do containers enhance application level security
play

Do Containers Enhance Application Level Security? Benjy Portnoy, - PowerPoint PPT Presentation

Jan 21, 2024 •412 likes •960 views

Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP # whoami BlueCoat-> Symantec Director, DevSecOps @AquaSecTeam I know, Ill use Ruby on Rails! * Thanks To Jim Brickman@gruntwork.io > gem install rails

  1. Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP

  2. # whoami BlueCoat-> Symantec Director, DevSecOps @AquaSecTeam

  3. I know, I’ll use Ruby on Rails! * Thanks To Jim Brickman@gruntwork.io

  4. > gem install rails

  5. > gem install rails Fetching: i18n-0.7.0.gem (100%) Fetching: json-1.8.3.gem (100%) Building native extensions. This could take a while... ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb creating Makefile make sh: 1: make: not found

  6. Ah, I just need to install make

  7. > sudo apt-get install make ... Success!

  8. > gem install rails

  9. > gem install rails Fetching: nokogiri-1.6.7.2.gem (100%) Building native extensions. This could take a while... ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb checking if the C compiler accepts ... yes Building nokogiri using packaged libraries. Using mini_portile version 2.0.0.rc2 checking for gzdopen() in -lz... no zlib is missing; necessary for building libxml2 *** extconf.rb failed ***

  10. Hmm. Time to visit StackOverflow.

  11. > sudo apt-get install zlib1g-dev ... Success!

  12. > gem install rails

  13. > gem install rails Building native extensions. This could take a while... ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb checking if the C compiler accepts ... yes Building nokogiri using packaged libraries. Using mini_portile version 2.0.0.rc2 checking for gzdopen() in -lz... yes checking for iconv... yes Extracting libxml2-2.9.2.tar.gz into tmp/x86_64-pc-linux- gnu/ports/libxml2/2.9.2... OK *** extconf.rb failed ***

  14. Nokogiri, why do you never install correctly?

  15. > gem install rails ... Success!

  16. > rails new my-project > cd my-project > rails start

  17. Finally It Works!

  19. You use the AWS Console to deploy an EC2 instance

  20. > ssh ec2-user@ec2-12-34-56-78.compute-1.amazonaws.com __| __|_ ) _| ( / Amazon Linux AMI ___|\___|___| [ec2-user@ip-172-31-61-204 ~]$ gem install rails ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb

  22. Spend 2 hours trying weird & random suggestions Replicate your dev environment in AMI

  24. Now you urgently have to update all your Rails installations

  25. > bundle update rails

  26. > bundle update rails Building native extensions. This could take a while... ERROR: Error installing rails: ERROR: Failed to build gem native extension. /usr/bin/ruby1.9.1 extconf.rb checking if the C compiler accepts ... yes Building nokogiri using packaged libraries. Using mini_portile version 2.0.0.rc2 checking for gzdopen() in -lz... yes checking for iconv... yes Extracting libxml2-2.9.2.tar.gz into tmp/x86_64-pc-linux- gnu/ports/libxml2/2.9.2... OK *** extconf.rb failed ***

  28. What Are Containers Containers to the rescue? Container [kuhn-TAY-ner] , noun Form of application deployment. Making a process think that it has the complete operating system & Dependencies for itself.

  29. Why Should you care? Docker Hosts Source: Datadog usage stats

  30. Up in Seconds Massive Scale Runs Anywhere

  31. How to create a containerized application? .NET < / >

  32. SECURING CONTAINERS ON THE HOST Control Groups Namespaces CPU Capabilities

  33. Lets deploy our Ruby application as a container

  35. Dockerfile Example < / >

  36. August 16 th 2017

  37. September 7 th 2017 • Exploited Apache Struts Vulnerability • 143 Million customers impacted • Attack occurred from mid May to July prior to detection • Equifax hack shaved $4B, or about 25% of the company market cap

  38. CVE-2017-9805/5638 in a nutshell 1) Apache Struts framework for dynamic web content 2) Arbitrary RCE if REST communication plugin enabled 3) The weakness is caused by how Xstream deserializes untrusted data represented as XML

  39. OWASP #1 Injection is #1 application attack vector

  40. Demo Scenario With Containers Victim Container • Apache Struts server using vulnerable struts-2.3.24 Attacker Container • exploit CVE-2017-9805 using the victim as target • Python based exploit • Uploads a simple web shell as a web application to the victim

