Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP

Similar documents
Waratek Runtime Protection Platform

Automating Security Practices for the DevOps Revolution

/ Cloud Computing. Recitation 5 September 27 th, 2016

AWS Integration Guide

Securing Microservices Containerized Security in AWS

PVS Deployment in the Cloud. Last Updated: June 17, 2016

Murray Goldschmidt. Chief Operating Officer Sense of Security Pty Ltd. Micro Services, Containers and Serverless PaaS Web Apps? How safe are you?

DevOps Course Content

Netflix OSS Spinnaker on the AWS Cloud

Index. Bessel function, 51 Big data, 1. Cloud-based version-control system, 226 Containerization, 30 application, 32 virtualize processes, 30 31

OBSERVEIT CLOUDTHREAT GUIDE

Bitnami JRuby for Huawei Enterprise Cloud

Securing Serverless Architectures

HTTP request proxying vulnerability

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

IEEE Sec Dev Conference

Amazon Web Services Hands On S3 January, 2012

Containers, Serverless and Functions in a nutshell. Eugene Fedorenko

Managing Deep Learning Workflows

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing

Running MESA on Amazon EC2 Instances: A Guide

Framework for Application Security Testing. September 11th, 2018

Orchestration Ownage: Exploiting Container-Centric Datacenter Platforms

At Course Completion Prepares you as per certification requirements for AWS Developer Associate.

/ Cloud Computing. Recitation 5 September 26 th, 2017

/ Cloud Computing. Recitation 5 February 14th, 2017

Operating System Security

Copyright

Exam Questions AWS-Certified- Developer-Associate

DEPLOYMENT MADE EASY!

Immersion Day. Getting Started with Linux on Amazon EC2

Vulnerability Management & Vulnerability Assessment. Nessus Attack Scripting Language (NASL). CVE databases, NVD database

Verteego VDS Documentation

About Me. Rohit Salecha

Introductions. Jack Katie

Securing Containers on the High Seas. Jack OWASP Belgium September 2018

Homework #7 Amazon Elastic Compute Cloud Web Services

DevOps Technologies. for Deployment

CS 410/510: Web Security X1: Labs Setup WFP1, WFP2, and Kali VMs on Google Cloud

Vulnerability Management From B Movie to Blockbuster Rahim Jina

Hacking and Hardening Kubernetes

Move Amazon RDS MySQL Databases to Amazon VPC using Amazon EC2 ClassicLink and Read Replicas

Lab 2 Third Party API Integration, Cloud Deployment & Benchmarking

Docker and Security. September 28, 2017 VASCAN Michael Irwin

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology

Homework 9: Stock Search Android App with Facebook Post A Mobile Phone Exercise

Containers: Exploits, Surprises, And Security

Monitoring MySQL Performance with Percona Monitoring and Management

Kubernetes Integration Guide

One year of Deploying Applications for Docker, CoreOS, Kubernetes and Co.

Training: Pentesting the Modern Application Stack

Zero to Microservices in 5 minutes using Docker Containers. Mathew Lodge Weaveworks

Protect your apps and your customers against application layer attacks

KubeNow Documentation

Swift Web Applications on the AWS Cloud

Bitnami Ruby for Huawei Enterprise Cloud

Configuring a Palo Alto Firewall in AWS

Web Application Security Payloads. Andrés Riancho SecTor 2010, Toronto, Canada.

Contents in Detail. Foreword by Xavier Noria

Code: Slides:

C1: Define Security Requirements

CPW AutoGrader. CSCI 370 Field Session 2016 June 20, Client: Christopher Painter Wakefield

Attacking Next- Generation Firewalls

Securing the Modern Data Center with Trend Micro Deep Security

Amazon Web Services Hands on EC2 December, 2012

OWASP. The OWASP Foundation Shake Hands With BeEF

Presented By: Gregory M. Kurtzer HPC Systems Architect Lawrence Berkeley National Laboratory CONTAINERS IN HPC WITH SINGULARITY

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

CLOUD WORKLOAD SECURITY

Important DevOps Technologies (3+2+3days) for Deployment

Exploiting and Defending: Common Web Application Vulnerabilities

Chef Server on the AWS Cloud

6 Cloud/Grid Computing

Creating a Multi-Container Pod

Russ McRee Bryan Casper

Installing Oxwall completely in Amazon Cloud

Surrogate Dependencies (in

Well, That Escalated Quickly! How abusing the Docker API Led to Remote Code Execution, Same Origin Bypass and Persistence in the Hypervisor via

IoT Vulnerabilities. By Troy Mattessich, Raymond Fradella, and Arsh Tavi. Contribution Distribution

Growth of Docker hub pulls

I run a Linux server, so we re secure

Using The Hortonworks Virtual Sandbox Powered By Apache Hadoop

How to go serverless with AWS Lambda

Puppet on the AWS Cloud

Advanced Systems Security: Ordinary Operating Systems

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Runtime Application Self-Protection (RASP) Performance Metrics

MANAGING MESOS, DOCKER, AND CHRONOS WITH PUPPET

Midterm Presentation Schedule

MCAFEE FOUNDSTONE FSL UPDATE

CS 642 Homework #4. Due Date: 11:59 p.m. on Tuesday, May 1, Warning!

