do containers enhance application level security
play

Do Containers Enhance Application Level Security? Benjy Portnoy, - PowerPoint PPT Presentation

Jan 21, 2024 •412 likes •960 views

Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP # whoami BlueCoat-> Symantec Director, DevSecOps @AquaSecTeam I know, Ill use Ruby on Rails! * Thanks To Jim Brickman@gruntwork.io > gem install rails

  1. Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP

  2. # whoami BlueCoat-> Symantec Director, DevSecOps @AquaSecTeam

  3. I know, I’ll use Ruby on Rails! * Thanks To Jim Brickman@gruntwork.io

  4. > gem install rails

  5. > gem install rails Fetching: i18n-0.7.0.gem (100%) Fetching: json-1.8.3.gem (100%) Building native extensions. This could take a while... ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb creating Makefile make sh: 1: make: not found

  6. Ah, I just need to install make

  7. > sudo apt-get install make ... Success!

  8. > gem install rails

  9. > gem install rails Fetching: nokogiri-1.6.7.2.gem (100%) Building native extensions. This could take a while... ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb checking if the C compiler accepts ... yes Building nokogiri using packaged libraries. Using mini_portile version 2.0.0.rc2 checking for gzdopen() in -lz... no zlib is missing; necessary for building libxml2 *** extconf.rb failed ***

  10. Hmm. Time to visit StackOverflow.

  11. > sudo apt-get install zlib1g-dev ... Success!

  12. > gem install rails

  13. > gem install rails Building native extensions. This could take a while... ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb checking if the C compiler accepts ... yes Building nokogiri using packaged libraries. Using mini_portile version 2.0.0.rc2 checking for gzdopen() in -lz... yes checking for iconv... yes Extracting libxml2-2.9.2.tar.gz into tmp/x86_64-pc-linux- gnu/ports/libxml2/2.9.2... OK *** extconf.rb failed ***

  14. Nokogiri, why do you never install correctly?

  15. > gem install rails ... Success!

  16. > rails new my-project > cd my-project > rails start

  17. Finally It Works!

  19. You use the AWS Console to deploy an EC2 instance

  20. > ssh ec2-user@ec2-12-34-56-78.compute-1.amazonaws.com __| __|_ ) _| ( / Amazon Linux AMI ___|\___|___| [ec2-user@ip-172-31-61-204 ~]$ gem install rails ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb

  22. Spend 2 hours trying weird & random suggestions Replicate your dev environment in AMI

  24. Now you urgently have to update all your Rails installations

  25. > bundle update rails

  26. > bundle update rails Building native extensions. This could take a while... ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb checking if the C compiler accepts ... yes Building nokogiri using packaged libraries. Using mini_portile version 2.0.0.rc2 checking for gzdopen() in -lz... yes checking for iconv... yes Extracting libxml2-2.9.2.tar.gz into tmp/x86_64-pc-linux- gnu/ports/libxml2/2.9.2... OK *** extconf.rb failed ***

  28. What Are Containers Containers to the rescue? Container [kuhn-TAY-ner] , noun Form of application deployment. Making a process think that it has the complete operating system & Dependencies for itself.

  29. Why Should you care? Docker Hosts Source: Datadog usage stats

  30. Up in Seconds Massive Scale Runs Anywhere

  31. How to create a containerized application? .NET < / >

  32. SECURING CONTAINERS ON THE HOST Control Groups Namespaces CPU Capabilities

  33. Lets deploy our Ruby application as a container

  35. Dockerfile Example < / >

  36. August 16 th 2017

  37. September 7 th 2017 • Exploited Apache Struts Vulnerability • 143 Million customers impacted • Attack occurred from mid May to July prior to detection • Equifax hack shaved $4B, or about 25% of the company market cap

  38. CVE-2017-9805/5638 in a nutshell 1) Apache Struts framework for dynamic web content 2) Arbitrary RCE if REST communication plugin enabled 3) The weakness is caused by how Xstream deserializes untrusted data represented as XML

  39. OWASP #1 Injection is #1 application attack vector

  40. Demo Scenario With Containers Victim Container • Apache Struts server using vulnerable struts-2.3.24 Attacker Container • exploit CVE-2017-9805 using the victim as target • Python based exploit • Uploads a simple web shell as a web application to the victim

  42. Demo

  43. What if Equifax were using containers? Attack Success Criteria 1. Compromise server 2. Remain persistent 3. Access additional internal resources 4. Exfiltration of sensitive (PII) data

  44. Container Compromised and Not Host • Container breakout = kernel exploit • Less persistent (Average container life 6 hours!) • Minimal lateral network movement • Micro Service = Reduced Attack Surface •

  46. Shrink Wrapping Container • Each Micro-services should do very little • Learn normal behavior and block anything else ( Shell.war ) • Segment networking on, and between containers on same host File Use Business Volumes Secrets Function Resource Use User Privileges Network Use Executables Image Integrity Lear Le arn an and A Apply ly Le Leas ast P Privile ivileges

  47. So... Do Containers Enhance Security?

  49. .NET Read Only < / > Docker Image Docker Host

  51. Container Security Concerns • Developer Controls Full Stack • Unauthorized images Attacker Applicati on Applicatio • Open Source vulnerabilities n • East To West Traffic Authenticate d User Host 1 Host 2 • Privilege escalation (Dirtyc0w?) • Host resource impact :(){ :|:& };: • Secrets Management

  52. Call To Action

  53. Thank You! Benjy@aquasec.com

Recommend

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. How do

823 views • 25 slides
Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega @jmortegac Agenda Introduction to containers security Linux Containers(LXC) Docker Security Security pipeline &amp;&amp; Container

807 views • 57 slides
Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day David Harper Practice Principal Fortify on Demand #MicroFocusCyberSummit Agenda The Application Security Problem Security Gate Secure DevOps

37.39k views • 30 slides
Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs Google Wisdom: VMs and Containers are similar but different Try running containers in VMs for security Containers are best for scale-out

314 views • 17 slides
Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs

Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs

Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs Editor of Lean Out #RVASec @ElissaBeth on twitter @Elissa_is_offmessage on Instagram this was Silicon Valley in 2011 Containers are eating

954 views • 66 slides
Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False?

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False?

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False? Containers are inherently insecure. Some Learnings from an Enterprise Study 94%: Containers have security implications 31%: Worried

490 views • 24 slides
Containers: Design, Application &amp; Hands-on CS 695 - Presentation 2 Getting Your Attention !

Containers: Design, Application &amp; Hands-on CS 695 - Presentation 2 Getting Your Attention !

Containers: Design, Application &amp; Hands-on CS 695 - Presentation 2 Getting Your Attention ! Todays talk will be applicable to many domains in CS Cloud providers IAAS, PAAS HPC and Big Data Support for heavy compute in

543 views • 40 slides
Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12

Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12

Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12 2019 Maya Kaczorowski Security PM, Google Cloud @MayaKaczorowski Objection: My security team is opposed to containers and Kubernetes 3

649 views • 41 slides
Application Delivery and Release Management Honestbee @vincentdesmet with Containers, Kubernetes

Application Delivery and Release Management Honestbee @vincentdesmet with Containers, Kubernetes

Application Delivery and Release Management Honestbee @vincentdesmet with Containers, Kubernetes and Helm Grocery and Food delivery Honestbee We are Hiring DevOps! Overview Context &amp; overview of Containers (Docker) - Container

658 views • 55 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: https://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

1.31k views • 11 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: http://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

981 views • 10 slides
Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com Containers are great Containers are resource efficient Containers make deployment easy Containers can be monitored easily Containers are secure But are

508 views • 38 slides
CS 4803 Network Computer and Network Security Lower level Alexandra (Sasha) Boldyreva

CS 4803 Network Computer and Network Security Lower level Alexandra (Sasha) Boldyreva

