covert channels.
tkisason
 
PPTX
Accumulo Summit 2015: Attempting to answer unanswerable questions: Key manage...
Accumulo Summit
 
PDF
Simplest-Ownage-Human-Observed… - Routers
Logicaltrust pl
 
PDF
Filip palian mateuszkocielski. simplest ownage human observed… routers
Yury Chemerkin
 
PDF
Using Puppet to Create a Dynamic Network - PuppetConf 2013
Puppet
 
PDF
Using filesystem capabilities with rsync
Hazel Smith
 
PPTX
Exploring the Future of Helm
Matthew Farina
 
PPTX
Helm @ Orchestructure
Matthew Farina
 
PPT
Unix Security
replay21
 
PDF
Webinar: Automate IBM Connections Installations and more
panagenda
 
PDF
Foxtrot C2: A Journey of Payload Delivery
Dimitry Snezhkov
 
PDF
Art of Web Backdoor - Pichaya Morimoto
Pichaya Morimoto
 
PDF
Building and Customizing CoreOS
雄也 日下部
 
PPTX
CEHv10 M0 Introduction.pptx
YasserOuda2
 
Docker security
Janos Suto
 
Continuous Security
Sysdig
 
Thotcon - All aboard the Fail Whale
Erin Willingham
 
Docker Security Deep Dive by Ying Li and David Lawrence
Docker, Inc.
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Phil Estes
 
Unraveling Docker Security: Lessons From a Production Cloud
Salman Baset
 
Hide and seek - interesting uses of forensics and covert channels.
tkisason
 
Accumulo Summit 2015: Attempting to answer unanswerable questions: Key manage...
Accumulo Summit
 
Simplest-Ownage-Human-Observed… - Routers
Logicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Yury Chemerkin
 
Using Puppet to Create a Dynamic Network - PuppetConf 2013
Puppet
 
Using filesystem capabilities with rsync
Hazel Smith
 
Exploring the Future of Helm
Matthew Farina
 
Helm @ Orchestructure
Matthew Farina
 
Unix Security
replay21
 
Webinar: Automate IBM Connections Installations and more
panagenda
 
Foxtrot C2: A Journey of Payload Delivery
Dimitry Snezhkov
 
Art of Web Backdoor - Pichaya Morimoto
Pichaya Morimoto
 
Building and Customizing CoreOS
雄也 日下部
 
CEHv10 M0 Introduction.pptx
YasserOuda2
 
Ad

Recently uploaded (20)

PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
PDF
Five Habits of High-Impact Board Members
OnBoard
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PPTX
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PDF
August Patch Tuesday
Ivanti
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PDF
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
Five Habits of High-Impact Board Members
OnBoard
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
Modernising the Digital Integration Hub
Daniel Toomey
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
August Patch Tuesday
Ivanti
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
What is a Computer? Input Devices /output devices
GulJan8
 
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 

ironing out Docker

  • 1. ironing out Docker at ironPeak services ironpeak.be
  • 2. 1. $ whoami 1 - whoami ironpeak.be Niels Hofmans role Independent Cybersecurity Consultant work Code Security, App Security, Hardening, F5 BIG-IP interest Go, Docker, Cloud, Media contact hello@ironpeak.be github github.com/HazCod
  • 3. 2. $ tree 2 - tree ironpeak.be user host image Runtime
  • 4. 3. $ client 3 - client ironpeak.be The Client (you!) - Hidden attack surface - Several attack vectors - Phishing - Hardware - Software - Open-Source - Social Networks - Reused/shared Passwords
  • 5. 3. $ client 3 - client ironpeak.be The Client (you!) - Awareness - Phishing - Common Sense - E-mail headers, content, DMARC - Hardware - Disk encryption - Lock-down BIOS/SMC - Trustless with 2FA - Lock your session
  • 6. 3. $ client 3 - client ironpeak.be The Client (you!) - Software - OS Hardening - Non-privileged User - Firewall - Patching - Verify & Tag Open-Source - Additional - Information leakage: e.g. LinkedIn, Github - Password manager with 2FA
  • 7. 4. $ host 4 - host ironpeak.be Host hardening - CIS Benchmarks - Firewall Daemon hardening - CIS Benchmarks, docker-bench-security, kube-bench - User Namespace Remapping - Live Restore - No experimental features - Swarm autolock - Kernel hardening: github.com/google/gvisor - Enable SELinux/AppArmor + seccomp
  • 8. 4. $ host 4 - host ironpeak.be Daemon Access - UNIX Socket over SSH - HTTP+TLS auth Host Auditing - Off-site log server over TLS/SSH - Log forging / Denial of Service - Audit tracing
 e.g. sysdig.org + falco.org, github.com/netdata/netdata Private Registry - client: DOCKER_CONTENT_TRUST=1 - daemon: content_trust: enforced
  • 9. 5. $ image 5 - image ironpeak.be - DIY & Commercial - Base images: alpine (!), minideb, centos github.com/GoogleContainerTools/distroless - docker-slim - Image Signing - Leakage - .dockerignore - docker secrets/vault - Remove defaults - Network: bridge - Storage: AUFS
  • 10. 5. $ image 5 - image ironpeak.be Dockerfile - Linters; hadolint, … - Pin package versions - Least Privilege - users $user & root without shells - strict permissions - remove unnecessary tooling - security-opt=no-new-privileges - read-only (+ tmpfs) - COPY --chown=x:x instead of ADD - Scan for package vulnerabilities
  • 11. 5. $ image.findWally() 5 - image ironpeak.be
  • 12. 5. $ image.findWally() 5 - image ironpeak.be USER?
  • 13. 5. $ image.getFixed() 5 - image ironpeak.be
  • 14. 6. $ runtime: container 6 - runtime ironpeak.be Container Runtime Properties - Read-Only filesystem - mounts: noexec, nodev, nosuid, mode, size, uid/gid - cgroup limits - restart: on-failure:5 - cap_drop: ALL - security_opt: - no_new_privileges - SELinux/AppArmor + seccomp - Environment vs. Secrets
  • 15. 6. $ runtime: app 6 - runtime ironpeak.be Application Security - OWASP ASVS: Level 1 - Level 3 - web: github.com/OWASP/ASVS - mobile: github.com/OWASP/owasp-masvs - Static Application Security Testing (SAST) - linters - OSS + commercial - Dynamic Application Security Testing (DAST) - OpenVAS, OWASP ZAP, … - Training & Awareness!
  • 16. 7. $ exit 7 - exit ironpeak.be https://ironpeak.be/slides/190319-ironing-out-docker.pdf