Container security
0 likes37 views
This document summarizes best practices for container security. It begins with case studies and hygiene factors like fully patching images and scanning images before pushing them to a registry. It then discusses DevSecOps practices like architectural reviews, automation, and training. Recommendations are provided for tools to address image vulnerability scanning, source code scanning, run-time security, compliance, and comprehensive security. Finally, it discusses platform-specific considerations for AWS, Azure, DockerHub and others regarding registry access control, vulnerability scanning, and run-time protection tools.
Container security
- 2. One of the main cyber-risks is to think they dont exist. The other is to try to treat all potential risks. It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it. -Stephane Nappo, CISO
- 3. Agenda Case Studies Hygiene factors DevSecOps (Best Practices) Tools Platform Specific (AWS, Azure)
- 5. Case Studies
- 6. Hygiene Factors Images Fully patched SELinux or AppArmor Least number of user accounts Scan before pushing into registry
- 7. DevSecOps Best Practices ProcessPeople Technology - Architectural reviews - Automation (SAST/DAST, freq) - Security breakpoints - Management buy-in - Shift-left philosophy - Training (time & resources) - Static code analyzers (CVE intergated) - Logging, monitoring & auditing - Vulnerability scanners - Threat Modelling
- 8. Purpose Recommendations Image Vulnerability Scanning Source-code Scanning Run-time Security Compliance & Audit Comprehensive Security Tools
- 9. Platform-specific (AWS / Azure) Registry EC2 Container Registry DockerHub* Azure Registry DockerHub Quay Access Control IAM STS IAM Vulnerability Scanning Clair Qualys Run-time protection Aqua AlertLogic PaloAlto Aqua#