SlideShare a Scribd company logo

Why should developers care about container security?

E
Eric Smalling

The document discusses the importance of container security for developers, highlighting the increased responsibilities and security challenges they face due to container technologies. It emphasizes the need for developers to adopt secure practices and integrate security feedback into their workflows without compromising pipeline velocity. Key takeaways include implementing known security practices, minimizing container risks, and empowering developers to proactively address vulnerabilities.

Technology
1 of 20
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Why should developers care about container security? Eric Smalling | Sr. Developer Advocate @ Snyk @ericsmalling
Stranger Danger! Container Edition Eric Smalling | Sr. Developer Advocate @ Snyk @ericsmalling
DevOps Container Security Challenges Eric Smalling | Sr. Developer Advocate @ Snyk @ericsmalling
Eric Smalling ● Senior Developer Advocate @ Snyk ● Based in Dallas/Fort Worth, Texas ● 20+ years enterprise software development ● 10+ years build/test/deploy automation (CI/CD) ● Docker user since 2013 (v0.6) ● 2018 Jenkins Ambassador ● Docker Captain ● CKA, CKAD & CKS Certified @ericsmalling
Agenda Devops vs Security Container Challenges Demo 01 02 03 04 Conclusions
DevOps
Coding Test & Fix Branch Repo Test, Fix Monitor CI/CD Test & Fix Production Test, Fix Monitor Test Registry Build Deploy Get artifacts Ge public & private artifacts SDLC Pipeline
DevSecOps
Container Challenges Historically, developers have owned the security posture of their own code and the libraries used. Containers add security concerns at the operating-system level such as base-image selection, package installation, user and file permissions, and more. Increased Scope of Responsibility These additional technologies used to be owned by other teams such as system engineers or middleware teams. Many developers have never had to deal with securing these layers of the stack. Lack of Expertise While shifting security left adds responsibilities to developer teams, the business owners have expectations that pipeline velocity will not be negatively impacted. Maintaining Velocity
Ownership of developers What does my service contain? ● Source code of my app ● 3rd party dependencies ● Dockerfile ● IaC files (eg. Terraform) ● K8s files
The financial giant said the intruder exploited a configuration vulnerability “ “ -- https://www.theregister.com/2019/07/30/capital_one_hacked/ Configuration is a security risk
Enough Slides. Demo Time!
Coding Test & Fix Branch Repo Test, Fix Monitor CI/CD Test & Fix Production Test, Fix Monitor Test Registry Build Deploy Get artifacts Ge public & private artifacts SDLC Pipeline
DevOps Feedback Loop Empowering developers to build applications securely within the entire development process
Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes
Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes Minimize Footprint Don’t give hackers more tools to expand their exploits Layer Housekeeping Understand how layers work at build and run-time Build strategies Multi-Stage, repeatable builds, standardized labeling, alternative tools Secure Supply Chain Know where images come from. Only CI should push to registries.
Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes Don’t run as root You probably don’t need it. Privileged Containers You almost definitely don’t need it. Drop capabilities Most apps don’t need even Linux capabilities; dropping all and allow only what’s needed. Read Only Root Filesystem Immutability makes exploiting your container harder. Deploy from known sources Pull from known registries only.
Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes Secrets Use them but make sure they’re encrypted and have RBAC applied RBAC Hopefully everybody is using this. SecurityContext Much of the Runtime practices mentioned can be enforced via SC Network Policy Start with zero-trust and add allow rules only as necessary. Enforcement Use OPA (Gatekeeper), Kyverno, etc
Key Takeaways Just like unit tests, fast, actionable security feedback is critical. Working security into a developer’s workflow without slowing them down drives adoption. Feedback Loop Giving developers tools that provide actionable information can allow them to deal with security issues as they are introduced. Empower developers to be proactive Implementing known secure practices for building and running your container images and IaC configurations can mitigate vulnerabilities that slip into deployments as well as zero-day vulnerabilities that may exist. Defence in depth
References: ● Kubernetes SecurityContext Cheatsheet: https://snyk.co/udW5K ● Dockerfile Best Practices: https://docs.docker.com/develop/develop-images/dockerfile_best-practices ● Using multi-stage builds: https://docs.docker.com/develop/develop-images/multistage-build ● OPA Gatekeeper: https://open-policy-agent.github.io/gatekeeper/website/docs ● Kyverno: https://kyverno.io ● PodSecurityPolicy Deprecation: Past, Present, and Future: https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future ● CNCF Certification Curriculum: https://github.com/cncf/curriculum ● Snyk Kubernetes “Quick hit” videos: https://youtube.com/playlist?list=PLQ6IC7glz4-UA4uKQOhmAxh6Mhvr3m4g- Thank you! @ericsmalling

More Related Content

PDF
DevSecOps | DevOps Sec
Rubal Jain
 
PDF
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
PPTX
Integrate Security into DevOps - SecDevOps
Ulf Mattsson
 
PDF
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
PPT
Code Quality - Security
sedukull
 
PPTX
DevSecOps : an Introduction
Prashanth B. P.
 
PDF
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
PPTX
AllDayDevOps 2019 AppSensor
jtmelton
 
DevSecOps | DevOps Sec
Rubal Jain
 
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
Integrate Security into DevOps - SecDevOps
Ulf Mattsson
 
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
Code Quality - Security
sedukull
 
DevSecOps : an Introduction
Prashanth B. P.
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
AllDayDevOps 2019 AppSensor
jtmelton
 

What's hot (20)

PPTX
Integrating security into Continuous Delivery
Tom Stiehm
 
PPTX
You Build It, You Secure It: Introduction to DevSecOps
Sumo Logic
 
PDF
Dev seccon london 2016 intelliment security
DevSecCon
 
PPTX
ABN AMRO DevSecOps Journey
Derek E. Weeks
 
PDF
DevSecOps: essential tooling to enable continuous security 2019-09-16
Rich Mills
 
PPTX
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
PPTX
How to Get Started with DevSecOps
CYBRIC
 
PPTX
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevOps Indonesia
 
PPTX
DevSecOps Training Bootcamp - A Practical DevSecOps Course
Tonex
 
PPTX
A journey from dev ops to devsecops
Veritis Group, Inc
 
PDF
Dos and Don'ts of DevSecOps
Priyanka Aash
 
PDF
Talk DevSecOps to me
Michelle Ribeiro
 
PDF
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
PDF
Introduction to DevSecOps
Setu Parimi
 
PDF
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
PPTX
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PDF
Secure Your Code Implement DevSecOps in Azure
kloia
 
PDF
SecDevOps
Peter Lamar
 
PPTX
Application security meetup - cloud security best practices 24062021
lior mazor
 
PDF
8 Tips for Deploying DevSecOps
Felicia Haggarty
 
Integrating security into Continuous Delivery
Tom Stiehm
 
You Build It, You Secure It: Introduction to DevSecOps
Sumo Logic
 
Dev seccon london 2016 intelliment security
DevSecCon
 
ABN AMRO DevSecOps Journey
Derek E. Weeks
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
Rich Mills
 
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
How to Get Started with DevSecOps
CYBRIC
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevOps Indonesia
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
Tonex
 
A journey from dev ops to devsecops
Veritis Group, Inc
 
Dos and Don'ts of DevSecOps
Priyanka Aash
 
Talk DevSecOps to me
Michelle Ribeiro
 
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
Introduction to DevSecOps
Setu Parimi
 
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Secure Your Code Implement DevSecOps in Azure
kloia
 
SecDevOps
Peter Lamar
 
Application security meetup - cloud security best practices 24062021
lior mazor
 
8 Tips for Deploying DevSecOps
Felicia Haggarty
 
Ad

Similar to Why should developers care about container security? (20)

PDF
Python Web Conference 2022 - Why should devs care about container security.pdf
Eric Smalling
 
PDF
Why Should Developers Care About Container Security?
All Things Open
 
PDF
ATO 2022 - Why should devs care about container security.pdf
Eric Smalling
 
PDF
Container Stranger Danger - Why should devs care about container security
Eric Smalling
 
PDF
GDG SLK - Why should devs care about container security.pdf
James Anderson
 
PDF
KubeHuddle NA 2023 - Why should devs care about container security - Eric Sma...
Eric Smalling
 
PDF
Hacking into your containers, and how to stop it!
Eric Smalling
 
PDF
DevSecCon Lightning 2021- Container defaults are a hackers best friend
Eric Smalling
 
PDF
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
Eric Smalling
 
PPTX
Container security Familiar problems in new technology
Frank Victory
 
PDF
Justin Cormack - The 10 Container Security Tricks That Will Help You Sleep At...
Codemotion
 
PPTX
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
PPTX
10 tips for Cloud Native Security
Karthik Gaekwad
 
PDF
Webinar–Vulnerabilities in Containerised Production Environments
Synopsys Software Integrity Group
 
PDF
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
Juan Vicente Herrera Ruiz de Alejo
 
PDF
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDays Riga
 
PPTX
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Cloud Village
 
PDF
Strategy, planning and governance for enterprise deployments of containers - ...
The Incredible Automation Day
 
PDF
Docker Enterprise Deployment Planning
Stephane Woillez
 
PDF
Security Patterns for Microservice Architectures - SpringOne 2020
Matt Raible
 
Python Web Conference 2022 - Why should devs care about container security.pdf
Eric Smalling
 
Why Should Developers Care About Container Security?
All Things Open
 
ATO 2022 - Why should devs care about container security.pdf
Eric Smalling
 
Container Stranger Danger - Why should devs care about container security
Eric Smalling
 
GDG SLK - Why should devs care about container security.pdf
James Anderson
 
KubeHuddle NA 2023 - Why should devs care about container security - Eric Sma...
Eric Smalling
 
Hacking into your containers, and how to stop it!
Eric Smalling
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
Eric Smalling
 
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
Eric Smalling
 
Container security Familiar problems in new technology
Frank Victory
 
Justin Cormack - The 10 Container Security Tricks That Will Help You Sleep At...
Codemotion
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
10 tips for Cloud Native Security
Karthik Gaekwad
 
Webinar–Vulnerabilities in Containerised Production Environments
Synopsys Software Integrity Group
 
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
Juan Vicente Herrera Ruiz de Alejo
 
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDays Riga
 
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Cloud Village
 
Strategy, planning and governance for enterprise deployments of containers - ...
The Incredible Automation Day
 
Docker Enterprise Deployment Planning
Stephane Woillez
 
Security Patterns for Microservice Architectures - SpringOne 2020
Matt Raible
 
Ad

More from Eric Smalling (11)

PDF
DockerCon 2023 - Live Demo_Hardening Against Kubernetes Hacks.pdf
Eric Smalling
 
PDF
KubeCon NA 2022 - Hardening against Kubernetes Hacks.pdf
Eric Smalling
 
PDF
DevOpsDays Chicago 2022 - Hands-on hacking containers and ways to prevent it
Eric Smalling
 
PDF
Look Ma' - Building Java and Go based container images without Dockerfiles
Eric Smalling
 
PDF
SCaLE 19x - Eric Smalling - Hardening against Kubernetes Hacks
Eric Smalling
 
PDF
DockerCon 2022 - From legacy to Kubernetes, securely & quickly
Eric Smalling
 
PDF
So. many. vulnerabilities. Why are containers such a mess and what to do abou...
Eric Smalling
 
PDF
IBM Index 2018 Conference Workshop: Modernizing Traditional Java App's with D...
Eric Smalling
 
PDF
Best Practices for Developing & Deploying Java Applications with Docker
Eric Smalling
 
PDF
Docker 101 Workshop slides (JavaOne 2017)
Eric Smalling
 
PPTX
Simply your Jenkins Projects with Docker Multi-Stage Builds
Eric Smalling
 
DockerCon 2023 - Live Demo_Hardening Against Kubernetes Hacks.pdf
Eric Smalling
 
KubeCon NA 2022 - Hardening against Kubernetes Hacks.pdf
Eric Smalling
 
DevOpsDays Chicago 2022 - Hands-on hacking containers and ways to prevent it
Eric Smalling
 
Look Ma' - Building Java and Go based container images without Dockerfiles
Eric Smalling
 
SCaLE 19x - Eric Smalling - Hardening against Kubernetes Hacks
Eric Smalling
 
DockerCon 2022 - From legacy to Kubernetes, securely & quickly
Eric Smalling
 
So. many. vulnerabilities. Why are containers such a mess and what to do abou...
Eric Smalling
 
IBM Index 2018 Conference Workshop: Modernizing Traditional Java App's with D...
Eric Smalling
 
Best Practices for Developing & Deploying Java Applications with Docker
Eric Smalling
 
Docker 101 Workshop slides (JavaOne 2017)
Eric Smalling
 
Simply your Jenkins Projects with Docker Multi-Stage Builds
Eric Smalling
 

Recently uploaded (20)

PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Cloud computing and distributed systems.
kkkkkhan
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Teaching material agriculture food technology
LiaRayya
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 

Why should developers care about container security?

