SlideShare a Scribd company logo

App sec in the time of docker containers

Akash Mahajan
Akash Mahajan

A look at how application security needs to evolve to keep up with applications that are containerised. Delivered first at c0c0n 2016, the audience got a ready checklist to go with the talk.

Technology
1 of 28
Download to read offline
APP SEC IN THE TIME OF DOCKER CONTAINERS Akash Mahajan - Director Appsecco C0C0N 2016
SOMETHING ABOUT ME ➤ Director of Appsecco ➤ Appsecco is a specialist application security company ➤ Author of ‘Burp Suite Essentials’ ➤ Burp Suite is the most popular software for security testing applications ➤ Community Champion ➤ OWASP Bangalore Chapter Leader ➤ n|u Co-Founder and Community Manager ➤ Co-Trainer of Xtreme Web Hacking Class ➤ Links ➤ @makash | https://linkd.in/webappsecguy | akashm.com
“There is space for only 5 types of security approaches in this world -Said no one ever
HOW WE DO APPSEC CURRENTLY?
AUTOMATED WEB APPLICATION SCANNERS
BUG BOUNTY BEGINNERS - WIN SOME - LOSE SOME
BUG BOUNTY/PENTESTERS & EXPERTS MAKE IT LOOK SIMPLE
SECURITY TESTERS PLOD AWAY USING CHECKLISTS & TOOLS
WHAT IS A DOCKER CONTAINER?
A DOCKER CONTAINER? ➤ A container allows a developer to package up and application and all of its dependent parts in a box ➤ This box is basically an isolated environment and the application has everything it needs to run inside of this environment
CONTAINERS ARE COMING A value of 100 is the peak popularity for a term DOCKER IN GOOGLE TRENDS SINCE JUL 2013-PRESENT
IF THE DRY GRAPH WASN’T ENOUGH TO CONVINCE YOU
“Why has this change to docker become imminent? -Me, when I started noticing how quickly the developer world was moving to docker
REPEAT AFTER ME DEVELOPER PRODUCTIVITY DEVELOPER PRODUCTIVITY DEVELOPER PRODUCTIVITY
“Regardless of how much security folks think their opinion matters, most of the developers don’t give a fish about what we think - Akash Mahajan, learning the truth the hard way
THIS IS WHAT DEVELOPERS WANT - AN IT FREE WORLD Attribution pending. Will update the slides once I know where I nicked this from!
BUT ISN’T THIS JUST LIKE CHROOT?
INSTALLING MUTILLIDAE (PHP+APACHE+MYSQL APP)
“If a developer has to choose between being productive or being secure, more or less she/he will chose being productive - Something I should have said!
WHAT CAN WE DO NOW TO GET ON THE BANDWAGON? ➤ Depends on how you do application security ➤ For testing applications ➤ We usually need the setup running somewhere (testing) ➤ Being able to get the complete setup by just running a simple command, makes all of us “productive” ➤ For secure development ➤ Pre-configured dockerfiles with selective containers which allow for secure configuration by default ➤ For secure operations ➤ Running docker in secured, isolated instances
DOES DOCKER PROVIDE ISOLATION FROM THE HOST? ➤ Yes if you practice defence in depth ➤ Follow the CIS Docker Benchmark to get a checklist of things to do on ➤ Host Configuration (15 list items) ➤ Docker Daemon Configuration (13 list items) ➤ Files, Permissions and configuration files for Docker Daemon (20 list items) ➤ Container Images (5 list items) ➤ Container Runtime (25 list items) ➤ Follow Docker Security Operations Best Practices
DOCKER HOST AND CONTAINER SECURITY GETTING STARTED Start by reading Understanding docker security and best practices https://blog.docker.com/2015/05/understanding-docker-security-and- best-practices/ Use the Docker Bench Security script to automatically check best practices as outlined by the CIS Docker Benchmark version 1.11 https:// github.com/docker/docker-bench-security Play this awesome game to break out of docker containers in your browser https://contained.af/ Read the full CIS Docker 1.11.0 Benchmark report https:// benchmarks.cisecurity.org/tools2/docker/ CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf Definitely read if you plan to run docker in prod or are guiding someone who does http://container-solutions.com/is-docker-safe-for-production/
NEW TOOLS, APPROACHES AND OPPORTUNITIES The configuration for docker containers will need to be tested in a continuous manner Auditing of existing deployments against security benchmarks like the CIS Docker Benchmark Following agile practices, dockers build built using CI/CD tools like Jenkins based on pre-commit and post-commit hooks Bring in your SAST, DAST, *ST analysis at any point in this pipeline Setting up and managing private registries Also setting up private repositories for nom etc.
TO START WITH, THIS IS WHAT YOU SHOULD DO Test the application as you normally would If you find appsec issues report these Do white box assessment with the docker security checklists You already have a roadmap as mentioned in slide 21 & 22 Keep track of any privilege escalation bugs in docker daemon or the underlying hypervisor/VM tech you are using Understand what is the software supply chain for the application & pick secure alternatives for orchestration itself Application containers make it simple for everyone so use them for training, best practices etc.
DOCKER FAILS Couple of #devoops moments
TWITTER’S VINE SOURCE CODE DUMP BY @AVICODER ➤ @avicoder a bug bounty hunter, he spoke about this bug at a null/ OWASP/G4H Bangalore meet in June 2016 ➤ He found an interesting sub domain for Vine ( A twitter video app) ➤ He had stumbled upon a private docker registry being used ➤ He realised that the version being used didn’t use any authentication and by querying the API he determined the docker files being hosted ➤ He did a docker pull of an image that contained the source code for the Vine App and got $$$$$ bounty ➤ https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/
DOCKER IMAGE INSECURITY ➤ This has been fixed now! Especially from docker version 1.10 ➤ Earlier if an image had been compressed with xz (in C so not safety for memory) ➤ Docker Daemon would exec the xz binary as root user ➤ If there was a single vulnerability in xz, a docker pull could result in complete compromise ➤ Read more about the vulnerability https://titanous.com/ posts/docker-insecurity ➤ Read more about how this was fixed https://titanous.com/ posts/docker-insecurity
QUESTIONS @makash | https://linkd.in/webappsecguy | akashm.com