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT

datapusher Documentation

Introduction to containers

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

TIBCO Cloud Integration Security Overview

Installing and Using Docker Toolbox for Mac OSX and Windows

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

BUILDING A GPU-FOCUSED CI SOLUTION

ALIENVAULT USM FOR AWS SOLUTION GUIDE

Transcription:

Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP

# whoami BlueCoat-> Symantec Director, DevSecOps @AquaSecTeam

I know, I ll use Ruby on Rails! * Thanks To Jim Brickman@gruntwork.io

> gem install rails

> gem install rails Fetching: i18n-0.7.0.gem (100%) Fetching: json-1.8.3.gem (100%) Building native extensions. This could take a while... ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb creating Makefile make sh: 1: make: not found

Ah, I just need to install make

> sudo apt-get install make... Success!

> gem install rails

> gem install rails Fetching: nokogiri-1.6.7.2.gem (100%) Building native extensions. This could take a while... ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb checking if the C compiler accepts... yes Building nokogiri using packaged libraries. Using mini_portile version 2.0.0.rc2 checking for gzdopen() in -lz... no zlib is missing; necessary for building libxml2 *** extconf.rb failed ***

Hmm. Time to visit StackOverflow.

> sudo apt-get install zlib1g-dev... Success!

> gem install rails

> gem install rails Building native extensions. This could take a while... ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb checking if the C compiler accepts... yes Building nokogiri using packaged libraries. Using mini_portile version 2.0.0.rc2 checking for gzdopen() in -lz... yes checking for iconv... yes Extracting libxml2-2.9.2.tar.gz into tmp/x86_64-pc-linuxgnu/ports/libxml2/2.9.2... OK *** extconf.rb failed ***

okogiri, why do you never install correctly?

> gem install rails... Success!

> rails new my-project > cd my-project > rails start

Finally It Works!

You use the AWS Console to deploy an EC2 instance

> ssh ec2-user@ec2-12-34-56-78.compute-1.amazonaws.com _ ) _ ( / Amazon Linux AMI \ [ec2-user@ip-172-31-61-204 ~]$ gem install rails ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb

Spend 2 hours trying weird & random suggestions Replicate your dev environment in AMI

Now you urgently have to update all your Rails installations

> bundle update rails

> bundle update rails Building native extensions. This could take a while... ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb checking if the C compiler accepts... yes Building nokogiri using packaged libraries. Using mini_portile version 2.0.0.rc2 checking for gzdopen() in -lz... yes checking for iconv... yes Extracting libxml2-2.9.2.tar.gz into tmp/x86_64-pc-linuxgnu/ports/libxml2/2.9.2... OK *** extconf.rb failed ***

What Are Containers Containers to the rescue? Container [kuhn-tay-ner], noun Form of application deployment. Making a process think that it has the complete operating system & Dependencies for itself.

Why Should you care? Docker Hosts Source: Datadog usage stats

Up in Seconds Massive Scale Runs Anywhere

How to create a containerized application?.net < / >

SECURING CONTAINERS ON THE HOST Control Groups Namespaces CPU Capabilities

Lets deploy our Ruby application as a container

Dockerfile Example < / >

August 16 th 2017

September 7 th 2017 Exploited Apache Struts Vulnerability 143 Million customers impacted Attack occurred from mid May to July prior to detection Equifax hack shaved $4B, or about 25% of the company market cap

CVE-2017-9805/5638 in a nutshell 1) Apache Struts framework for dynamic web content 2) Arbitrary RCE if REST communication plugin enabled 3) The weakness is caused by how Xstream deserializes untrusted data represented as XML

OWASP #1 Injection is #1 application attack vector

Demo Scenario With Containers Victim Container Apache Struts server using vulnerable struts-2.3.24 Attacker Container exploit CVE-2017-9805 using the victim as target Python based exploit Uploads a simple web shell as a web application to the victim

Demo

What if Equifax were using containers? Attack Success Criteria 1. Compromise server 2. Remain persistent 3. Access additional internal resources 4. Exfiltration of sensitive (PII) data

Container Compromised and Not Host Container breakout = kernel exploit Less persistent (Average container life 6 hours!) Minimal lateral network movement Micro Service = Reduced Attack Surface

Shrink Wrapping Container Each Micro-services should do very little Learn normal behavior and block anything else (Shell.war) Segment networking on, and between containers on same host Secrets File Use Volumes Business Function User Privileges Resource Use Network Use Image Integrity Executables Learn and Apply Least Privileges

So... Do Containers Enhance Security?

.NET < / > Read Only Docker Image Docker Host

Container Security Concerns Developer Controls Full Stack Unauthorized images Open Source vulnerabilities East To West Traffic Privilege escalation (Dirtyc0w?) Host resource impact :(){ : :& };: Secrets Management Authenticate d User Applicati on Attacker Applicatio n Host 1 Host 2

Call To Action

Thank You! Benjy@aquasec.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback