Securing Containers on the High Seas
Abdullah Munawar, Jack Mannino at AppSec EU 2018
It can be a difficult challenge for most organizations to migrate to containers and develop a secure strategy for implementation and management. Making the shift from legacy virtualization and monolithic deployments to containers requires a solid strategy for securely making the jump. Containers offer many security benefits but it’s important to adopt controls and good practices throughout the lifecycle, across all of the systems and interfaces with which they interact. From container registries, through development and deployment, it’s important to enforce security and eliminate risks as they’re easily introduced.
A robust enterprise container strategy requires focusing on infrastructure, architecture, tooling, policies, and processes. Hardening your containers and ensuring they remain free of known vulnerabilities is important, but this is not a comprehensive approach. Containers, their runtime behavior, and capabilities are influenced by other systems such as container orchestration platforms and schedulers. While organizations are focused on hardening individual containers and services, they also need to think about how to limit lateral movement and post-exploitation steps by attackers through sound architectural choices.
This presentation will focus on scaling container security within an enterprise and building security controls at different layers to provide comprehensive coverage. We will discuss the modern container landscape including multiple container runtimes and standards such as Open Container Initiative (OCI) and Container Storage Interface (OSI) as well as their their impact on security moving forward. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate. By the end of the presentation the audience should confidently be able to develop a secure approach to their organization’s container strategy.
A robust enterprise container strategy requires focusing on infrastructure, architecture, tooling, policies, and processes. Hardening your containers and ensuring they remain free of known vulnerabilities is important, but this is not a comprehensive approach. Containers, their runtime behavior, and capabilities are influenced by other systems such as container orchestration platforms and schedulers. While organizations are focused on hardening individual containers and services, they also need to think about how to limit lateral movement and post-exploitation steps by attackers through sound architectural choices.
This presentation will focus on scaling container security within an enterprise and building security controls at different layers to provide comprehensive coverage. We will discuss the modern container landscape including multiple container runtimes and standards such as Open Container Initiative (OCI) and Container Storage Interface (OSI) as well as their their impact on security moving forward. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate. By the end of the presentation the audience should confidently be able to develop a secure approach to their organization’s container strategy.