Recommended

Embacing service-level-objectives of your microservices in your Cl/CD
Embacing service-level-objectives of your microservices in your Cl/CDEmbacing service-level-objectives of your microservices in your Cl/CD
Embacing service-level-objectives of your microservices in your Cl/CDNebulaworks
 
Successfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudSuccessfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudAmazon Web Services
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Richard Bullington-McGuire
 
What it feels like to live in a Security Enabled DevOps World
What it feels like to live in a Security Enabled DevOps WorldWhat it feels like to live in a Security Enabled DevOps World
What it feels like to live in a Security Enabled DevOps WorldKarun Chennuri
 
Hybrid Cloud Networking
Hybrid Cloud NetworkingHybrid Cloud Networking
Hybrid Cloud NetworkingSVForum Cloud SIG
 
Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Eric Smalling
 
Red Hat multi-cluster management & what's new in OpenShift
Red Hat multi-cluster management & what's new in OpenShiftRed Hat multi-cluster management & what's new in OpenShift
Red Hat multi-cluster management & what's new in OpenShiftKangaroot
 
Policy as code what helm developers need to know about security
Policy as code what helm developers need to know about securityPolicy as code what helm developers need to know about security
Policy as code what helm developers need to know about securityLibbySchulze
 

Recommended

Embacing service-level-objectives of your microservices in your Cl/CD
Embacing service-level-objectives of your microservices in your Cl/CDEmbacing service-level-objectives of your microservices in your Cl/CD
Embacing service-level-objectives of your microservices in your Cl/CDNebulaworks
 
Successfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudSuccessfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudAmazon Web Services
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Richard Bullington-McGuire
 
