Over the past few years, more and more companies are turning to containerized environments to scale their applications. However, keeping containers secure throughout the development life cycle presents many challenges to security and development teams. In order to address them, organizations need to adopt a new set of security processes and tools. This session will focus on the three most vulnerable areas of container security and the best practices to help teams develop and deploy securely. Join Jeffrey Martin, Senior Director of Product at WhiteSource, as he discusses: The top challenges to security in containerized environments How DevSecOps addresses security in containerized environments Tips and tricks for successfully incorporating security into the container lifecycle

1. 1
Barriers to Container Security
and How to Overcome Them
How to approach security when most of your
software comes from the community
Jeffrey Martin
Senior Director of Product at WhiteSource

2. 2
THE CONTAINER LIFECYCLE
Build RunShip

3. 3
THE CONTAINER IMAGES LAYERS

4. 4
LET’S START WITH THE OBVIOUS QUESTIONS
▪ Do you use a private registry?
▪ When using a public registry, are the images signed?
▪ Are you running the containers with a root user?

5. THE CHALLENGES OF OPEN SOURCE USAGE
Reported Vulnerabilities
Are Rising
Less Time To Fix

6. 6
SECURITY SHOULD BE A BIG CONSIDERATION

7. 7
WHAT CAN HELP YOU GAIN VISIBILITY?

8. 8
THE QUESTION IS, HOW SOON IN THE SDLC?
PLAN CODE BUILD MAINT.DEPLOY

9. 9
THE EARLIER, THE CHEAPER AND EASIER TO FIX
Coding
$80/Defect
Build
$240/Defect
QA & Security
$960/Defect
Production
$7,600/Defect
The cost of fixing security and quality issues is rising significantly, as the development cycle advances.

10. 10
66% of companies have already implemented application testing during or even pre-build stage.
In what stage of the SDLC do you spend most of your time implementing security
measures?
HOW ARE OTHER COMPANIES HANDLING IT?

11. 11
Barriers
Step 1: Control
Step 2: Sources
Step 3: Hygiene
Step 4: Deploying

12. 12
Step 1: Control = CI/CD Gates
Scan across the lifecycle:

13. 13
Barriers
Step 1: Control
Step 2: Sources
Step 3: Hygiene
Step 4: Deploying

14. 14
Step 2: Source = Knowing and Labeling Trusted
Sources
Use private registries and sign images from public registries

15. 15
Barriers
Step 1: Control
Step 2: Sources
Step 3: Hygiene
Step 4: Deploying

16. 16
Step 3: Hygiene = Don’t Use Defaults
Enable Role-Based Access Control (RBAC) in your container
orchestration

17. 17
Step 3: Hygiene = Don’t Use Defaults
Use Namespaces to establish
Security Boundaries

18. 18
Barriers
Step 1: Control
Step 2: Sources
Step 3: Hygiene
Step 4: Deploying

19. 19
Step 4: Deploying = Prevent and Monitor
Prevent deployment of images with
known vulnerabilities

20. 20
Step 4: Deploying = Prevent and Monitor
Validate image signatures

21. 21
Step 4: Manage Deployments
Monitor for new vulnerabilities
(Bad actors are!)

22. Thank You!
22