SlideShare a Scribd company logo

Securing the Container Pipeline at Salesforce by Cem Gurkok

Docker, Inc.
Docker, Inc.

Customer trust and security is paramount for Salesforce. While containerization is great for DevOps due to flexibility, speed, isolation, transient existence, ease of management and patching, it becomes a challenging environment when the sensitivity level of the data traversing the environment increases. Monitoring systems, applications and network; performing disk, memory and network forensics in case of an incident; and vulnerability detection can easily become daunting tasks in such a volatile environment. In this presentation we would like to discuss the infrastructure we have built to address these issues and to secure our Docker container platform while we rapidly containerize Salesforce. Our solutions focus on securing the container pipeline, building security into the architecture, monitoring, Docker forensics (disk, memory, network), and automation. We also would like to demonstrate some of our live memory analysis capabilities we leverage to assure container and application integrity during execution.

Technology
1 of 40
Download to read offline
Securing the Container Pipeline Cem Gürkök Lead InfoSec Engineer (NOTE: PASTE IN PORTRAIT AND SEND BEHIND FOREGROUND GRAPHIC FOR CROP)
Securing the Container Pipeline Cem Gürkök Lead InfoSec Engineer Salesforce @CGurkok
Agenda •  Threats •  Container pipelines and integrity •  Monitoring containers, hosts, apps, networks •  Digital Forensics •  Vulnerability Management •  Hardening •  Demo
Threats
Container Threats & Challenges ​ Run-time • Container exploit and resource exposure (App) • Breaking out of container • Cross-container attacks • Resource overuse (DoS) ​ At-rest or transport • Tampering of images • Unpatched OS or applications
Mitigations
“As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know.” — Donald Rumsfeld
Securing the Pipeline Docker Security Platform Security Access Controls Content Security Monitoring and Response
The Pipeline
Container Pipeline & Security Base OS and Docker File Base OS Image DEV Docker Trusted Registry + Notary Developer RelEng Image DEV Docker Trusted Registry + Notary Continuous Integration PROD Docker Trusted Registry + Notary Running in PROD Monitoring in all steps. 1.  Security Review and Hardening 2.  Signing, Authentication, Image Vulnerability Scans 3.  Authentication, Verification 4.  Signing, Authentication, Image Vulnerability Scans 5.  Authentication 6.  Authentication, Verification 7.  Authentication, Verification, Vulnerability Scans 8.  Incident Response, Digital Forensics, Patching
Access Control: Authentication •  LDAP over SSL for Docker image transactions: •  Users (Devs, RelEng) •  Service accounts •  Mutual TLS Authentication for registry replication Dev Systems Dev Registry Build & Test Master Registry Prod Registry DMZ Services TLS
Container Integrity ​ Docker Trusted Registry (DTR) •  On-premise •  Authenticated transactions with LDAPS authentication •  DEV and PROD user and image separation •  Users will not be able to disable signing validation •  Validation will be transparent to the users
Container Integrity ​ Docker Notary •  Enable Docker Content Trust on consumers •  Can enable signing checks on every managed host •  Signature verification transparent to users Build & Test Notary Master DMZ Services Prod Services Sign Validate Validate
Master Docker Registry DEV DMZ Notary Master LDAPS Auth Notary Signing Dev Docker Registry PROD Mirrored Read-only Registry or Caching Proxy Docker packaged services Mutual TLS Auth HTTPS Pull Validate Dev Systems LDAPS user acct HTTPS Push to Dev Authenticated pulls LDAPS Auth HTTPS Push and Sign HTTPS Pull Sign LDAPS Auth HTTPS Push Already Signed Docker packaged services in DMZ HTTPS No Auth Pull Validate RelEng promotes to DMZ Release case * Andrey Falko, Salesforce Ticketing System
Hardening
Hardening: Host •  Frequent patching •  Install only needed components and libraries (i.e. no gcc or bash) •  Grsecurity/PaX for the kernel •  File system integrity monitoring •  Leverage Linux isolation capabilities!!
Hardening: Container •  Base image and app with latest updates/patches •  Leverage User namespaces (run as low priv user on host) •  Install only needed components and libraries (i.e. no gcc or ssh)
Hardening: Container •  Avoid using Docker with the --privileged flag •  Use --read-only when running containers (immutability) •  Avoid providing access to the docker user and group •  Limit and/or separate host and kernel device access