  42. Demo

  43. What if Equifax were using containers? Attack Success Criteria 1. Compromise server 2. Remain persistent 3. Access additional internal resources 4. Exfiltration of sensitive (PII) data

  44. Container Compromised and Not Host • Container breakout = kernel exploit • Less persistent (Average container life 6 hours!) • Minimal lateral network movement • Micro Service = Reduced Attack Surface •

  46. Shrink Wrapping Container • Each Micro-services should do very little • Learn normal behavior and block anything else ( Shell.war ) • Segment networking on, and between containers on same host File Use Business Volumes Secrets Function Resource Use User Privileges Network Use Executables Image Integrity Lear Le arn an and A Apply ly Le Leas ast P Privile ivileges

  47. So... Do Containers Enhance Security?

  49. .NET Read Only < / > Docker Image Docker Host

  51. Container Security Concerns • Developer Controls Full Stack • Unauthorized images Attacker Applicati on Applicatio • Open Source vulnerabilities n • East To West Traffic Authenticate d User Host 1 Host 2 • Privilege escalation (Dirtyc0w?) • Host resource impact :(){ :|:& };: • Secrets Management

  52. Call To Action

  53. Thank You! Benjy@aquasec.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. How do

823 views • 25 slides
Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega @jmortegac Agenda Introduction to containers security Linux Containers(LXC) Docker Security Security pipeline &amp;&amp; Container

807 views • 57 slides
Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day David Harper Practice Principal Fortify on Demand #MicroFocusCyberSummit Agenda The Application Security Problem Security Gate Secure DevOps

37.39k views • 30 slides
Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs Google Wisdom: VMs and Containers are similar but different Try running containers in VMs for security Containers are best for scale-out

314 views • 17 slides
Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs

Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs

Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs Editor of Lean Out #RVASec @ElissaBeth on twitter @Elissa_is_offmessage on Instagram this was Silicon Valley in 2011 Containers are eating

954 views • 66 slides
Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False?

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False?

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False? Containers are inherently insecure. Some Learnings from an Enterprise Study 94%: Containers have security implications 31%: Worried

490 views • 24 slides
Containers: Design, Application &amp; Hands-on CS 695 - Presentation 2 Getting Your Attention !

Containers: Design, Application &amp; Hands-on CS 695 - Presentation 2 Getting Your Attention !

Containers: Design, Application &amp; Hands-on CS 695 - Presentation 2 Getting Your Attention ! Todays talk will be applicable to many domains in CS Cloud providers IAAS, PAAS HPC and Big Data Support for heavy compute in

543 views • 40 slides
Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12

Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12

Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12 2019 Maya Kaczorowski Security PM, Google Cloud @MayaKaczorowski Objection: My security team is opposed to containers and Kubernetes 3

649 views • 41 slides
Application Delivery and Release Management Honestbee @vincentdesmet with Containers, Kubernetes

Application Delivery and Release Management Honestbee @vincentdesmet with Containers, Kubernetes

Application Delivery and Release Management Honestbee @vincentdesmet with Containers, Kubernetes and Helm Grocery and Food delivery Honestbee We are Hiring DevOps! Overview Context &amp; overview of Containers (Docker) - Container

658 views • 55 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: https://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

1.31k views • 11 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: http://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

981 views • 10 slides
Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com Containers are great Containers are resource efficient Containers make deployment easy Containers can be monitored easily Containers are secure But are

508 views • 38 slides
CS 4803 Network Computer and Network Security Lower level Alexandra (Sasha) Boldyreva

CS 4803 Network Computer and Network Security Lower level Alexandra (Sasha) Boldyreva

Network layers Application Transport CS 4803 Network Computer and Network Security Lower level Alexandra (Sasha) Boldyreva IPsec 1 2 Roughly Examples Application layer: the communicating processes themselves and

415 views • 5 slides
Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

IN3210 Network Security Web Application Security Attacks on the Web Attacker Web User Application Web Database Web Server Application 2 The OWASP Foundation The Open Web Application Security Project (OWASP) is a 501(c)(3)

1.21k views • 60 slides
Scalable and Lightweight CTF Infrastructures Using Application Containers Arvind S Raj, Bithin

Scalable and Lightweight CTF Infrastructures Using Application Containers Arvind S Raj, Bithin

Existing game infrastructures Docker Container-based game infrastructure Evaluation Future work Conclusion Scalable and Lightweight CTF Infrastructures Using Application Containers Arvind S Raj, Bithin Alangot, Seshagiri Prabhu and

