SECURING THE SOCKS SHOP
Exploring Microservice Security in an Open Source Sock Shop
Jason Smith
Senior Software Engineer
@jasonrichardsmi
Phil Winder
Freelance Engineer
@DrPhilWinder
Winder Research
1.
Context
Simple Security Measures
Top Tip
Limit the surface area
Limiting the surface area
(Diagram: large surface area vs. small surface area)
SECURITY IS HARD
Failure exploration is the beginning
Icon by http://www.flaticon.com/authors/dave-gandy
One example failure exploration:
Network segmentation and policy, container security, orchestrator security,
application security, external threats, backup security, organisational issues,
responsibility issues, ...
If you read this then you’ve read too far
Today
○ Container security
○ Network segmentation
SOCK SHOP
An open source reference microservices
architecture
Icon by http://www.flaticon.com/authors/freepik
Securing the Socks Shop
git.io/sock-shop
github.com/microservices-demo/microservices-demo
2.
Container Security
Container-level security aspects
○ Restraint
○ Immutability
○ Provenance
○ Hardened OS’s, modules and policies
MD front-end Dockerfile
FROM mhart/alpine-node:6.3
RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
ENV NODE_ENV "production"
ENV PORT 8079
EXPOSE 8079
CMD ["npm", "start"]
MD front-end docker-compose
services:
  front-end:
    image: weaveworksdemos/front-end:9093ed8f9be68d2497bcb92587b01db6ac8197fe
    hostname: front-end
    restart: always
    environment:
      - reschedule=on-node-failure
    networks:
      - mynetwork
CONTAINER USER
So you haven’t set a USER?
Icon by http://www.flaticon.com/authors/elias-bikbulatov
MD front-end Dockerfile
FROM mhart/alpine-node:6.3
RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
ENV NODE_ENV "production"
ENV PORT 8079
EXPOSE 8079
CMD ["npm", "start"]
Let’s add some nasties
docker-compose exec front-end sh
# Inside the container: the image has no USER, so apk runs as root and can install packages.
apk add sl \
  --update-cache \
  --repository http://dl-3.alpinelinux.org/alpine/edge/testing/ \
  --allow-untrusted && \
  export TERM=xterm && \
  sl
READ-ONLY
So your filesystem isn’t read only?
Icon by http://flaticons.net/
MD front-end docker-compose
services:
  front-end:
    image: weaveworksdemos/front-end:9093ed8f9be68d2497bcb92587b01db6ac8197fe
    hostname: front-end
    restart: always
    environment:
      - reschedule=on-node-failure
    networks:
      - mynetwork
Let’s add some nasties
docker-compose exec front-end sh
# Inside the container: the root filesystem is writable, so the served page can be overwritten.
echo '<h1>Phil, you’re such a good presenter. Everyone is loving the talk. Even those at the back sleeping. They’re dreaming about you...</h1><img src="http://www.mememaker.net/static/images/memes/4395158.jpg"/>' > public/index.html
Capabilities
Kernel level operation permissions
Icon by http://freepik.com/
Where haz caps?
(Diagram: Kernel, Container, Orchestrator)
MD catalogue Dockerfile
FROM busybox:1
EXPOSE 80
COPY app /
CMD ["/app", "-port=80"]
MD catalogue Dockerfile
FROM busybox:1
RUN addgroup mygroup && \
    adduser -D -G mygroup myuser
USER myuser
EXPOSE 80
COPY app /
CMD ["/app", "-port=80"]
MD catalogue Dockerfile
FROM alpine:3.4
RUN addgroup mygroup && \
    adduser -D -G mygroup myuser && \
    apk add --update libcap
EXPOSE 80
COPY app /
# Grant only the file capability needed to bind port 80 as a non-root user.
RUN chmod +x /app && \
    chown -R myuser:mygroup /app && \
    setcap 'cap_net_bind_service=+ep' /app
USER myuser
CMD ["/app", "-port=80"]
MD docker-compose
services:
  catalogue:
    ...
    cap_drop:
      - all
    cap_add:
      - NET_BIND_SERVICE
    read_only: true
    ...
The result?
# Same commands as before, now against the hardened catalogue container.
apk add sl \
  --update-cache \
  --repository http://dl-3.alpinelinux.org/alpine/edge/testing/ \
  --allow-untrusted && \
  export TERM=xterm && \
  sl
echo "This won’t work" > public/index.html
grep Cap /proc/self/status
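The masks that `grep Cap /proc/self/status` prints are hex bitfields, so as an added example (not from the talk or the microservices-demo project) here is a decoder that turns them into capability names and flags anything outside an allow-list; the two status dumps are constructed, one with Docker's default root capability set and one showing what cap_drop all / cap_add NET_BIND_SERVICE plus the setcap above should leave.

```python
# Added example: decode Cap* masks from /proc/<pid>/status to verify
# the effect of cap_drop / cap_add from inside a container.
import os

# Capability bit numbers from linux/capability.h (list index == bit).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]

def decode_mask(hexmask):
    """Turn a hex capability mask into the list of set capability names."""
    value = int(hexmask, 16)
    names = [n for bit, n in enumerate(CAP_NAMES) if value >> bit & 1]
    # Bits above the table belong to kernel capabilities newer than this list.
    names += [f"CAP_{b}" for b in range(len(CAP_NAMES), value.bit_length())
              if value >> b & 1]
    return names

def parse_status(text):
    """Collect the Cap* lines of a /proc status dump as {field: [names]}."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("Cap"):
            field, mask = line.split(":")
            caps[field.strip()] = decode_mask(mask.strip())
    return caps

def unexpected_caps(text, allowed):
    """Capabilities in the effective or bounding set that are not allowed."""
    caps = parse_status(text)
    held = set(caps.get("CapEff", [])) | set(caps.get("CapBnd", []))
    return sorted(held - set(allowed))

# Constructed sample: a root container with Docker's default capability set.
DEFAULT_STATUS = ("CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
                  "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n")
# Constructed sample: catalogue after cap_drop all, cap_add NET_BIND_SERVICE, setcap.
HARDENED_STATUS = ("CapInh:\t0000000000000000\nCapPrm:\t0000000000000400\n"
                   "CapEff:\t0000000000000400\nCapBnd:\t0000000000000400\n")

if __name__ == "__main__":
    path = "/proc/self/status"
    text = open(path).read() if os.path.exists(path) else HARDENED_STATUS
    print(unexpected_caps(text, ["CAP_NET_BIND_SERVICE"]))
```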
Top Tip
User, read-only, caps.
11,788: people taken to hospital following accidents while putting on socks, tights or stockings in the UK, 2003
5-10: people who die each year putting on socks in the UK
3.
Network Segmentation
Image by Remember To Play
Trump’s Firewall
Machine-level firewall
Network Segmentation
(Diagram: External, Internal, Back-Office networks)
Shipping docker-compose
shipping:
  image: weaveworksdemos/shipping
  hostname: shipping
  ...
  networks:
    - backoffice
4.
Wrap up
Let’s review some concepts
User: set a user in your Dockerfiles so they don’t run as root
Immutable: make the root container file system read only
Restraint: prevent unauthorised execution
Network Segmentation: prevent inter-network access
Global firewall: block everything, minimise the surface area
Network Policy: be a bouncer, tell your containers who’s allowed access
WHERE?
git.io/sock-shop
github.com/microservices-demo/microservices-demo
Go, try, star, contribute