Network layers Application Transport CS 4803 Network Computer and Network Security Lower level Alexandra (Sasha) Boldyreva IPsec 1 2 Roughly Examples Application layer: the communicating processes themselves and

415 views • 5 slides
Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

IN3210 Network Security Web Application Security Attacks on the Web Attacker Web User Application Web Database Web Server Application 2 The OWASP Foundation The Open Web Application Security Project (OWASP) is a 501(c)(3)

1.21k views • 60 slides
Scalable and Lightweight CTF Infrastructures Using Application Containers Arvind S Raj, Bithin

Scalable and Lightweight CTF Infrastructures Using Application Containers Arvind S Raj, Bithin

Existing game infrastructures Docker Container-based game infrastructure Evaluation Future work Conclusion Scalable and Lightweight CTF Infrastructures Using Application Containers Arvind S Raj, Bithin Alangot, Seshagiri Prabhu and

400 views • 38 slides
EVALUATING OPENSTACK CONTAINERS AS A SERVICE MAGNUM FOR PRODUCTION Rosario Di Somma WHY

EVALUATING OPENSTACK CONTAINERS AS A SERVICE MAGNUM FOR PRODUCTION Rosario Di Somma WHY

EVALUATING OPENSTACK CONTAINERS AS A SERVICE MAGNUM FOR PRODUCTION Rosario Di Somma WHY CONTAINERS? Rapid application deployment Portability across machines Version control and component reuse Sharing Lightweight footprint

623 views • 12 slides
Surviving the Zombie Apocalypse Security in the Cloud Containers, KVM and Xen Ian Jackson

Surviving the Zombie Apocalypse Security in the Cloud Containers, KVM and Xen Ian Jackson

Surviving the Zombie Apocalypse Security in the Cloud Containers, KVM and Xen Ian Jackson &lt;ian.jackson@eu.citrix.com&gt; FOSDEM 2015 originally based on a talk and research by George Dunlap &quot;Some people make the mistake of thinking

328 views • 6 slides
Toward Full Specialization of the HPC System Software Stack: Reconciling Application Containers

Toward Full Specialization of the HPC System Software Stack: Reconciling Application Containers

Toward Full Specialization of the HPC System Software Stack: Reconciling Application Containers and Lightweight Multi-kernels Balazs Gerofi , Yutaka Ishikawa , Rolf Riesen , Robert W. Wisniewski bgerofi@riken.jp RIKEN Advanced

485 views • 29 slides
1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

12.03.2019 Docker security 1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami M.Sc Computer Security M.Sc Software Development Worked previously as an embedded software developer Actually

586 views • 54 slides
Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni (@jpetazzo) French software engineer living in California Joined Docker (dotCloud) more than 4 years ago (I was at Docker before it was cool! ) I built

420 views • 38 slides
SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54 What are Containers? A package/image that can be deployed anywhere (thats running a Linux Kernel) Developers create a layered image of their

996 views • 53 slides
Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at

Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at

Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at BlaBlaCar pgDay Paris, Mar 15, 2018 BlaBlaCar Overview Todays agenda PostgreSQL usage at BlaBlaCar Switching to a new implementation

844 views • 40 slides
General Services Administration Contractor Procurement of GSA-Approved Security Containers

General Services Administration Contractor Procurement of GSA-Approved Security Containers

General Services Administration Contractor Procurement of GSA-Approved Security Containers Procurement Steps 6/15/2020 2 1. Authorization to store classified information GSA Order OGP 4100.21 allows for contractors to procure through the

180 views • 17 slides
Persistent storage for Containers Anil Degwekar What are we talking about? Containers have

Persistent storage for Containers Anil Degwekar What are we talking about? Containers have

Persistent storage for Containers Anil Degwekar What are we talking about? Containers have become popular replacing many Physical / Virtual Machine use cases But: The persistent storage problem for containers is still not fully solved

1.01k views • 17 slides

More recommend