Container defaults
A hacker's best friend!
Eric Smalling | Sr. Developer Advocate @ Snyk
@ericsmalling
Eric Smalling
● Senior Developer Advocate @ Snyk
● Based in Dallas/Fort Worth, Texas
● 20+ years enterprise software development
● 10+ years build/test/deploy automation (CI/CD)
● Docker user since 2013 (v0.6)
● 2018 Jenkins Ambassador
● Docker Captain
● CKA, CKAD & CKS Certified
Micro-Agenda
01 Show the app
02 Hack the app
03 Prevention techniques
04 Conclusions
Container Challenges
Increased Scope of Responsibility
Historically, developers have owned the security posture of their own code and the libraries used. Containers add security concerns at the operating-system level such as base-image selection, package installation, user and file permissions, and more.
Lack of Expertise
These additional technologies used to be owned by other teams such as system engineers or middleware teams. Many developers have never had to deal with securing these layers of the stack.
Maintaining Velocity
While shifting security left adds responsibilities to developer teams, the business owners have expectations that pipeline velocity will not be negatively impacted.
Get to the demo already!
https://tenor.com/view/hurry-hurry-up-go-go-on-gif-10089177
Defence
in Depth
Further practices
and tech to
consider.
Images
Runtime
Kubernetes
https://gifer.com/en/4L6N
Images
Minimize Footprint
Don’t give hackers more tools to expand their exploits
Layer Housekeeping
Understand how layers work at build and run-time
Build strategies
Multi-Stage, repeatable builds, standardized labeling, alternative tools
Secure Supply Chain
Know where images come from.
Only CI should push to registries.
Runtime
Don’t run as root
You probably don’t need it.
Privileged Containers
You almost definitely don’t need it.
Drop capabilities
Most apps don't even need Linux capabilities; drop them all and add back only what's needed.
Read Only Root Filesystem
Immutability makes exploiting your container harder.
Deploy from known sources
Pull from known registries only.
Kubernetes
Secrets
Use them, but make sure they're encrypted at rest and have RBAC applied.
RBAC
Hopefully everybody is using this.
SecurityContext (https://snyk.co/udUTc)
Many of the Runtime practices mentioned can be enforced via the SecurityContext.
Network Policy
Start with zero-trust (default deny) and add allow rules only as necessary.
Enforcement
Use an admission controller such as OPA (Gatekeeper) or Kyverno to enforce the above.
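The Runtime settings (non-root, no privileged mode, dropped capabilities, read-only root filesystem) and the SecurityContext and Network Policy items above, written out as a Kubernetes manifest. This is an added example, not a manifest from the talk or from Snyk; the image name, namespace, UID and the ingress-controller namespace label are placeholders to replace with your own.

```yaml
# Added example (not from the slides). Placeholders: image registry.example.com/team/app:1.4.2,
# namespace "shop", UID 10001, ingress controller in namespace "ingress-nginx".
# Assumes the app listens on 8080 and only needs to write under /tmp.
apiVersion: v1
kind: Pod
metadata:
  name: shop-web
  namespace: shop
  labels:
    app: shop-web
spec:
  automountServiceAccountToken: false   # no API-server token in the pod unless the app really needs one
  securityContext:                      # pod level: applies to every container in the pod
    runAsNonRoot: true                  # kubelet refuses to start a container that would run as UID 0
    runAsUser: 10001                    # explicit non-root UID, so the image's USER line does not matter
    runAsGroup: 10001
    fsGroup: 10001                      # mounted volumes are group-writable by this GID, not by root
    seccompProfile:
      type: RuntimeDefault              # runtime's default syscall filter instead of Unconfined
  containers:
  - name: web
    image: registry.example.com/team/app:1.4.2   # placeholder; pull from your known registry only
    ports:
    - containerPort: 8080
    securityContext:                    # container level: the per-container hardening
      privileged: false                 # "you almost definitely don't need it"
      allowPrivilegeEscalation: false   # no setuid binaries, no capability gain via exec
      readOnlyRootFilesystem: true      # immutability: nothing can be written into the image layers
      capabilities:
        drop: ["ALL"]                   # start from zero ...
        # add: ["NET_BIND_SERVICE"]     # ... and add back only what is proven necessary (not needed on 8080)
    volumeMounts:
    - name: tmp
      mountPath: /tmp                   # the single writable path the app requires
  volumes:
  - name: tmp
    emptyDir: {}                        # scratch space that disappears with the pod
---
# Zero-trust starting point: deny all ingress and egress for the pods selected above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: shop-web-default-deny
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: shop-web
  policyTypes: ["Ingress", "Egress"]
---
# First allow rule: only the ingress controller may reach the app, and only on TCP/8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: shop-web-allow-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: shop-web
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx   # placeholder namespace name
    ports:
    - protocol: TCP
      port: 8080
```

Two things to expect when applying this: `kubectl apply --dry-run=server -f pod.yaml` surfaces schema mistakes before anything is scheduled, and the default-deny policy also blocks DNS, so the next allow rule is normally an egress rule to kube-dns on port 53 (UDP and TCP) followed by one rule per downstream dependency. Network policies only take effect when the cluster's CNI plugin enforces them, so confirm that before relying on the deny.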
References
● Kubernetes SecurityContext Cheatsheet: https://snyk.co/udW5K
● Dockerfile Best Practices: https://docs.docker.com/develop/develop-images/dockerfile_best-practices
● Using multi-stage builds: https://docs.docker.com/develop/develop-images/multistage-build
● OPA Gatekeeper: https://open-policy-agent.github.io/gatekeeper/website/docs
● Kyverno: https://kyverno.io
● PodSecurityPolicy Deprecation: Past, Present, and Future: https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future
● CNCF Certification Curriculum: https://github.com/cncf/curriculum
● Snyk Kubernetes “Quick hit” videos: https://youtube.com/playlist?list=PLQ6IC7glz4-UA4uKQOhmAxh6Mhvr3m4g-
Thank you!
@ericsmalling
We Made It!
https://www.vox.com/2016/8/15/12495316/allyson-felix-shaunae-miller-400-meter-olympics-rio

DevSecCon Lightning 2021 - Container defaults are a hacker's best friend