Securing your code when you don't even know where it is - Liz Rice - DevOpsDays Tel Aviv 2017

Post on 22-Jan-2018


Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

Securing your code when you don’t even know where it is

Liz Rice

@lizrice | @aquasecteam

2@lizrice


Traditional process

Create software

Deploy

Patch

Provision servers


Server drift

[chart: server state drifting over time]


DevOps happened!

■ Infrastructure as code

■ Containers

■ CI / CD


Cattle not pets


Pipeline process builds “cattle”

Create software

Build images

Deploy


Security is a concern when deploying containers

88% agree (Sonatype 2017 DevSecOps Survey)


Hundreds of microservices

Thousands of containers

Average container life ~ 2.5 days


/bin /lib /usr /opt /var

/bin /lib /usr /var

/bin /opt /usr /var

Dependencies in every container


Applying patches to containers?


Pipeline process

Create software

Build images

Deploy

Immutable: never modify

Always move in this direction


Scan for vulnerabilities

Create software

Build images

Deploy


Image policies

Create software

Build images

Deploy


What about the hosts?


Hosts

Host OS

Automated testing

Recycling

Intrusion detection


Wait, there’s more!

Reducing images


Reducing image size

■ Few tools needed in containers

■ Smaller attack surface

FROM scratch
EXPOSE 8080
COPY hello /
COPY templates templates
CMD ["/hello"]
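The slide's Dockerfile assumes `hello` is already a binary that can run with no libc, shell or package manager underneath it. As an added example (not from the talk), this multi-stage Dockerfile shows how that binary is typically produced and then copied into the empty `scratch` base, so the build toolchain never ships in the runtime image; it assumes `hello` is a Go program in the build context and uses the `golang:1.21` image as the build stage.

```dockerfile
# Stage 1: build stage (assumed: a Go program in the build context).
# The compiler, module cache and source stay in this stage only.
FROM golang:1.21 AS build
WORKDIR /src
COPY . .
# CGO_ENABLED=0 produces a statically linked binary, so the final image
# needs no libc; -s -w strips symbol tables and DWARF debug info.
ENV CGO_ENABLED=0
RUN go build -ldflags="-s -w" -o /out/hello .

# Stage 2: runtime stage, same shape as the slide's Dockerfile.
# scratch contains nothing: no shell, no package manager, no /etc/passwd,
# so there is almost nothing for an attacker to use once inside.
FROM scratch
EXPOSE 8080
COPY --from=build /out/hello /
COPY templates templates
# Run as an unprivileged numeric uid/gid; a numeric USER works even though
# scratch has no /etc/passwd to resolve a name against.
USER 65534:65534
CMD ["/hello"]
```

Because there is no shell in the final image, `docker exec -it <container> sh` will not work; treat that as a feature and rely on logs and the runtime controls discussed later rather than on interactive debugging inside the container.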


Microservice network segmentation

■ Restrict communication between microservices

■ Encrypted connections


Runtime protection

■ Restrict container activity

■ Prevent anomalous / suspicious behaviour

Shellshock demo

What about Serverless?


Serverless security

■ If you don’t have to worry about the servers, do you have to worry about server security?


Serverless

■ Managed services

■ Functions


Functions in containers

Cloud Native Security Advantages


Container security advantages

■ Decomposition of the problem

■ Additional layers of defence

■ Continuous deployment

■ Shorter attack window

■ Community best practices

■ Dedicated container security tools


Room for improvement in container security

80% agree (Aqua Security 2017 Survey)


“Containers … require a more collaborative approach by security and DevOps teams.”


“Organizations would do well to embed security early into the process”


Continuous integration

Continuous deployment

Continuous security


aquasec.com/survey

github.com/aquasecurity/kube-bench