Hardening: Docker Bench for Security •  Docker Bench for Security to the rescue! • https://github.com/docker/ docker-bench-security •  Checks based on best practices for hosts and containers * https://github.com/docker/docker-bench-security
Hardening: Vulnerability Management ​ Image Scans with tools, such as Docker Security Scanning: • Operating System • Application source code and libraries ​ Network Scans with traditional vuln scanners: • Discovery • Exposed services ​ Auto and Manual source code audits * “Securing the Software Supply Chain with Docker, ” May 2016, Nathan McCauley
Hardening: Vulnerability Management •  Scanning •  Docker Images •  Applications •  Remediation •  Prioritization and SLAs for Patching •  Relaunching containers after patching Δt
Monitoring
Network Infrastructure •  Bridged networking on Host •  Containers assigned VNICs, IP addresses, and hostnames •  Containers isolated via VLANs (i.e. DB, Web App) •  Tap interface for monitoring •  Security Policies per VLANs and Zones
Network Infrastructure
Monitoring: Network ​ Network traffic captured for: • Inter-container communications • Host communications • Resource communications (i.e. DB, Public Internet) ​ Network traffic sent to: • IDS (Intrusion Detection System) • Netflow generator • Output sent to SIEM for analysis
Monitoring: Hosts ​ Logs: • All host logs are saved • SIEM agents consume and forward the logs from hosts • Monitoring, Dashboarding, Alerting at SIEM Host SIEM
Monitoring: Containers & Apps •  Logs are monitored similar to host •  OS + Application logs •  Network activity monitoring •  IP address assignments •  Netflows •  IDS (Intrusion Detection System) •  Raw Network Traffic Capture
Monitoring: Host, Containers & Apps ​ Disk activity monitoring • File system integrity • Run time layer monitoring ​ Memory monitoring • Docker and container process activity • Process integrity: Engine + Container
Digital Forensics
Digital Forensics •  Incident Response Plan/Policies •  Live/Post-mortem Memory Forensics •  Disk Forensics •  Network Monitoring/Forensics
Disk Forensics •  Build supertimeline to have integrated view of events •  Data Sources: •  Raw Disk Image •  Log Files •  Binaries •  Tools •  The Sleuth Kit: File system analysis •  Plaso: Build supertimeline •  dd: Raw disk image dd Sleuth Kit Plaso
Memory Forensics Why Memory Forensics? • Nothing can hide in memory! • Faster artifact discovery vs. disk forensics
Memory Forensics ​ Analyze host memory • Live /dev/*mem • VM memory file • Memory dump/sample ​ Tools: • Analysis (most OS and sample format): • The Volatility Framework • Memory sampling on Linux: LiME, linpmem LiME linpmem
Memory Forensics: Process Hierarchy •  pstree_hash [new]: View Docker processes in a tree view based on the PID hash table vs. linked list •  Use case: Detect rogue or injected child processes/containers
Memory Forensics: Temporary File Systems •  tmpfs: lists and recovers tmpfs file systems from memory •  Use case: monitor file systems
Memory Forensics: Loaded Libraries •  linux_proc_maps: shows process memory maps, their permissions and original file paths (executable and libraries) •  Use case: Detect Shared Library Injections
Memory Forensics: Process Integrity •  process_compare [new]: Detect if user space binary has been tampered with in memory (in memory binary vs. on disk) [5] •  Works when binary symbols can’t be extracted
Summary Platform Security Isolation Hardening Best Practices Vulnerability Scans Content Security Registry Notary Image/Code Signing Image/Code Scanning Access Controls LDAPS User Authentication System Authentication Monitoring and Response IR Plan & Testing Vulnerability Management Network Logs Forensics
thank y u
References 1.  “CIS Docker 1.6 Benchmark,” Center for Internet Security 2.  “Introduction to Container Security,” Docker.com 3.  “Understanding and Hardening Linux Containers,” NCC Group 4.  “The Volatility Framework,” https://github.com/volatilityfoundation/volatility 5.  “Identifying the Unknown in User Space Memory,” Andrew White 6.  “LiME,” https://github.com/504ensicsLabs/LiME 7.  “linpmem,” http://www.rekall-forensic.com/docs/Tools/ 8.  “The Sleuth Kit,” http://www.sleuthkit.org/ 9.  “Plaso,” https://github.com/log2timeline/plaso

Recommended

Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...
Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...
Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...
Docker, Inc.
 
Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...
Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...
Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...
Docker, Inc.
 
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
Docker, Inc.
 
Production Ready Containers from IBM and Docker
Production Ready Containers from IBM and DockerProduction Ready Containers from IBM and Docker
Production Ready Containers from IBM and Docker
Docker, Inc.
 
Automated hardware testing using docker for space
Automated hardware testing using docker for spaceAutomated hardware testing using docker for space
Automated hardware testing using docker for space
Docker, Inc.
 
Proactive ops for container orchestration environments
Proactive ops for container orchestration environmentsProactive ops for container orchestration environments
Proactive ops for container orchestration environments
Docker, Inc.
 
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Docker, Inc.
 
Building a Docker Swarm cluster on ARM by Dieter Reuter and Stefan Scherer
Building a Docker Swarm cluster on ARM by Dieter Reuter and Stefan Scherer Building a Docker Swarm cluster on ARM by Dieter Reuter and Stefan Scherer
Building a Docker Swarm cluster on ARM by Dieter Reuter and Stefan Scherer
Docker, Inc.
 

Recommended

Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...
Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...
Docker for Ops: Docker Networking Deep Dive, Considerations and Troubleshooti...
Docker, Inc.
 
Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...
Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...
Docker for Ops: Docker Storage and Volumes Deep Dive and Considerations by Br...
Docker, Inc.
 
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
Journey to Docker Production: Evolving Your Infrastructure and Processes - Br...
Docker, Inc.
 
Production Ready Containers from IBM and Docker
Production Ready Containers from IBM and DockerProduction Ready Containers from IBM and Docker
Production Ready Containers from IBM and Docker
Docker, Inc.
 
Automated hardware testing using docker for space
Automated hardware testing using docker for spaceAutomated hardware testing using docker for space
Automated hardware testing using docker for space
Docker, Inc.
 
Proactive ops for container orchestration environments
Proactive ops for container orchestration environmentsProactive ops for container orchestration environments
Proactive ops for container orchestration environments
Docker, Inc.
 
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Docker, Inc.
 
Building a Docker Swarm cluster on ARM by Dieter Reuter and Stefan Scherer
Building a Docker Swarm cluster on ARM by Dieter Reuter and Stefan Scherer Building a Docker Swarm cluster on ARM by Dieter Reuter and Stefan Scherer
Building a Docker Swarm cluster on ARM by Dieter Reuter and Stefan Scherer
Docker, Inc.
 
Docker for Ops: Operationalize your Docker Built Apps in Production by Evan H...
Docker for Ops: Operationalize your Docker Built Apps in Production by Evan H...Docker for Ops: Operationalize your Docker Built Apps in Production by Evan H...
Docker for Ops: Operationalize your Docker Built Apps in Production by Evan H...
Docker, Inc.
 
Docker on Docker
Docker on DockerDocker on Docker
Docker on Docker
Docker, Inc.
 
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth RushgroveThe Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
Docker, Inc.
 
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatPractical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Docker, Inc.
 
Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...
Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...
Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...
Docker, Inc.
 
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
Docker, Inc.
 
DockerCon EU 2015: Monitoring Docker
DockerCon EU 2015: Monitoring DockerDockerCon EU 2015: Monitoring Docker
DockerCon EU 2015: Monitoring Docker
Docker, Inc.
 
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Docker, Inc.
 
Tupperware: Containerized Deployment at FB
Tupperware: Containerized Deployment at FBTupperware: Containerized Deployment at FB
Tupperware: Containerized Deployment at FB
Docker, Inc.
 
So Easy, A Ten Year Old Can Do It by Zeph Gardler
So Easy, A Ten Year Old Can Do It by Zeph GardlerSo Easy, A Ten Year Old Can Do It by Zeph Gardler
So Easy, A Ten Year Old Can Do It by Zeph Gardler
Docker, Inc.
 
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart
Docker, Inc.
 
How to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experienceHow to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experience
Docker, Inc.
 
DockerCon EU 2015: Day 1 General Session
DockerCon EU 2015: Day 1 General SessionDockerCon EU 2015: Day 1 General Session
DockerCon EU 2015: Day 1 General Session
Docker, Inc.
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
Docker, Inc.
 
