Securing Docker Containers Randy Kilmon VP Engineering Black Duck Software

Upload: black-duck-software

Post on 10-Jan-2017


TRANSCRIPT

Page 1: Securing Docker Containers

Securing Docker Containers

Randy Kilmon, VP Engineering

Black Duck Software

Page 2: Securing Docker Containers

How Pervasive is Open Source?

• > 98% of the applications tested used open source

• On average, open source comprised over 30% of the code base

[Chart: composition of software tested across 1400 Black Duck customers, open source versus custom code]

Reference: Black Duck Software audits

Page 3: Securing Docker Containers

Building Trust & Confidence is Critical to Adoption of Docker

Security is ranked as the #1 adoption challenge for containers

• 60% of customers are concerned about container security and the lack of certification and image provenance

• 40% of available container images contain high-priority vulnerabilities

• 4,000 new vulnerabilities in open source are reported annually, e.g., Heartbleed, Shellshock, Venom, Ghost

Black Duck Customer Conference

Page 4: Securing Docker Containers

Areas of Concern

Docker security issues fall into three main categories

• Docker itself and the infrastructure it uses

• The authenticity and provenance of the images themselves

• The security profile of the content within the containers Docker runs


Page 5: Securing Docker Containers

Docker Infrastructure

Docker Daemon / Docker Socket

• The Docker daemon runs as root on the host system

• An attack that reaches the host through the daemon (or through its socket, which lets anyone who can reach it start a new container with any settings) therefore has root privileges

• Many Docker containers run with the --privileged flag set, which gives the container all capabilities and access to every device on the host system and disables the default seccomp and AppArmor confinement (BAD idea)
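As an added example (not part of the original slides and not Black Duck code), the following Python script parses the JSON array that `docker inspect <container>...` prints and flags the settings this slide warns about: --privileged, the Docker socket bind-mounted into a container, host PID or network namespaces, and added capabilities that give a route to the host. The field names (`HostConfig.Privileged`, `HostConfig.PidMode`, `HostConfig.NetworkMode`, `HostConfig.CapAdd`, `Mounts[].Source`) are the real ones from `docker inspect` output; the embedded sample, the script name `audit_containers.py` and the set of "risky" capabilities are this example's own choices.

```python
"""Flag running containers that widen the host attack surface.

Added example, not from the original slides or from Black Duck. Input is the
JSON array that `docker inspect <container>...` prints. The sample below is
constructed, not captured from a real host.
"""
import json
import sys

DOCKER_SOCKET = "/var/run/docker.sock"

# Capabilities that give a root process inside the container a realistic route
# to the host even without --privileged (the selection is this example's own).
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
              "DAC_READ_SEARCH", "NET_ADMIN"}

# Constructed stand-in for `docker inspect` output: three containers.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/ci-runner",
     "HostConfig": {"Privileged": True, "PidMode": "", "NetworkMode": "bridge",
                    "CapAdd": None},
     "Mounts": [{"Type": "bind", "Source": DOCKER_SOCKET,
                 "Destination": DOCKER_SOCKET}]},
    {"Id": "bbb222", "Name": "/web",
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                    "CapAdd": ["NET_BIND_SERVICE"]},
     "Mounts": []},
    {"Id": "ccc333", "Name": "/debug",
     "HostConfig": {"Privileged": False, "PidMode": "host", "NetworkMode": "host",
                    "CapAdd": ["SYS_PTRACE"]},
     "Mounts": []},
])


def audit(inspect_json):
    """Return {container name: [finding, ...]} for containers with risky settings."""
    findings = {}
    for container in json.loads(inspect_json):
        name = (container.get("Name") or container["Id"]).lstrip("/")
        host_config = container.get("HostConfig") or {}
        issues = []
        if host_config.get("Privileged"):
            issues.append("--privileged: all capabilities, every host device, "
                          "default seccomp/AppArmor confinement disabled")
        for mount in container.get("Mounts") or []:
            if mount.get("Source") == DOCKER_SOCKET:
                issues.append("Docker socket mounted at %s: equivalent to root on the host"
                              % mount.get("Destination"))
        if host_config.get("PidMode") == "host":
            issues.append("host PID namespace: can see (and with SYS_PTRACE attach to) host processes")
        if host_config.get("NetworkMode") == "host":
            issues.append("host network namespace: no network isolation from the host")
        risky = RISKY_CAPS.intersection(host_config.get("CapAdd") or [])
        if risky:
            issues.append("added capabilities: " + ", ".join(sorted(risky)))
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) > running.json
    #        python3 audit_containers.py running.json
    # With no argument the constructed sample is audited instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, issues in audit(text).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

On the sample, `ci-runner` is flagged twice (privileged and socket mount) and `debug` three times (host PID, host network, SYS_PTRACE), while `web` passes: NET_BIND_SERVICE only lets it bind low ports and is not in the risky set.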


Page 6: Securing Docker Containers

Responses

Linux adaptations to counter the threat

• Red Hat Atomic Host

• SELinux (multi-tenancy)

• “Locked down” system (read-only /usr)

• Intended to change configurations only in /var & /etc

• No yum package manager

• VMware Photon and Lightwave

• Photon is an optimized and secured Linux host designed for running containers at scale

• Lightwave used for managing authorization and identity management


Page 7: Securing Docker Containers

Container Contents

Containers can be vulnerable by virtue of the code that runs inside them

• OSS components running inside containers represent potential attack vectors in the same way they do in traditional deployment models

• Could cause problems for the application itself

• Could cause more problems if the container is running with the --privileged flag set

• Different OS flavors and versions, as well as different module versions

• Based on any one of many Linux distributions

• Patches must be managed carefully

• Security, but also compatibility & supportability


Page 8: Securing Docker Containers

Responses

Manage and monitor container content carefully

• Dockerfile analysis is insufficient

• .tar, .zip files could have anything inside them

• Other layers are just referenced from other registries

• Asking the package manager is insufficient

• Not all modules are under the package manager’s purview

• Application layer code (e.g., .jar files) is never managed in this way

• File inspection (scanning) is the only way to be sure about what’s there


Page 9: Securing Docker Containers

Microservices

The more containers you spin up, the larger the attack surface you expose

• Speed is critical

• Speed to detection of problems

• Speed to remediation


Page 10: Securing Docker Containers

The Black Duck Solution

Black Duck key differentiators

• Platform-agnostic support in Hub for analyzing all content (whether inside containers or not)

• Signature-based file identification

• Automated identification

• Able to show in which layer the component was introduced

• Vulnerability reporting over time / alerting
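The file-inspection approach argued for on slide 8 (hash the files themselves rather than trusting the Dockerfile or the package manager, and look inside tarballs) and the layer attribution listed on slide 10 can be shown together in one small scanner. The following is an added example written for this page, not Black Duck's implementation: an image is modelled as an ordered list of layer tarballs, every regular file in every layer is hashed, tar archives found inside a layer are opened recursively, each hash is looked up in a signature catalogue, and a match is attributed to the first layer that introduced it. The layers, the placeholder payloads and the catalogue are constructed; the only real identifier is CVE-2014-0160 (Heartbleed), which the slides name.

```python
"""Identify components in a container image by hashing the files in each layer.

Added example, not Black Duck's implementation. An image is an ordered list of
layer tarballs; the scan hashes every regular file in every layer without
consulting a package manager, descends into tar archives found inside a layer,
looks each hash up in a signature catalogue and records the first layer that
introduced each match. Layers, payloads and catalogue are all constructed.
"""
import hashlib
import io
import tarfile


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_layer(files):
    """Build an in-memory layer tarball from {path: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed payloads standing in for real binaries.
LIBSSL_OLD = b"libssl.so.1.0.1e placeholder bytes"
COMMONS_COLLECTIONS = b"commons-collections-3.2.1.jar placeholder bytes"
APP_JAR = b"myapp-1.0.jar placeholder bytes"

# Signature catalogue: file hash -> (component, version, known issues). Constructed;
# a real catalogue holds many hashes per component and links each to advisories.
KNOWN_SIGNATURES = {
    sha256(LIBSSL_OLD): ("openssl", "1.0.1e", ["CVE-2014-0160 (Heartbleed)"]),
    sha256(COMMONS_COLLECTIONS): ("commons-collections", "3.2.1",
                                  ["deserialization of untrusted data"]),
}

# Constructed image: four layers. A second copy of the old libssl sits inside a
# tarball that was COPYed into the image unextracted, and neither the jar nor
# the vendored library has any package-manager record.
LAYERS = [
    ("base-os", make_layer({"usr/lib/libssl.so.1.0.0": LIBSSL_OLD,
                            "etc/os-release": b"ID=debian\n"})),
    ("app-deps", make_layer({"opt/app/lib/commons-collections-3.2.1.jar": COMMONS_COLLECTIONS})),
    ("vendored", make_layer({"opt/vendor/bundle.tar":
                             make_layer({"lib/libssl.so.1.0.0": LIBSSL_OLD})})),
    ("app", make_layer({"opt/app/myapp.jar": APP_JAR})),
]

ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz")


def iter_files(tar_bytes, prefix=""):
    """Yield (path, bytes) for every regular file, descending into nested tar archives."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            path = prefix + member.name
            if member.name.endswith(ARCHIVE_SUFFIXES):
                # A real scanner would open zip/jar archives the same way.
                yield from iter_files(data, prefix=path + "!/")
            else:
                yield path, data


def scan_image(layers):
    """Return {component: {version, first_layer, paths, issues}} for catalogued files."""
    found = {}
    for layer_name, tar_bytes in layers:
        for path, data in iter_files(tar_bytes):
            hit = KNOWN_SIGNATURES.get(sha256(data))
            if hit is None:
                continue
            component, version, issues = hit
            entry = found.setdefault(component, {"version": version, "first_layer": layer_name,
                                                 "paths": [], "issues": issues})
            entry["paths"].append(layer_name + ":" + path)
    return found


if __name__ == "__main__":
    for component, info in scan_image(LAYERS).items():
        print("%s %s introduced in layer %r" % (component, info["version"], info["first_layer"]))
        for p in info["paths"]:
            print("   ", p)
        print("    issues:", ", ".join(info["issues"]))
```

Hashing whole files is the simplest form of signature matching; it misses rebuilt or patched binaries, which is why production scanners also match on strings, symbols and partial-file signatures. The layer attribution is what makes the finding actionable: a match introduced in the base layer is fixed by rebasing the image, one introduced in the application layer by changing the build.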


Page 11: Securing Docker Containers

Key Integration Points

Many options for workflow

• Scan on any Docker host by accessing images through the Docker daemon

• Scan on RH Atomic Host with file system level integration

• Scan directly against a Docker registry

• CI tools: Jenkins, Bamboo, etc.

• OpenShift (currently in development)*


Page 12: Securing Docker Containers

Demo


Page 13: Securing Docker Containers

Q&A


Let’s talk about how you are using or plan to use Docker in your organizations