If it’s in a container it’s secure right ?

A guide to container security by @scottcoulton

About me. Platform engineering lead @

Does the traditional infosectoolchain work efficiently in a world where a container’s average lifespan is 2 days?

1. IntroWhat we will cover

➔ How is container security different ?Does traditional security fit ?

➔ How to protect our containerProtecting from the inside out

➔ Security and CD Can the 2 worlds live together

➔ Live demo

The way that traditional infosec works is

ReactiveContainers allow you to be

Proactive in your approach to infosec

2. ExamplesHere are a few comparable examples:

➔ Traditional Nessus, AV, HIDS

➔ New schoolAppArmor, Clair, Notary

The risks.● DoS the host (CPU, Memory or Disk)● Fork Bomb● Kernel modification● Privilege Escalation

Let’s look @ protecting the engine.

Docker 1.12 Benchmark

Some sane defaults.● Don’t run --pid host or --net host (without knowing the

risks)● Don’t bind your daemon to tcp://0.0.0.0:4243● Don’t use aufs as your storage driver● Use TLS for all daemon traffic

Just one! That’s all you need. (I am talking about process inside your container !!!)

If you know the process then apply AppArmor.

AppArmor example.

Infosec and continuous delivery. The myth ...

Add security to the pipelineEnter

Sign our images with Notary.

The full continuous delivery pipeline.

3. Live DemoWe are going to test what we have learnt today and run a standard Nginx image

We will them use the Dirtyc0w vulnerability to write to a file owned by root, then privilege escalate to root for a standard user :

➔ Without AppArmorAll exploits will work

➔ With AppArmorOur container will be safe

The code from the live demo is available @ https://github.com/scotty-c

Any Questions ?