DockerCon EU 2015: The Latest in Docker Engine
DockerCon EU 2015: The Latest in Docker EngineDockerCon EU 2015: The Latest in Docker Engine
DockerCon EU 2015: The Latest in Docker Engine
Docker, Inc.
 
Monitoring docker container and dockerized applications
Monitoring docker container and dockerized applicationsMonitoring docker container and dockerized applications
Monitoring docker container and dockerized applications
Ananth Padmanabhan
 
Take an Analytics-driven Approach to Container Performance with Splunk for Co...
Take an Analytics-driven Approach to Container Performance with Splunk for Co...Take an Analytics-driven Approach to Container Performance with Splunk for Co...
Take an Analytics-driven Approach to Container Performance with Splunk for Co...
Docker, Inc.
 
The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...
The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...
The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...
Docker, Inc.
 
Containerize All the (Multi-Platform) Things! by Phil Estes
Containerize All the (Multi-Platform) Things! by Phil EstesContainerize All the (Multi-Platform) Things! by Phil Estes
Containerize All the (Multi-Platform) Things! by Phil Estes
Docker, Inc.
 
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...Highly Available Persistent Applications in Containers by Kendrick Coleman, E...
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...
Docker, Inc.
 
Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...
Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...
Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...
Docker, Inc.
 
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...
Docker, Inc.
 

More Related Content

What's hot

The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth RushgroveThe Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
Docker, Inc.
 
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
Docker, Inc.
 
Tupperware: Containerized Deployment at FB
Tupperware: Containerized Deployment at FBTupperware: Containerized Deployment at FB
Tupperware: Containerized Deployment at FB
Docker, Inc.
 
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart
Docker, Inc.
 
How to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experienceHow to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experience
Docker, Inc.
 
Take an Analytics-driven Approach to Container Performance with Splunk for Co...
Take an Analytics-driven Approach to Container Performance with Splunk for Co...Take an Analytics-driven Approach to Container Performance with Splunk for Co...
Take an Analytics-driven Approach to Container Performance with Splunk for Co...
Docker, Inc.
 
The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...
The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...
The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...
Docker, Inc.
 
Containerize All the (Multi-Platform) Things! by Phil Estes
Containerize All the (Multi-Platform) Things! by Phil EstesContainerize All the (Multi-Platform) Things! by Phil Estes
Containerize All the (Multi-Platform) Things! by Phil Estes
Docker, Inc.
 

What's hot (20)

Docker for Ops: Operationalize your Docker Built Apps in Production by Evan H...
Docker for Ops: Operationalize your Docker Built Apps in Production by Evan H...Docker for Ops: Operationalize your Docker Built Apps in Production by Evan H...
Docker for Ops: Operationalize your Docker Built Apps in Production by Evan H...
 
Docker on Docker
Docker on DockerDocker on Docker
Docker on Docker
 
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth RushgroveThe Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove
 
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatPractical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
 
Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...
Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...
Getting Deep on Orchestration: APIs, Actors, and Abstractions in a Distribute...
 
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
You Don't Have to Start Over! A Practical Guide for Adopting Docker in the En...
 
DockerCon EU 2015: Monitoring Docker
DockerCon EU 2015: Monitoring DockerDockerCon EU 2015: Monitoring Docker
DockerCon EU 2015: Monitoring Docker
 
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
Proof of Concept: Serverless with Swarm by Nirmal Mehta, Booz Allen Hamilton
 
Tupperware: Containerized Deployment at FB
Tupperware: Containerized Deployment at FBTupperware: Containerized Deployment at FB
Tupperware: Containerized Deployment at FB
 
So Easy, A Ten Year Old Can Do It by Zeph Gardler
So Easy, A Ten Year Old Can Do It by Zeph GardlerSo Easy, A Ten Year Old Can Do It by Zeph Gardler
So Easy, A Ten Year Old Can Do It by Zeph Gardler
 
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart
 
How to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experienceHow to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experience
 
DockerCon EU 2015: Day 1 General Session
DockerCon EU 2015: Day 1 General SessionDockerCon EU 2015: Day 1 General Session
DockerCon EU 2015: Day 1 General Session
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
 
DockerCon EU 2015: The Latest in Docker Engine
DockerCon EU 2015: The Latest in Docker EngineDockerCon EU 2015: The Latest in Docker Engine
DockerCon EU 2015: The Latest in Docker Engine
 
Monitoring docker container and dockerized applications
Monitoring docker container and dockerized applicationsMonitoring docker container and dockerized applications
Monitoring docker container and dockerized applications
 
Take an Analytics-driven Approach to Container Performance with Splunk for Co...
Take an Analytics-driven Approach to Container Performance with Splunk for Co...Take an Analytics-driven Approach to Container Performance with Splunk for Co...
Take an Analytics-driven Approach to Container Performance with Splunk for Co...
 