What it feels like to live in a Security Enabled DevOps World
What it feels like to live in a Security Enabled DevOps WorldWhat it feels like to live in a Security Enabled DevOps World
What it feels like to live in a Security Enabled DevOps WorldKarun Chennuri
 
Hybrid Cloud Networking
Hybrid Cloud NetworkingHybrid Cloud Networking
Hybrid Cloud NetworkingSVForum Cloud SIG
 
Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Eric Smalling
 
Red Hat multi-cluster management & what's new in OpenShift
Red Hat multi-cluster management & what's new in OpenShiftRed Hat multi-cluster management & what's new in OpenShift
Red Hat multi-cluster management & what's new in OpenShiftKangaroot
 
Policy as code what helm developers need to know about security
Policy as code what helm developers need to know about securityPolicy as code what helm developers need to know about security
Policy as code what helm developers need to know about securityLibbySchulze
 
Rugged DevOps: Bridging Security and DevOps
Rugged DevOps: Bridging Security and DevOpsRugged DevOps: Bridging Security and DevOps
Rugged DevOps: Bridging Security and DevOpsJames Wickett
 
Building security into the pipelines
Building security into the pipelinesBuilding security into the pipelines
Building security into the pipelinesVandana Verma
 
Redefining cloud native debugging
Redefining cloud native debugging Redefining cloud native debugging
Redefining cloud native debugging LibbySchulze
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
Don’t have a Meltdown! Practical Steps for Defending Your Apps
Don’t have a Meltdown! Practical Steps for Defending Your AppsDon’t have a Meltdown! Practical Steps for Defending Your Apps
Don’t have a Meltdown! Practical Steps for Defending Your AppsDocker, Inc.
 
DevOps Spain 2019. Beatriz Martínez-IBM
DevOps Spain 2019. Beatriz Martínez-IBMDevOps Spain 2019. Beatriz Martínez-IBM
DevOps Spain 2019. Beatriz Martínez-IBMatSistemas
 
Secure your applications with Azure AD and Key Vault
Secure your applications with Azure AD and Key VaultSecure your applications with Azure AD and Key Vault
Secure your applications with Azure AD and Key VaultDavide Benvegnù
 
Practical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesPractical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesLacework
 
Thinking about Jenkins Security
Thinking about Jenkins SecurityThinking about Jenkins Security
Thinking about Jenkins SecurityMark Waite
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native SecurityKarthik Gaekwad
 
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, GcpPriyanka Aash
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool sangam biradar
 
Webinar: Introduction to CloudBees Jenkins Platform
Webinar: Introduction to CloudBees Jenkins PlatformWebinar: Introduction to CloudBees Jenkins Platform
Webinar: Introduction to CloudBees Jenkins PlatformKiratech
 
Introduction to the DevNet Sandbox and IVT
Introduction to the DevNet Sandbox and IVTIntroduction to the DevNet Sandbox and IVT
Introduction to the DevNet Sandbox and IVTCisco DevNet
 
Networking in Docker EE 2.0 with Kubernetes and Swarm
Networking in Docker EE 2.0 with Kubernetes and SwarmNetworking in Docker EE 2.0 with Kubernetes and Swarm
Networking in Docker EE 2.0 with Kubernetes and SwarmAbhinandan P.b
 
DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...
DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...
DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...Docker, Inc.
 
Shifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environmentsShifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environmentsLibbySchulze
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendEric Smalling
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
Secure your Application with Google cloud armor
Secure your Application with Google cloud armorSecure your Application with Google cloud armor
Secure your Application with Google cloud armorDevOps Indonesia
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
Security Issues in Cloud Computing
Security Issues in Cloud ComputingSecurity Issues in Cloud Computing
Security Issues in Cloud ComputingJyotika Pandey
 

More Related Content

What's hot

Rugged DevOps: Bridging Security and DevOps
Rugged DevOps: Bridging Security and DevOpsRugged DevOps: Bridging Security and DevOps
Rugged DevOps: Bridging Security and DevOpsJames Wickett
 
Building security into the pipelines
Building security into the pipelinesBuilding security into the pipelines
Building security into the pipelinesVandana Verma
 
Redefining cloud native debugging
Redefining cloud native debugging Redefining cloud native debugging
Redefining cloud native debugging LibbySchulze
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
Don’t have a Meltdown! Practical Steps for Defending Your Apps
Don’t have a Meltdown! Practical Steps for Defending Your AppsDon’t have a Meltdown! Practical Steps for Defending Your Apps
Don’t have a Meltdown! Practical Steps for Defending Your AppsDocker, Inc.
 
