Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP

Size: px

Start display at page:

Download "Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP"

Beverly Barton
6 years ago
Views:

1 Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP

2 # whoami BlueCoat-> Symantec Director,

3 I know, I ll use Ruby on Rails! * Thanks To Jim Brickman@gruntwork.io

4 > gem install rails

5 > gem install rails Fetching: i18n gem (100%) Fetching: json gem (100%) Building native extensions. This could take a while... ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb creating Makefile make sh: 1: make: not found

6 Ah, I just need to install make

7 > sudo apt-get install make... Success!

8 > gem install rails

9 > gem install rails Fetching: nokogiri gem (100%) Building native extensions. This could take a while... ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb checking if the C compiler accepts... yes Building nokogiri using packaged libraries. Using mini_portile version rc2 checking for gzdopen() in -lz... no zlib is missing; necessary for building libxml2 *** extconf.rb failed ***

10 Hmm. Time to visit StackOverflow.

11 > sudo apt-get install zlib1g-dev... Success!

12 > gem install rails

13 > gem install rails Building native extensions. This could take a while... ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb checking if the C compiler accepts... yes Building nokogiri using packaged libraries. Using mini_portile version rc2 checking for gzdopen() in -lz... yes checking for iconv... yes Extracting libxml tar.gz into tmp/x86_64-pc-linuxgnu/ports/libxml2/ OK *** extconf.rb failed ***

14 okogiri, why do you never install correctly?

15 > gem install rails... Success!

16 > rails new my-project > cd my-project > rails start

17 Finally It Works!

19 You use the AWS Console to deploy an EC2 instance

20 > ssh _ ) _ ( / Amazon Linux AMI \ [ec2-user@ip ~]$ gem install rails ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb

22 Spend 2 hours trying weird & random suggestions Replicate your dev environment in AMI

24 Now you urgently have to update all your Rails installations

25 > bundle update rails

26 > bundle update rails Building native extensions. This could take a while... ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb checking if the C compiler accepts... yes Building nokogiri using packaged libraries. Using mini_portile version rc2 checking for gzdopen() in -lz... yes checking for iconv... yes Extracting libxml tar.gz into tmp/x86_64-pc-linuxgnu/ports/libxml2/ OK *** extconf.rb failed ***

28 What Are Containers Containers to the rescue? Container [kuhn-tay-ner], noun Form of application deployment. Making a process think that it has the complete operating system & Dependencies for itself.

29 Why Should you care? Docker Hosts Source: Datadog usage stats

30 Up in Seconds Massive Scale Runs Anywhere

31 How to create a containerized application?.net < / >

32 SECURING CONTAINERS ON THE HOST Control Groups Namespaces CPU Capabilities

33 Lets deploy our Ruby application as a container

35 Dockerfile Example < / >

36 August 16 th 2017

37 September 7 th 2017 Exploited Apache Struts Vulnerability 143 Million customers impacted Attack occurred from mid May to July prior to detection Equifax hack shaved $4B, or about 25% of the company market cap

38 CVE /5638 in a nutshell 1) Apache Struts framework for dynamic web content 2) Arbitrary RCE if REST communication plugin enabled 3) The weakness is caused by how Xstream deserializes untrusted data represented as XML

39 OWASP #1 Injection is #1 application attack vector

40 Demo Scenario With Containers Victim Container Apache Struts server using vulnerable struts Attacker Container exploit CVE using the victim as target Python based exploit Uploads a simple web shell as a web application to the victim

42 Demo

43 What if Equifax were using containers? Attack Success Criteria 1. Compromise server 2. Remain persistent 3. Access additional internal resources 4. Exfiltration of sensitive (PII) data

44 Container Compromised and Not Host Container breakout = kernel exploit Less persistent (Average container life 6 hours!) Minimal lateral network movement Micro Service = Reduced Attack Surface

46 Shrink Wrapping Container Each Micro-services should do very little Learn normal behavior and block anything else (Shell.war) Segment networking on, and between containers on same host Secrets File Use Volumes Business Function User Privileges Resource Use Network Use Image Integrity Executables Learn and Apply Least Privileges

47 So... Do Containers Enhance Security?

49 .NET < / > Read Only Docker Image Docker Host

Container Security Concerns Developer Controls

vulnerabilities East To West Traffic Privilege

) Host resource impact :(){ : :& };: Secrets

51 Container Security Concerns Developer Controls Full Stack Unauthorized images Open Source vulnerabilities East To West Traffic Privilege escalation (Dirtyc0w?) Host resource impact :(){ : :& };: Secrets Management Authenticate d User Applicati on Attacker Applicatio n Host 1 Host 2

52 Call To Action

53 Thank You!

Waratek Runtime Protection Platform

Waratek Runtime Protection Platform Cirosec TrendTage - March 2018 Waratek Solves the Application Security Problems That No One Else Can Prateep Bandharangshi Director of Client Security Solutions March,