Establishing Technology Trust in a Containerised World

Transcription

1 Tim Mackey Senior Technology Evangelist Black Duck by Synopsys Establishing Technology Trust in a ised World

2 Operations Development Design is Like Designing a New Car Engineers Design using internal and external components Production Assembles components into a vehicle Vehicle safety and assembly Tests ensure compliance Vehicle Delivery occurs using trusted carriers to dealerships Vehicle Deployment occurs at time of purchase Repair occurs using validated components

3 Security Service Abstracting Infra Means Reliance on Infra Security Control Domain VM VM Minimal OS Minimal OS Hypervisor Compute Networking Storage

4 Compromised Security Service Compromised Vulnerable But Doesn t Remove Responsibility For Security Control Domain VM VM VM Minimal OS Minimal OS Hypervisor Compute Minimal Networking OS Storage

5 Question Everything and Continually Reevaluate Trust Where does your base image actually come from? What is the health of that base image? You re updating it at build time, but from what cache? You trust your build servers, but who controls them? Is there any way a foreign container can start in your environment? Who has rights to modify container images? What happens if base image registry goes away? What happens if base image tag goes away? When a security disclosure happens what s the process to determine impact? How are images updated and deployed in the face of new security disclosures?

6 Example How Image Layer Cache Impacts Security project]# docker history scanner_base:4.2.0 IMAGE CREATED CREATED BY SIZE COMMENT 395dfd09d6d7 16 hours ago /bin/sh -c #(nop) EXPOSE 9036/tcp 0 B 6ccb88892a15 16 hours ago /bin/sh -c #(nop) ENTRYPOINT ["/scanner" 0 B 604fcdb13b57 16 hours ago /bin/sh -c #(nop) LABEL name=base scanner 0 B 5bf60b days ago /bin/sh -c #(nop) COPY file:0319ebe1148b5cefa 682 B fe23aeab7fcc 2 days ago /bin/sh -c #(nop) COPY file:e822182ba43798ba kb 9cdc179735ad 2 days ago /bin/sh -c #(nop) COPY file:e822182ba43798ba kb 57bd5e62be14 2 days ago /bin/sh -c #(nop) COPY dir:d9dc3b c MB a1cb8fd37a68 2 days ago /bin/sh -c #(nop) COPY file:98c69c969ee05b51b 6.14 MB 13855a218a3e 7 days ago /bin/sh -c #(nop) ENV PATH=/scan.cli-4.2.0/b 0 B 885efab8f9b5 7 days ago /bin/sh -c #(nop) ENV APP_HOME=/scan.cli B 1ed791e999b5 7 days ago /bin/sh -c #(nop) ARG BUILD 0 B 9dcb95a5ceb4 7 days ago /bin/sh -c #(nop) ARG BUILDTIME 0 B 8ada27a4da06 7 days ago /bin/sh -c #(nop) ARG LASTCOMMIT 0 B 7461b836791f 7 days ago /bin/sh -c #(nop) ARG bds_ver 0 B 4020be54fb0f 7 days ago /bin/sh -c yum -y update-minimal --security MB 208a012b6fe4 7 days ago /bin/sh -c #(nop) MAINTAINER Black Duck 0 B 196e0ce0c9fb 6 weeks ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0 B <missing> 6 weeks ago /bin/sh -c #(nop) LABEL name=centos Base Ima 0 B <missing> 6 weeks ago /bin/sh -c #(nop) ADD file:1ed4d1a29d09a636dd MB

7 latest latest Sha256:12345 Sha256:12345 latest latest Sha256:12345 Sha256: Example - Image Consistency and Pull Specifications 1. Pull and run latest 2. Scale to 2 replicas 3. Pull and run tag Scale to 2 replicas 5. Pull and run pull spec sha256: Scale to 2 replicas 7. Delete tag in registry 8. Scale to 3 replicas 9. Add node Down node 1 Cluster Node 1 Cluster Node 2

8 Why all this matters

9 Commercial Software Rules Don t Apply to Open Source CLOSED SOURCE COMMERCIAL CODE TRADITIONAL PROCUREMENT PROCESS ALERTING AND NOTIFICATION INFRASTRUCTURE SUPPORT AVAILABLE THROUGH EOL STAFFED WITH SECURITY RESEARCHERS REGULAR PATCH UPDATES DEDICATED SUPPORT TEAM WITH SLA OPEN SOURCE CODE AD-HOC ADOPTION MODEL MONITOR NEWSFEEDS YOURSELF EOL MAY CREATE DEADEND COMMUNITY -BASED CODE ANALYSIS NO STANDARD PATCHING MECHANISM ULTIMATELY, YOU ARE RESPONSIBLE

10 Security Analysis Isn't Only SAST/IAST/DAST Static, Interactive and Dynamic Analysis - Discover common security patterns - Challenged by nuanced bugs - Focuses on your code; not upstream All possible security vulnerabilities Vulnerability Analysis - Identifies vulnerable dependencies disclosures in disclosures in ,000+ disclosures in Most vulnerabilities found by researchers

11 Example - The Tale of CVE and Equifax August 2012 November 2012 May 2016 March March March May July Code Bug Introduce d Struts 2.3 Released Struts 2.5 Released Patches Available Disclosur e Published NVD Details Hacks Successfu l Hacks Discovere d 1649 Days 7 Days 144 Days

12 Example - Don t Give Attackers Opportunities OpenSSH Apache Struts (CVE ): (CVE ): Heartbleed: AllowTCPForwarding Vulnerability Why 2017? 2018? response creates open time matters IoT proxy

13 Make information flow your friend

14 Focus on Factors Impacting Risk Use of vulnerable open source components What are my dependencies and where are they coming from? Is component a fork or dependency? How is component linked? Impact of Point in Time Decisions Can you differentiate between stable and dead? Is there a significant change set in your future? API versioning Security response process for project Commit velocity and contributors

15 We Don t Patch s But Should Question Patching

16 Support Gating of Artifact Builds for Risk Elements BUG TRACKING DEVELOP BUILD PACKAGE RISK ASSESSMENT

17 Support Ongoing Monitoring for Changes in Risk BUG TRACKING TEST DEVELOP BUILD PACKAGE DEPLOY PRODUCTION AUTOMATION RISK ASSESSMENT

18 5 KEY TAKE AWAYS

19 Create an inventory of dependent components Map the components to their origin and patch channel Identify and remediate risks with actionable information Alert for new risks in real-time Automate identification and remediation of risks

20 Thank you! ( ) SlideShare: slideshare.net/timmackey LinkedIn: