Murray Goldschmidt. Chief Operating Officer Sense of Security Pty Ltd. Micro Services, Containers and Serverless PaaS Web Apps? How safe are you?

Size: px

Start display at page:

Download "Murray Goldschmidt. Chief Operating Officer Sense of Security Pty Ltd. Micro Services, Containers and Serverless PaaS Web Apps? How safe are you?"

Alexandra Warren
5 years ago
Views:

1 Murray Goldschmidt Chief Operating Officer Sense of Security Pty Ltd Micro Services, Containers and Serverless PaaS Web Apps? How safe are you?

2 A G E N D A Serverless, Microservices and Container Security Key Implications for Penetration Testing Programs Key Security features for Container Deployments 4 CI/CD Integration for Automated Security End to End Vulnerability Management Continuous Monitoring, Governance & Compliance Reporting Page 2

3 14-Sep-18 Are Containers As Good as it Gets? Cloud containers are designed to virtualize a single application *** Modified *** Page 3

4 As Good as it Gets? e.g., you have a MySQL container and that's all it does, provide a virtual instance of that application. *** Modified *** Page 4

5 As Good as it Gets? Containers ***SHOULD*** create an isolation boundary at the application level rather than at the server level. *** Modified *** Page 5

6 As Good as it Gets? This isolation ***SHOULD*** mean that if anything goes wrong in that single container (e.g., excessive consumption of resources by a process) it only affects that individual container and not the whole VM or whole server. *** Modified *** Page 6

7 Page 7

8 Container Security Tech Neutral Security Requirements Intrinsic Security of the Kernel Attack Surface Reduction Container Configuration Hardening of the Kernel and how it interacts with Containers Addressed By Supply Chain Risk Mgt/ Vuln Mgt/ CaaS Hardening/Config Mgt/Vuln Mgt Configuration Management Hardening Page 8

9 Monolithic vs Microservices Architecture Page 9

10 Monolithic vs Microservices Architecture Page 9

11 Monolithic vs Microservices Architecture Page 9

12 Monolithic vs Micro Services (API Centric) Page 10

13 Monolithic vs Micro Services (API Centric) Page 10

14 Example: Microsoft eshop Reference Architecture Page 11

15 Example: Microsoft eshop Reference Architecture Page 12

c o n t. C o n t. C o n t. C o n t. C o n t N c o n t.

M V M Hardware Host OS V M V M V M V M V M

t 2 C o n t 3 C o n t 4 C o n t N Container

16 VM vs. Containers (where the abstraction occurs) VM c o n t. C o n t. C o n t. C o n t. C o n t N c o n t. C o n t. C o n t. C o n t. C o n t N Hardware Hypervisor 1 V M V M V M V M V M Hardware Host OS V M V M V M V M V M Hypervisor 2 Hardware Host OS c o n t 1 C o n t 2 C o n t 3 C o n t 4 C o n t N Container Engine Dep 1 Dep 2 Guest OS Dependencies Application Container App. Deps. Application ABC Virtualisation Containerisation Type1 Bare Metal Type 2

17 Page 15

18 Page 16

19 Page 17

20 Page 18

21 Page 18

22 Page 18

23 Page 18

24 Page 18

25 Page 18

26 Page 18

27 Page 18

28 Page 18

29 Page 18

30 Page 18

31 Page 20

32 Developers Page 21

33 Hackers Page 22

34 Hooking Lowest Wins Page 23

35 North-South & East-West Attacks and Pivots Page 24

36 Break-In Page 25

37 Entry Point is usually a Pin Hole issue For example a known application issue Page 25

38 Page 26

39 Containers The Contained Challenge IF you can Break-In You then Need to Break-Out Page 27

40 Break-Out <gowest goeast> Page 28

41 Either Find a Container Vuln & Exploit Page 29

42 Or - Living off the Land Relying on misconfiguration, ability to use native tools, or download new and execute Page 30

43 Page 31

44 Page 32

45 Page 33

46 Page 36

47 Page 37

48 Container TTL Page 37

49 09-Oct-18 Sense of Security Content Slide Layout Page 38

50 09-Oct-18 Sense of Security Content Slide Layout Page 38

51 09-Oct-18 Sense of Security Content Slide Layout Page 39

52 How to Upgrade your Vuln Mgt Program What to expect from a Pen Test Supply Chain Risk Implications for CaaS DevSecOps Page 41