400 views • 38 slides
EVALUATING OPENSTACK CONTAINERS AS A SERVICE MAGNUM FOR PRODUCTION Rosario Di Somma WHY

EVALUATING OPENSTACK CONTAINERS AS A SERVICE MAGNUM FOR PRODUCTION Rosario Di Somma WHY

EVALUATING OPENSTACK CONTAINERS AS A SERVICE MAGNUM FOR PRODUCTION Rosario Di Somma WHY CONTAINERS? Rapid application deployment Portability across machines Version control and component reuse Sharing Lightweight footprint

623 views • 12 slides
Running Hadoop and Spark from R Using Docker Containers Interface 2015 E. James Harner and Mark

Running Hadoop and Spark from R Using Docker Containers Interface 2015 E. James Harner and Mark

Rc 2 Server Rc 2 Client Introduction RStudio Summary Running Hadoop and Spark from R Using Docker Containers Interface 2015 E. James Harner and Mark Lilback Department of Statistics West Virginia University June 11, 2014 Rc 2 Server Rc 2

443 views • 21 slides
How the RSS Mentoring Scheme benefited me? Mr Apostolos Fakis Head of Medical Statistics and

How the RSS Mentoring Scheme benefited me? Mr Apostolos Fakis Head of Medical Statistics and

How the RSS Mentoring Scheme benefited me? Mr Apostolos Fakis Head of Medical Statistics and Data Management Research, Development &amp; Innovation Department Derby Clinical Trials Support Unit 23 rd May 2017 START FOCUS &amp; MOTIVATION

355 views • 8 slides
SEGUE-2* SDSS-III Collaboration Meeting Paris July, 2010 *Sloan Extension for Galactic

SEGUE-2* SDSS-III Collaboration Meeting Paris July, 2010 *Sloan Extension for Galactic

SEGUE-2* SDSS-III Collaboration Meeting Paris July, 2010 *Sloan Extension for Galactic Understanding and Exploration Survey Description Old Milky Way stellar populations, Galactic archaeology: see science talks this meeting Use

560 views • 11 slides
A 20 Year Perspective Christine Crofton Agency for Healthcare Research and Quality Susan

A 20 Year Perspective Christine Crofton Agency for Healthcare Research and Quality Susan

The Evolution of CAHPS: A 20 Year Perspective Christine Crofton Agency for Healthcare Research and Quality Susan Edgman-Levitan John D. Stoeckle Center for Primary Care Innovations, Massachusetts General Hospital Caren Ginsberg Agency for

765 views • 48 slides
d 1 g g = . d d 2 x d d AND Use indices , , etc.,

d 1 g g = . d d 2 x d d AND Use indices , , etc.,

Alan Guth, Black-Body Radiation and the Early History of the Universe, 8.286 Lecture 15, October 31, 2013, p. 1. Summary of Leture 14: 8.286 Leture 15 THE SPACETIME GEODESIC EQUATION Otober 31, 2013 d x d x BLACK-BODY

262 views • 3 slides
Proving resistance against invariant attacks: How to choose the round constants Christof Beierle,

Proving resistance against invariant attacks: How to choose the round constants Christof Beierle,

Proving resistance against invariant attacks: How to choose the round constants Christof Beierle, Anne Canteaut, Gregor Leander, Yann Rotella Ruhr-Universitt Bochum, Germany Inria Paris, France BFA 2017, July 2017 Outline A new condition

442 views • 27 slides
Getting Started Rapid Web Development for with Grails the Java Platform Jason Rudolph

Getting Started Rapid Web Development for with Grails the Java Platform Jason Rudolph

Getting Started Rapid Web Development for with Grails the Java Platform Jason Rudolph jason@thinkrelevance.com Published under the Creative Commons Attribution Noncommercial Share Alike License Version 2.5. (Please see

758 views • 59 slides
GRAVITATIONAL LENSING LECTURE 2 Docente: Massimo Meneghetti AA 2015-2016 CONTENTS Lens

GRAVITATIONAL LENSING LECTURE 2 Docente: Massimo Meneghetti AA 2015-2016 CONTENTS Lens

GRAVITATIONAL LENSING LECTURE 2 Docente: Massimo Meneghetti AA 2015-2016 CONTENTS Lens equation Lensing potential From last lecture DEFLECTION OF LIGHT IN GENERAL RELATIVITY How to define the effective diffraction index? DEFLECTION

807 views • 28 slides

More recommend