Why should developers care about container security?
- 1. Why should developers care
about container security?
Eric Smalling | Sr. Developer Advocate @ Snyk
@ericsmalling
- 4. Eric Smalling
● Senior Developer Advocate @ Snyk
● Based in Dallas/Fort Worth, Texas
● 20+ years enterprise software development
● 10+ years build/test/deploy automation (CI/CD)
● Docker user since 2013 (v0.6)
● 2018 Jenkins Ambassador
● Docker Captain
● CKA, CKAD & CKS Certified
@ericsmalling
- 7. Coding
Test & Fix
Branch Repo
Test, Fix
Monitor
CI/CD
Test & Fix
Production
Test, Fix
Monitor
Test
Registry
Build Deploy
Get artifacts
Ge public & private artifacts
SDLC Pipeline
- 9. Container Challenges
Historically, developers have owned
the security posture of their own
code and the libraries used.
Containers add security concerns
at the operating-system level such
as base-image selection, package
installation, user and file
permissions, and more.
Increased Scope of
Responsibility
These additional technologies used
to be owned by other teams such
as system engineers or middleware
teams. Many developers have
never had to deal with securing
these layers of the stack.
Lack of Expertise
While shifting security left adds
responsibilities to developer teams,
the business owners have
expectations that pipeline velocity
will not be negatively impacted.
Maintaining Velocity
- 11. The financial giant said the
intruder exploited a
configuration vulnerability
“
“
-- https://www.theregister.com/2019/07/30/capital_one_hacked/
Configuration is a security risk
- 13. Coding
Test & Fix
Branch Repo
Test, Fix
Monitor
CI/CD
Test & Fix
Production
Test, Fix
Monitor
Test
Registry
Build Deploy
Get artifacts
Ge public & private artifacts
SDLC Pipeline
- 16. Defence
in Depth
Further practices
and tech to
consider.
Images
Runtime
Kubernetes
Minimize Footprint
Don’t give hackers more tools to expand their exploits
Layer Housekeeping
Understand how layers work at build and run-time
Build strategies
Multi-Stage, repeatable builds, standardized labeling,
alternative tools
Secure Supply Chain
Know where images come from.
Only CI should push to registries.
- 17. Defence
in Depth
Further practices
and tech to
consider.
Images
Runtime
Kubernetes
Don’t run as root
You probably don’t need it.
Privileged Containers
You almost definitely don’t need it.
Drop capabilities
Most apps don’t need even Linux capabilities;
dropping all and allow only what’s needed.
Read Only Root Filesystem
Immutability makes exploiting your container harder.
Deploy from known sources
Pull from known registries only.
- 18. Defence
in Depth
Further practices
and tech to
consider.
Images
Runtime
Kubernetes
Secrets
Use them but make sure they’re encrypted and have
RBAC applied
RBAC
Hopefully everybody is using this.
SecurityContext
Much of the Runtime practices mentioned can be
enforced via SC
Network Policy
Start with zero-trust and add allow rules only as
necessary.
Enforcement
Use OPA (Gatekeeper), Kyverno, etc
- 19. Key Takeaways
Just like unit tests, fast, actionable
security feedback is critical.
Working security into a developer’s
workflow without slowing them
down drives adoption.
Feedback Loop
Giving developers tools that
provide actionable information can
allow them to deal with security
issues as they are introduced.
Empower developers
to be proactive
Implementing known secure
practices for building and running
your container images and IaC
configurations can mitigate
vulnerabilities that slip into
deployments as well as zero-day
vulnerabilities that may exist.
Defence in depth
- 20. References:
● Kubernetes SecurityContext Cheatsheet: https://snyk.co/udW5K
● Dockerfile Best Practices: https://docs.docker.com/develop/develop-images/dockerfile_best-practices
● Using multi-stage builds: https://docs.docker.com/develop/develop-images/multistage-build
● OPA Gatekeeper: https://open-policy-agent.github.io/gatekeeper/website/docs
● Kyverno: https://kyverno.io
● PodSecurityPolicy Deprecation: Past, Present, and Future: https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future
● CNCF Certification Curriculum: https://github.com/cncf/curriculum
● Snyk Kubernetes “Quick hit” videos: https://youtube.com/playlist?list=PLQ6IC7glz4-UA4uKQOhmAxh6Mhvr3m4g-
Thank you!
@ericsmalling