53 Pen Test Mechanical Attack vs Knowledge & Finesse Page 42

54 Monolithic vs Microservices Architecture Page 9

55 Sense of Security Page 45

56 Sense of Security Page 45

57 Page 9

58 09-Oct-18 Sense of Security Page 46

59 09-Oct-18 Sense of Security Page 46

60 Page 47

61 Page 48

62 Page 48

63 Page 49

64 Load Balancing Perimeter Public Functions Page 9

65 09-Oct-18 Sense of Security Page 53

66 09-Oct-18 Sense of Security Page 53

67 09-Oct-18 Sense of Security Page 53

68 09-Oct-18 Sense of Security Page 53

69 09-Oct-18 Sense of Security Page 53

70 09-Oct-18 Sense of Security Hack Transformation Page 54

71 09-Oct-18 Sense of Security Hack Transformation Page 54

72 09-Oct-18 Sense of Security Hack Transformation Page 54

73 09-Oct-18 Sense of Security Hack Transformation Page 54

74 -security/next-generationfirewall-vs-container-firewall/ Page 54

75 Security Testing Needs to Go Down The Stack

76 Security Testing Needs to Go Down The Stack User Interface (WebApps, forms, logons, API s)

77 Security Testing Needs to Go Down The Stack User Interface (WebApps, forms, logons, API s) Framework (Struts, Spring,.NET)

78 Security Testing Needs to Go Down The Stack User Interface (WebApps, forms, logons, API s) Framework (Struts, Spring,.NET) Language (Java, PHP,.NET)

79 Security Testing Needs to Go Down The Stack User Interface (WebApps, forms, logons, API s) Framework (Struts, Spring,.NET) Language (Java, PHP,.NET) AppServer (IIS, Apache, Nginx)

80 Security Testing Needs to Go Down The Stack User Interface (WebApps, forms, logons, API s) Framework (Struts, Spring,.NET) Language (Java, PHP,.NET) AppServer (IIS, Apache, Nginx) Process UI (Container, presentation layer)

81 Security Testing Needs to Go Down The Stack User Interface (WebApps, forms, logons, API s) Framework (Struts, Spring,.NET) Language (Java, PHP,.NET) AppServer (IIS, Apache, Nginx) Process UI (Container, presentation layer) Process App (Container, application processing)

82 Security Testing Needs to Go Down The Stack User Interface (WebApps, forms, logons, API s) Framework (Struts, Spring,.NET) Language (Java, PHP,.NET) AppServer (IIS, Apache, Nginx) Process UI (Container, presentation layer) Process App (Container, application processing) Process BackEnd (Container, database)

83 Security Testing Needs to Go Down The Stack User Interface (WebApps, forms, logons, API s) Framework (Struts, Spring,.NET) Language (Java, PHP,.NET) AppServer (IIS, Apache, Nginx) Process UI (Container, presentation layer) Process App (Container, application processing) Process BackEnd (Container, database) Operating System (Linux, Windows)

84 Security Testing Needs to Go Down The Stack User Interface (WebApps, forms, logons, API s) Framework (Struts, Spring,.NET) Language (Java, PHP,.NET) AppServer (IIS, Apache, Nginx) Process UI (Container, presentation layer) Process App (Container, application processing) Process BackEnd (Container, database) Operating System (Linux, Windows) Clustering/Orchestration (CaaS, Swarm, Kubernetes)

85 Security Testing Needs to Go Down The Stack User Interface (WebApps, forms, logons, API s) Framework (Struts, Spring,.NET) Language (Java, PHP,.NET) AppServer (IIS, Apache, Nginx) Process UI (Container, presentation layer) Process App (Container, application processing) Process BackEnd (Container, database) Operating System (Linux, Windows) Clustering/Orchestration (CaaS, Swarm, Kubernetes) Networking (SDN, SecGroups)

86 Security Testing Needs to Go Down The Stack User Interface (WebApps, forms, logons, API s) Framework (Struts, Spring,.NET) Language (Java, PHP,.NET) AppServer (IIS, Apache, Nginx) Process UI (Container, presentation layer) Process App (Container, application processing) Process BackEnd (Container, database) Operating System (Linux, Windows) Clustering/Orchestration (CaaS, Swarm, Kubernetes) Networking (SDN, SecGroups) Cloud Platform

87 Security Testing Needs to Go Down The Stack User Interface (WebApps, forms, logons, API s) Framework (Struts, Spring,.NET) Language (Java, PHP,.NET) AppServer (IIS, Apache, Nginx) Process UI (Container, presentation layer) Process App (Container, application processing) Process BackEnd (Container, database) Operating System (Linux, Windows) Clustering/Orchestration (CaaS, Swarm, Kubernetes) Networking (SDN, SecGroups) Cloud Platform Core Infrastructure

88 Security Testing Needs to Go Down The Stack User Interface (WebApps, forms, logons, API s) Framework (Struts, Spring,.NET) Language (Java, PHP,.NET) AppServer (IIS, Apache, Nginx) Process UI (Container, presentation layer) Process App (Container, application processing) Process BackEnd (Container, database) Operating System (Linux, Windows) Clustering/Orchestration (CaaS, Swarm, Kubernetes) Networking (SDN, SecGroups) Cloud Platform Core Infrastructure

89 Security Testing Needs to Go Down The Stack User Interface (WebApps, forms, logons, API s) Framework (Struts, Spring,.NET) Language (Java, PHP,.NET) AppServer (IIS, Apache, Nginx) Process UI (Container, presentation layer) Process App (Container, application processing) Process BackEnd (Container, database) Operating System (Linux, Windows) Clustering/Orchestration (CaaS, Swarm, Kubernetes) Networking (SDN, SecGroups) Cloud Platform Core Infrastructure