  • 1. Why should developers care about container security? Eric Smalling | Sr. Developer Advocate @ Snyk @ericsmalling
  • 2. Stranger Danger! Container Edition Eric Smalling | Sr. Developer Advocate @ Snyk @ericsmalling
  • 3. DevOps Container Security Challenges Eric Smalling | Sr. Developer Advocate @ Snyk @ericsmalling
  • 4. Eric Smalling ● Senior Developer Advocate @ Snyk ● Based in Dallas/Fort Worth, Texas ● 20+ years enterprise software development ● 10+ years build/test/deploy automation (CI/CD) ● Docker user since 2013 (v0.6) ● 2018 Jenkins Ambassador ● Docker Captain ● CKA, CKAD & CKS Certified @ericsmalling
  • 5. Agenda Devops vs Security Container Challenges Demo 01 02 03 04 Conclusions
  • 7. Coding Test & Fix Branch Repo Test, Fix Monitor CI/CD Test & Fix Production Test, Fix Monitor Test Registry Build Deploy Get artifacts Ge public & private artifacts SDLC Pipeline
  • 9. Container Challenges Historically, developers have owned the security posture of their own code and the libraries used. Containers add security concerns at the operating-system level such as base-image selection, package installation, user and file permissions, and more. Increased Scope of Responsibility These additional technologies used to be owned by other teams such as system engineers or middleware teams. Many developers have never had to deal with securing these layers of the stack. Lack of Expertise While shifting security left adds responsibilities to developer teams, the business owners have expectations that pipeline velocity will not be negatively impacted. Maintaining Velocity
  • 10. Ownership of developers What does my service contain? ● Source code of my app ● 3rd party dependencies ● Dockerfile ● IaC files (eg. Terraform) ● K8s files
  • 11. The financial giant said the intruder exploited a configuration vulnerability “ “ -- https://www.theregister.com/2019/07/30/capital_one_hacked/ Configuration is a security risk
  • 13. Coding Test & Fix Branch Repo Test, Fix Monitor CI/CD Test & Fix Production Test, Fix Monitor Test Registry Build Deploy Get artifacts Ge public & private artifacts SDLC Pipeline
  • 14. DevOps Feedback Loop Empowering developers to build applications securely within the entire development process
  • 15. Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes
  • 16. Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes Minimize Footprint Don’t give hackers more tools to expand their exploits Layer Housekeeping Understand how layers work at build and run-time Build strategies Multi-Stage, repeatable builds, standardized labeling, alternative tools Secure Supply Chain Know where images come from. Only CI should push to registries.
  • 17. Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes Don’t run as root You probably don’t need it. Privileged Containers You almost definitely don’t need it. Drop capabilities Most apps don’t need even Linux capabilities; dropping all and allow only what’s needed. Read Only Root Filesystem Immutability makes exploiting your container harder. Deploy from known sources Pull from known registries only.
  • 18. Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes Secrets Use them but make sure they’re encrypted and have RBAC applied RBAC Hopefully everybody is using this. SecurityContext Much of the Runtime practices mentioned can be enforced via SC Network Policy Start with zero-trust and add allow rules only as necessary. Enforcement Use OPA (Gatekeeper), Kyverno, etc
  • 19. Key Takeaways Just like unit tests, fast, actionable security feedback is critical. Working security into a developer’s workflow without slowing them down drives adoption. Feedback Loop Giving developers tools that provide actionable information can allow them to deal with security issues as they are introduced. Empower developers to be proactive Implementing known secure practices for building and running your container images and IaC configurations can mitigate vulnerabilities that slip into deployments as well as zero-day vulnerabilities that may exist. Defence in depth
  • 20. References: ● Kubernetes SecurityContext Cheatsheet: https://snyk.co/udW5K ● Dockerfile Best Practices: https://docs.docker.com/develop/develop-images/dockerfile_best-practices ● Using multi-stage builds: https://docs.docker.com/develop/develop-images/multistage-build ● OPA Gatekeeper: https://open-policy-agent.github.io/gatekeeper/website/docs ● Kyverno: https://kyverno.io ● PodSecurityPolicy Deprecation: Past, Present, and Future: https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future ● CNCF Certification Curriculum: https://github.com/cncf/curriculum ● Snyk Kubernetes “Quick hit” videos: https://youtube.com/playlist?list=PLQ6IC7glz4-UA4uKQOhmAxh6Mhvr3m4g- Thank you! @ericsmalling