devopsdays-tel-aviv
Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.
Securing your code when you don’t even know where it is
Liz Rice
@lizrice | @aquasecteam
2@lizrice
Traditional process
Create software
Deploy
Patch
Provision servers
Server drift
time
state
DevOps happened!
■ Infrastructure as code
■ Containers
■ CI / CD
Cattle not pets
Pipeline process builds “cattle”
Create software
Build images
Deploy
Security is a concern when deploying containers
88% agree (Sonatype 2017 DevSecOps Survey)
Hundreds of microservices
Thousands of containers
Average container life ~ 2.5 days
/bin /lib /usr /opt /var
/bin /lib /usr /var
/bin /opt /usr /var
Dependencies in every container
Applying patches to containers?
Pipeline process
Create software
Build images
Deploy
Immutable: never modify
Always move in this direction
Scan for vulnerabilities
Create software
Build images
Deploy
Image policies
Create software
Build images
Deploy
✓ ✓
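The two ticks above stand for the gate between "build images" and "deploy": an image only moves forward when its scan result satisfies the image policy. As an added illustration (not code from the talk or from any Aqua product), the following Python evaluates a constructed, simplified scan report against such a policy; the report shape, the vulnerability ids and the policy fields are all assumptions for this example.

```python
import json
from dataclasses import dataclass

# Constructed scan report in a simplified shape; not any real scanner's output format.
SCAN_REPORT = json.loads("""
{
  "image": "registry.example/hello:1.4.2",
  "vulnerabilities": [
    {"id": "VULN-A", "package": "openssl", "severity": "HIGH", "fixed_version": "1.1.1-fix"},
    {"id": "VULN-B", "package": "libc", "severity": "MEDIUM", "fixed_version": null},
    {"id": "VULN-C", "package": "curl", "severity": "CRITICAL", "fixed_version": null}
  ]
}
""")

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class ImagePolicy:
    # Hypothetical policy fields for this example.
    block_at: str = "HIGH"              # a vuln WITH a fix blocks from this severity up
    block_unfixed_at: str = "CRITICAL"  # a vuln WITHOUT a fix blocks only from this severity up
    allow_ids: tuple = ()               # accepted-risk exceptions, recorded outside the pipeline


def evaluate(report, policy):
    """Return (allowed, reasons); reasons lists every vulnerability that violates the policy."""
    reasons = []
    for v in report["vulnerabilities"]:
        if v["id"] in policy.allow_ids:
            continue  # explicitly accepted risk, skip
        rank = SEVERITY_RANK.get(v["severity"].upper(), 0)
        fixable = v.get("fixed_version") is not None
        # Fixable findings are held to the stricter threshold: rebuild the image, never patch it in place.
        threshold = policy.block_at if fixable else policy.block_unfixed_at
        if rank >= SEVERITY_RANK[threshold]:
            state = f"fix available: {v['fixed_version']}" if fixable else "no fix yet"
            reasons.append(f"{v['id']} {v['package']} {v['severity']} ({state})")
    return (not reasons, reasons)


if __name__ == "__main__":
    allowed, reasons = evaluate(SCAN_REPORT, ImagePolicy())
    print("deploy allowed" if allowed else "deploy blocked:")
    for r in reasons:
        print("  -", r)
```

With the default policy the sample image is blocked twice (the fixable HIGH and the unfixed CRITICAL); a fix lands by rebuilding the image and re-running the gate, not by patching the running container.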
What about the hosts?
Hosts
Host OS
Automated testing
Recycling
Intrusion detection
Wait, there’s more!
Reducing images
Reducing image size
■ Few tools needed in containers
■ Smaller attack surface
FROM scratch
EXPOSE 8080
COPY hello /
COPY templates templates
CMD ["/hello"]
Microservice network segmentation
■ Restrict communication between microservices
■ Encrypted connections
Runtime protection
■ Restrict container activity
■ Prevent anomalous / suspicious behaviour
Shellshock demo
What about Serverless?
Serverless security
■ If you don’t have to worry about the servers, do you have to worry about server security?
Serverless
■ Managed services
■ Functions
Functions in containers
Cloud Native Security Advantages
Container security advantages
■ Decomposition of the problem
■ Additional layers of defence
■ Continuous deployment
■ Shorter attack window
■ Community best practices
■ Dedicated container security tools
Room for improvement in container security
80% agree (Aqua Security 2017 Survey)
“Containers … require a more collaborative
approach by security and DevOps teams.”
“Organizations would do well to embed
security early into the process”
Continuous integration
Continuous deployment
Continuous security
aquasec.com/survey
github.com/aquasecurity/kube-bench