90 Finesse Page 56

91 Page 58

92 Page 58

93 Page 59

94 There are Pen Tests & There are Pen Tests! Lower Cost Predictable Even if a Web App/Service Pen Test not suitable for current technologies Doesn t really assess the threats More North-South than East-West Check Box More considered Requires expert capability, R&D Requires understanding of the full stack incl implications of -aas Requires persistence in an ephemeral setting Yes it will cost more Assurance, Validation & Compliance Page 60

95 Blue Team: Key Steps to App Container Security 1 End-to-End Vulnerability Management 2 Container Attack Surface Reduction 3 User Access Control 4 Hardening the Host OS & the Container 5 SDLC Automation (DevOps)

96 Automated Vuln Mgt SHIFT LEFT Build API s & Plug-ins Third Party Components Vuln Mgt Automation Registry Automated Scan of Pub/Priv Registry Image adapted from Qualys materials Host Compliance Scanning OS CaaS Runtime Audit logging Event logging

97 Container Security Lifecycle Management & Compliance Summary Adapted from: Ten Basic Steps To Secure Software Containers, Instructions For Safely Developing And Deploying Software In Containers, by Amy DeMartine and Dave Bartoletti April 14, 2017

98 Container Security Lifecycle Management & Compliance Summary Develop / Build Test / Modify Release / Production Adapted from: Ten Basic Steps To Secure Software Containers, Instructions For Safely Developing And Deploying Software In Containers, by Amy DeMartine and Dave Bartoletti April 14, 2017

99 Container Security Lifecycle Management & Compliance Summary Develop / Build Test / Modify Release / Production Use Trusted Images Reduce Attack Surface Third Party Components Mgt (SCA) Sign & Verify Images Privileged Access & Auth Mgt Adapted from: Ten Basic Steps To Secure Software Containers, Instructions For Safely Developing And Deploying Software In Containers, by Amy DeMartine and Dave Bartoletti April 14, 2017

100 Container Security Lifecycle Management & Compliance Summary Develop / Build Test / Modify Release / Production Use Trusted Images Reduce Attack Surface Third Party Components Mgt (SCA) Sign & Verify Images Privileged Access & Auth Mgt Network Segmentation User Authentication Vulnerability Scanning Harden the OS Adapted from: Ten Basic Steps To Secure Software Containers, Instructions For Safely Developing And Deploying Software In Containers, by Amy DeMartine and Dave Bartoletti April 14, 2017

101 Container Security Lifecycle Management & Compliance Summary Develop / Build Test / Modify Release / Production Use Trusted Images Reduce Attack Surface Third Party Components Mgt (SCA) Sign & Verify Images Privileged Access & Auth Mgt Network Segmentation User Authentication Vulnerability Scanning Harden the OS Ongoing SecOps Adapted from: Ten Basic Steps To Secure Software Containers, Instructions For Safely Developing And Deploying Software In Containers, by Amy DeMartine and Dave Bartoletti April 14, 2017

102 Container Security Lifecycle Management & Compliance Summary Develop / Build Test / Modify Release / Production Use Trusted Images Reduce Attack Surface Third Party Components Mgt (SCA) Sign & Verify Images Privileged Access & Auth Mgt Network Segmentation User Authentication Vulnerability Scanning Harden the OS Ongoing SecOps Advanced Security Controls Adapted from: Ten Basic Steps To Secure Software Containers, Instructions For Safely Developing And Deploying Software In Containers, by Amy DeMartine and Dave Bartoletti April 14, 2017

Sign & Verify Images Privileged Access & Auth Mgt Network Segmentation User Authentication

Management Adapted from: Ten Basic Steps To Secure Software Containers, Instructions For

103 Container Security Lifecycle Management & Compliance Summary Develop / Build Test / Modify Release / Production Use Trusted Images Reduce Attack Surface Third Party Components Mgt (SCA) Sign & Verify Images Privileged Access & Auth Mgt Network Segmentation User Authentication Vulnerability Scanning Harden the OS Ongoing SecOps Advanced Security Controls Vulnerability Management Adapted from: Ten Basic Steps To Secure Software Containers, Instructions For Safely Developing And Deploying Software In Containers, by Amy DeMartine and Dave Bartoletti April 14, 2017

104 Recap 1 Serverless, Microservices and Container Security CI/CD Integration for Automated Security 2 Key Implications for Penetration Testing Programs 4 End to End Vulnerability Management 3 Key Security features for Container Deployments Continuous Monitoring, Governance & Compliance Reporting Page 64

105

Overcoming the Challenges of Automating Security in a DevOps Environment

SESSION ID: LAB-W02 Overcoming the Challenges of Automating Security in a DevOps Environment Murray Goldschmidt Chief Operating Officer Sense of Security @ITsecurityAU Michael McKinnon Director, Commercial