#RSAC SESSION ID: ASD-R11
Containers: The Dr. Jekyll and Mr. Hyde of Security
Tsvi Korren, Director, Technical Services, Aqua (@aquasecteam)

#RSAC What is a container?
Container [kuhn-TAY-ner], noun
A new form of application deployment: making a process tree think that it has a complete operating system to itself.

#RSAC Why Should You Care?
(Chart: percentage of monitored hosts running Docker. Source: Datadog usage stats)

#RSAC Container lifecycle
BUILD (prereqs, base OS, app) -> SHIP -> RUN

#RSAC Linux Containers building-blocks
• Archive of files in an IMAGE
• Managed by a CONTAINER ENGINE
• Runs as a PROCESS TREE with a FILE SUBSYSTEM
• Isolated by NAMESPACES
• Limited by CGROUPS
(Diagram: container engine on top of a VM / physical server)

#RSAC Business, Dev and Ops
Containers: up in seconds, massive scale, run anywhere.

#RSAC Security professionals... not so much
• Prepackaged images, run as-is with no modification
• Heavily influenced by Dev
• Invisible to most security tools
• Automated, fast-moving
• Can't patch them in place
• Internal host networking
(Diagram: container engines on Host 1 and Host 2, containers talking over host-internal networking)

#RSAC Containers are not really contained

#RSAC The risks are real
• Exploited vulnerabilities
• Unauthorized images
• Insecure configuration
• Privilege escalation
• Host resource impact
• Network attacks
• Lack of accountability
(Diagram: attacker and authenticated user reaching applications in containers on Host 1 and Host 2)

#RSAC It's also a new opportunity
STOP. Shift Left. Automate. Prevent.

#RSAC Shift Left (Build -> Test -> Run)
• Secure: make sure base images are secure
• Register trusted images as approved for use
• Scan for vulnerabilities on the finished product
• Inform developers, so they can fix it

#RSAC Automate
Behavioral whitelisting and least privileges across: file use, secrets, volumes, resource use, user privileges, network use, executables, image integrity.

#RSAC Prevent
Permitted processes:
/usr/bin/curl
/usr/bin/bash
/usr/bin/basename
/usr/bin/tr
/usr/bin/grep
/usr/bin/uname
/usr/bin/dirname
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.101-3.b13.el7_2.x86_64/bin/java
Permitted users: 1000 - jboss
Permitted volumes: /var/log

#RSAC Don't get steamrolled by the container ship
• Find where containers are running
• Do not freak out when you find them
• Understand the business imperative
• Support the effort
• Develop an image build and use policy
• Gain visibility into the CI cycle
• Implement existing controls in a new way
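The Automate and Prevent slides describe a behavioral whitelist: the container may only exec the listed binaries, as the listed user, with only the listed volumes mounted. The following is an added example of how such a policy is evaluated at runtime; it is not code from the slides or from Aqua's product. The permitted processes, user and volume are taken from the Prevent slide; the event format, field names, the `check_event`/`audit` helpers and the sample events are my own assumptions, constructed so the block runs offline.

```python
# Added example (not from the RSAC slides or Aqua's product): a minimal
# behavioural-whitelist evaluator for the "Prevent" policy on the slide.
# The permitted processes, user and volume come from the slide; the event
# format, field names and sample events are constructed assumptions.
import os

POLICY = {
    "executables": {
        "/usr/bin/curl", "/usr/bin/bash", "/usr/bin/basename", "/usr/bin/tr",
        "/usr/bin/grep", "/usr/bin/uname", "/usr/bin/dirname",
        "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.101-3.b13.el7_2.x86_64/bin/java",
    },
    "users": {1000},          # uid 1000 (jboss) on the slide
    "volumes": {"/var/log"},  # a mount must be at or beneath a permitted root
}


def _under(path, roots):
    """True if path equals one of roots or lies beneath it (after normalisation)."""
    path = os.path.normpath(path)
    return any(path == r or path.startswith(r.rstrip("/") + "/") for r in roots)


def check_event(event, policy=POLICY):
    """Return None if the event is permitted, otherwise a short denial reason."""
    kind = event["kind"]
    if kind == "exec":
        # normpath defeats "/usr/bin/../bin/x" style evasion. Symlinks
        # (e.g. /bin -> /usr/bin on EL7) must be resolved by the engine
        # before the path reaches this check; the whitelist is by canonical path.
        path = os.path.normpath(event["path"])
        if path not in policy["executables"]:
            return f"exec of non-whitelisted binary {path}"
        if event["uid"] not in policy["users"]:
            return f"{path} run as uid {event['uid']}, not a permitted user"
        return None
    if kind == "mount":
        if not _under(event["path"], policy["volumes"]):
            return f"mount of non-whitelisted volume {event['path']}"
        return None
    # A whitelist never defaults to allow: unknown event kinds are denied.
    return f"unknown event kind {kind!r}"


def audit(events, policy=POLICY):
    """Evaluate events in order; return (index, reason) for every violation."""
    findings = []
    for i, ev in enumerate(events):
        reason = check_event(ev, policy)
        if reason is not None:
            findings.append((i, reason))
    return findings


# Constructed sample events (not real captures). The first three are normal
# JBoss activity; the last three are the kind of drift or intrusion the
# whitelist exists to block.
SAMPLE_EVENTS = [
    {"kind": "exec", "uid": 1000,
     "path": "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.101-3.b13.el7_2.x86_64/bin/java"},
    {"kind": "exec", "uid": 1000, "path": "/usr/bin/../bin/grep"},  # normalises to a permitted path
    {"kind": "mount", "path": "/var/log/jboss"},                      # beneath /var/log
    {"kind": "exec", "uid": 1000, "path": "/usr/bin/nc"},             # binary not in the image policy
    {"kind": "exec", "uid": 0, "path": "/usr/bin/bash"},              # permitted binary, wrong user
    {"kind": "mount", "path": "/etc"},                                # host path outside /var/log
]

if __name__ == "__main__":
    for idx, why in audit(SAMPLE_EVENTS):
        print(f"DENY event {idx}: {why}")
```

Two design points matter more than the list itself: the exec check is keyed on the canonical path so that `..` components cannot smuggle in an unlisted binary, and every event kind the policy does not model is denied rather than ignored, which is what distinguishes a whitelist from a blacklist. Expanding the `POLICY` dictionary with network destinations or writable file paths is how the other categories on the Automate slide would be covered.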