The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...
The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...
The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...
 
Containerize All the (Multi-Platform) Things! by Phil Estes
Containerize All the (Multi-Platform) Things! by Phil EstesContainerize All the (Multi-Platform) Things! by Phil Estes
Containerize All the (Multi-Platform) Things! by Phil Estes
 
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...Highly Available Persistent Applications in Containers by Kendrick Coleman, E...
Highly Available Persistent Applications in Containers by Kendrick Coleman, E...
 

Viewers also liked

Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...
Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...
Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...
Docker, Inc.
 
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...
Docker, Inc.
 
Build Fast, Deploy Fast: Innovating in the Enterprise by Imran Raja and Andy Lim
Build Fast, Deploy Fast: Innovating in the Enterprise by Imran Raja and Andy LimBuild Fast, Deploy Fast: Innovating in the Enterprise by Imran Raja and Andy Lim
Build Fast, Deploy Fast: Innovating in the Enterprise by Imran Raja and Andy Lim
Docker, Inc.
 
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Docker, Inc.
 
Fully Orchestrating Applications, Microservices and Enterprise Services with ...
Fully Orchestrating Applications, Microservices and Enterprise Services with ...Fully Orchestrating Applications, Microservices and Enterprise Services with ...
Fully Orchestrating Applications, Microservices and Enterprise Services with ...
Docker, Inc.
 
Use Docker to Deliver Cognitive Services Running Cross Platform and Multi Clo...
Use Docker to Deliver Cognitive Services Running Cross Platform and Multi Clo...Use Docker to Deliver Cognitive Services Running Cross Platform and Multi Clo...
Use Docker to Deliver Cognitive Services Running Cross Platform and Multi Clo...
Docker, Inc.
 
Netflix0SS Services on Docker
Netflix0SS Services on DockerNetflix0SS Services on Docker
Netflix0SS Services on Docker
Docker, Inc.
 
Deploying Personalized Learning Labs using Docker Swarm by Nate Aune and Bria...
Deploying Personalized Learning Labs using Docker Swarm by Nate Aune and Bria...Deploying Personalized Learning Labs using Docker Swarm by Nate Aune and Bria...
Deploying Personalized Learning Labs using Docker Swarm by Nate Aune and Bria...
Docker, Inc.
 
Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...
Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...
Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...
Docker, Inc.
 
Docker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EEDocker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EE
Docker, Inc.
 

Viewers also liked (20)

Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...
Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...
Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...
 
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...
 
Docker in Production, Look No Hands! by Scott Coulton
Docker in Production, Look No Hands! by Scott CoultonDocker in Production, Look No Hands! by Scott Coulton
Docker in Production, Look No Hands! by Scott Coulton
 
Build Fast, Deploy Fast: Innovating in the Enterprise by Imran Raja and Andy Lim
Build Fast, Deploy Fast: Innovating in the Enterprise by Imran Raja and Andy LimBuild Fast, Deploy Fast: Innovating in the Enterprise by Imran Raja and Andy Lim
Build Fast, Deploy Fast: Innovating in the Enterprise by Imran Raja and Andy Lim
 
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
 
Fully Orchestrating Applications, Microservices and Enterprise Services with ...
Fully Orchestrating Applications, Microservices and Enterprise Services with ...Fully Orchestrating Applications, Microservices and Enterprise Services with ...
Fully Orchestrating Applications, Microservices and Enterprise Services with ...
 
Use Docker to Deliver Cognitive Services Running Cross Platform and Multi Clo...
Use Docker to Deliver Cognitive Services Running Cross Platform and Multi Clo...Use Docker to Deliver Cognitive Services Running Cross Platform and Multi Clo...
Use Docker to Deliver Cognitive Services Running Cross Platform and Multi Clo...
 
Netflix0SS Services on Docker
Netflix0SS Services on DockerNetflix0SS Services on Docker
Netflix0SS Services on Docker
 
Deploying Personalized Learning Labs using Docker Swarm by Nate Aune and Bria...
Deploying Personalized Learning Labs using Docker Swarm by Nate Aune and Bria...Deploying Personalized Learning Labs using Docker Swarm by Nate Aune and Bria...
Deploying Personalized Learning Labs using Docker Swarm by Nate Aune and Bria...
 
Dockerizing Windows Server Applications by Ender Barillas and Taylor Brown
Dockerizing Windows Server Applications by Ender Barillas and Taylor BrownDockerizing Windows Server Applications by Ender Barillas and Taylor Brown
Dockerizing Windows Server Applications by Ender Barillas and Taylor Brown
 
Efficient Parallel Testing with Docker by Laura Frank
Efficient Parallel Testing with Docker by Laura FrankEfficient Parallel Testing with Docker by Laura Frank
Efficient Parallel Testing with Docker by Laura Frank
 
Docker for Mac and Windows: The Insider's Guide by Justin Cormack
Docker for Mac and Windows: The Insider's Guide by Justin CormackDocker for Mac and Windows: The Insider's Guide by Justin Cormack
Docker for Mac and Windows: The Insider's Guide by Justin Cormack
 
Windows Server and Docker - The Internals Behind Bringing Docker and Containe...
Windows Server and Docker - The Internals Behind Bringing Docker and Containe...Windows Server and Docker - The Internals Behind Bringing Docker and Containe...
Windows Server and Docker - The Internals Behind Bringing Docker and Containe...
 
Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...
Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...
Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...
 
Docker and Microsoft - Windows Server 2016 Technical Deep Dive
Docker and Microsoft - Windows Server 2016 Technical Deep DiveDocker and Microsoft - Windows Server 2016 Technical Deep Dive
Docker and Microsoft - Windows Server 2016 Technical Deep Dive
 
containerd and CRI
containerd and CRIcontainerd and CRI
containerd and CRI
 
Driving containerd operations with gRPC
Driving containerd operations with gRPCDriving containerd operations with gRPC
Driving containerd operations with gRPC
 
Docker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EEDocker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EE
 
English Nukleus - FUNCTION AND ABILITY
English Nukleus - FUNCTION AND ABILITY English Nukleus - FUNCTION AND ABILITY
English Nukleus - FUNCTION AND ABILITY
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 

Similar to Securing the Container Pipeline at Salesforce by Cem Gurkok

Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container Pipeline
Salesforce Engineering
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
Ksenia Peguero
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
Black Duck by Synopsys
 

Similar to Securing the Container Pipeline at Salesforce by Cem Gurkok (20)

Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container Pipeline
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
Container Security
Container SecurityContainer Security
Container Security
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Fluentd and docker monitoring
Fluentd and docker monitoringFluentd and docker monitoring
Fluentd and docker monitoring
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production Cloud
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
SANS Cloud Security Summit 2018: Forensics as a Service
SANS Cloud Security Summit 2018: Forensics as a ServiceSANS Cloud Security Summit 2018: Forensics as a Service
SANS Cloud Security Summit 2018: Forensics as a Service
 
OWASP Atlanta 2018: Forensics as a Service
OWASP Atlanta 2018: Forensics as a ServiceOWASP Atlanta 2018: Forensics as a Service
OWASP Atlanta 2018: Forensics as a Service
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
Containers and security
Containers and securityContainers and security
Containers and security
 
Securing Docker Containers
Securing Docker ContainersSecuring Docker Containers
Securing Docker Containers
 
Using Docker in production: Get started today!
Using Docker in production: Get started today!Using Docker in production: Get started today!
Using Docker in production: Get started today!
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdf
 

More from Docker, Inc.

Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
Docker, Inc.
 
Distributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDistributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at Salesforce
Docker, Inc.
 
Monitoring in a Microservices World
Monitoring in a Microservices WorldMonitoring in a Microservices World
Monitoring in a Microservices World
Docker, Inc.
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
Docker, Inc.
 
Predicting Space Weather with Docker
Predicting Space Weather with DockerPredicting Space Weather with Docker
Predicting Space Weather with Docker
Docker, Inc.
 
Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!
Docker, Inc.
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog Scale
Docker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
Docker, Inc.
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
Docker, Inc.
 

More from Docker, Inc. (20)

Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience
 
How to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildHow to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker Build
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
 
Securing Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXSecuring Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINX
 
How To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and ComposeHow To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and Compose
 
Hands-on Helm
Hands-on Helm Hands-on Helm
Hands-on Helm
 
Distributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDistributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at Salesforce
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker HubThe First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker Hub
 
Monitoring in a Microservices World
Monitoring in a Microservices WorldMonitoring in a Microservices World
Monitoring in a Microservices World
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
 
Predicting Space Weather with Docker
Predicting Space Weather with DockerPredicting Space Weather with Docker
Predicting Space Weather with Docker
 
Become a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio CodeBecome a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio Code
 
How to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container RegistryHow to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container Registry
 
Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog Scale
 
Labels, Labels, Labels
Labels, Labels, Labels Labels, Labels, Labels
Labels, Labels, Labels
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelUsing Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
 
Developing with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDeveloping with Docker for the Arm Architecture
Developing with Docker for the Arm Architecture
 

Recently uploaded

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 

Recently uploaded (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

Securing the Container Pipeline at Salesforce by Cem Gurkok

  • 1. Securing the Container Pipeline Cem Gürkök Lead InfoSec Engineer (NOTE: PASTE IN PORTRAIT AND SEND BEHIND FOREGROUND GRAPHIC FOR CROP)
  • 2. Securing the Container Pipeline Cem Gürkök Lead InfoSec Engineer Salesforce @CGurkok
  • 3. Agenda •  Threats •  Container pipelines and integrity •  Monitoring containers, hosts, apps, networks •  Digital Forensics •  Vulnerability Management •  Hardening •  Demo
  • 5. Container Threats & Challenges ​ Run-time • Container exploit and resource exposure (App) • Breaking out of container • Cross-container attacks • Resource overuse (DoS) ​ At-rest or transport • Tampering of images • Unpatched OS or applications
  • 7. “As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know.” — Donald Rumsfeld
  • 10. Container Pipeline & Security Base OS and Docker File Base OS Image DEV Docker Trusted Registry + Notary Developer RelEng Image DEV Docker Trusted Registry + Notary Continuous Integration PROD Docker Trusted Registry + Notary Running in PROD Monitoring in all steps. 1.  Security Review and Hardening 2.  Signing, Authentication, Image Vulnerability Scans 3.  Authentication, Verification 4.  Signing, Authentication, Image Vulnerability Scans 5.  Authentication 6.  Authentication, Verification 7.  Authentication, Verification, Vulnerability Scans 8.  Incident Response, Digital Forensics, Patching
  • 11. Access Control: Authentication •  LDAP over SSL for Docker image transactions: •  Users (Devs, RelEng) •  Service accounts •  Mutual TLS Authentication for registry replication Dev Systems Dev Registry Build & Test Master Registry Prod Registry DMZ Services TLS
  • 12. Container Integrity ​ Docker Trusted Registry (DTR) •  On-premise •  Authenticated transactions with LDAPS authentication •  DEV and PROD user and image separation •  Users will not be able to disable signing validation •  Validation will be transparent to the users
  • 13. Container Integrity ​ Docker Notary •  Enable Docker Content Trust on consumers •  Can enable signing checks on every managed host •  Signature verification transparent to users Build & Test Notary Master DMZ Services Prod Services Sign Validate Validate
  • 14. Master Docker Registry DEV DMZ Notary Master LDAPS Auth Notary Signing Dev Docker Registry PROD Mirrored Read-only Registry or Caching Proxy Docker packaged services Mutual TLS Auth HTTPS Pull Validate Dev Systems LDAPS user acct HTTPS Push to Dev Authenticated pulls LDAPS Auth HTTPS Push and Sign HTTPS Pull Sign LDAPS Auth HTTPS Push Already Signed Docker packaged services in DMZ HTTPS No Auth Pull Validate RelEng promotes to DMZ Release case * Andrey Falko, Salesforce Ticketing System
  • 16. Hardening: Host •  Frequent patching •  Install only needed components and libraries (i.e. no gcc or bash) •  Grsecurity/PaX for the kernel •  File system integrity monitoring •  Leverage Linux isolation capabilities!!
  • 17. Hardening: Container •  Base image and app with latest updates/patches •  Leverage User namespaces (run as low priv user on host) •  Install only needed components and libraries (i.e. no gcc or ssh)
  • 18. Hardening: Container •  Avoid using Docker with the --privileged flag •  Use --read-only when running containers (immutability) •  Avoid providing access to the docker user and group •  Limit and/or separate host and kernel device access
  • 19. Hardening: Docker Bench for Security •  Docker Bench for Security to the rescue! • https://github.com/docker/ docker-bench-security •  Checks based on best practices for hosts and containers * https://github.com/docker/docker-bench-security
  • 20. Hardening: Vulnerability Management ​ Image Scans with tools, such as Docker Security Scanning: • Operating System • Application source code and libraries ​ Network Scans with traditional vuln scanners: • Discovery • Exposed services ​ Auto and Manual source code audits * “Securing the Software Supply Chain with Docker, ” May 2016, Nathan McCauley
  • 21. Hardening: Vulnerability Management •  Scanning •  Docker Images •  Applications •  Remediation •  Prioritization and SLAs for Patching •  Relaunching containers after patching Δt
  • 23. Network Infrastructure •  Bridged networking on Host •  Containers assigned VNICs, IP addresses, and hostnames •  Containers isolated via VLANs (i.e. DB, Web App) •  Tap interface for monitoring •  Security Policies per VLANs and Zones
  • 25. Monitoring: Network ​ Network traffic captured for: • Inter-container communications • Host communications • Resource communications (i.e. DB, Public Internet) ​ Network traffic sent to: • IDS (Intrusion Detection System) • Netflow generator • Output sent to SIEM for analysis
  • 26. Monitoring: Hosts ​ Logs: • All host logs are saved • SIEM agents consume and forward the logs from hosts • Monitoring, Dashboarding, Alerting at SIEM Host SIEM
  • 27. Monitoring: Containers & Apps •  Logs are monitored similar to host •  OS + Application logs •  Network activity monitoring •  IP address assignments •  Netflows •  IDS (Intrusion Detection System) •  Raw Network Traffic Capture
  • 28. Monitoring: Host, Containers & Apps ​ Disk activity monitoring • File system integrity • Run time layer monitoring ​ Memory monitoring • Docker and container process activity • Process integrity: Engine + Container
  • 30. Digital Forensics •  Incident Response Plan/Policies •  Live/Post-mortem Memory Forensics •  Disk Forensics •  Network Monitoring/Forensics
  • 31. Disk Forensics •  Build supertimeline to have integrated view of events •  Data Sources: •  Raw Disk Image •  Log Files •  Binaries •  Tools •  The Sleuth Kit: File system analysis •  Plaso: Build supertimeline •  dd: Raw disk image dd Sleuth Kit Plaso
  • 32. Memory Forensics Why Memory Forensics? • Nothing can hide in memory! • Faster artifact discovery vs. disk forensics
  • 33. Memory Forensics ​ Analyze host memory • Live /dev/*mem • VM memory file • Memory dump/sample ​ Tools: • Analysis (most OS and sample format): • The Volatility Framework • Memory sampling on Linux: LiME, linpmem LiME linpmem
  • 34. Memory Forensics: Process Hierarchy •  pstree_hash [new]: View Docker processes in a tree view based on the PID hash table vs. linked list •  Use case: Detect rogue or injected child processes/containers
  • 35. Memory Forensics: Temporary File Systems •  tmpfs: lists and recovers tmpfs file systems from memory •  Use case: monitor file systems
  • 36. Memory Forensics: Loaded Libraries •  linux_proc_maps: shows process memory maps, their permissions and original file paths (executable and libraries) •  Use case: Detect Shared Library Injections
  • 37. Memory Forensics: Process Integrity •  process_compare [new]: Detect if user space binary has been tampered with in memory (in memory binary vs. on disk) [5] •  Works when binary symbols can’t be extracted
  • 40. References 1.  “CIS Docker 1.6 Benchmark,” Center for Internet Security 2.  “Introduction to Container Security,” Docker.com 3.  “Understanding and Hardening Linux Containers,” NCC Group 4.  “The Volatility Framework,” https://github.com/volatilityfoundation/volatility 5.  “Identifying the Unknown in User Space Memory,” Andrew White 6.  “LiME,” https://github.com/504ensicsLabs/LiME 7.  “linpmem,” http://www.rekall-forensic.com/docs/Tools/ 8.  “The Sleuth Kit,” http://www.sleuthkit.org/ 9.  “Plaso,” https://github.com/log2timeline/plaso