DevOps Spain 2019. Beatriz Martínez-IBM
DevOps Spain 2019. Beatriz Martínez-IBMDevOps Spain 2019. Beatriz Martínez-IBM
DevOps Spain 2019. Beatriz Martínez-IBMatSistemas
 
Secure your applications with Azure AD and Key Vault
Secure your applications with Azure AD and Key VaultSecure your applications with Azure AD and Key Vault
Secure your applications with Azure AD and Key VaultDavide Benvegnù
 
Practical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesPractical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesLacework
 
Thinking about Jenkins Security
Thinking about Jenkins SecurityThinking about Jenkins Security
Thinking about Jenkins SecurityMark Waite
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native SecurityKarthik Gaekwad
 
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, GcpPriyanka Aash
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool sangam biradar
 
Webinar: Introduction to CloudBees Jenkins Platform
Webinar: Introduction to CloudBees Jenkins PlatformWebinar: Introduction to CloudBees Jenkins Platform
Webinar: Introduction to CloudBees Jenkins PlatformKiratech
 
Introduction to the DevNet Sandbox and IVT
Introduction to the DevNet Sandbox and IVTIntroduction to the DevNet Sandbox and IVT
Introduction to the DevNet Sandbox and IVTCisco DevNet
 
Networking in Docker EE 2.0 with Kubernetes and Swarm
Networking in Docker EE 2.0 with Kubernetes and SwarmNetworking in Docker EE 2.0 with Kubernetes and Swarm
Networking in Docker EE 2.0 with Kubernetes and SwarmAbhinandan P.b
 
DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...
DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...
DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...Docker, Inc.
 
Shifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environmentsShifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environmentsLibbySchulze
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendEric Smalling
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
Secure your Application with Google cloud armor
Secure your Application with Google cloud armorSecure your Application with Google cloud armor
Secure your Application with Google cloud armorDevOps Indonesia
 

What's hot (20)

Rugged DevOps: Bridging Security and DevOps
Rugged DevOps: Bridging Security and DevOpsRugged DevOps: Bridging Security and DevOps
Rugged DevOps: Bridging Security and DevOps
 
Building security into the pipelines
Building security into the pipelinesBuilding security into the pipelines
Building security into the pipelines
 
Redefining cloud native debugging
Redefining cloud native debugging Redefining cloud native debugging
Redefining cloud native debugging
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
Don’t have a Meltdown! Practical Steps for Defending Your Apps
Don’t have a Meltdown! Practical Steps for Defending Your AppsDon’t have a Meltdown! Practical Steps for Defending Your Apps
Don’t have a Meltdown! Practical Steps for Defending Your Apps
 
DevOps Spain 2019. Beatriz Martínez-IBM
DevOps Spain 2019. Beatriz Martínez-IBMDevOps Spain 2019. Beatriz Martínez-IBM
DevOps Spain 2019. Beatriz Martínez-IBM
 
Secure your applications with Azure AD and Key Vault
Secure your applications with Azure AD and Key VaultSecure your applications with Azure AD and Key Vault
Secure your applications with Azure AD and Key Vault
 
Practical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesPractical Guide to Securing Kubernetes
Practical Guide to Securing Kubernetes
 
Thinking about Jenkins Security
Thinking about Jenkins SecurityThinking about Jenkins Security
Thinking about Jenkins Security
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native Security
 
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool
 
Webinar: Introduction to CloudBees Jenkins Platform
Webinar: Introduction to CloudBees Jenkins PlatformWebinar: Introduction to CloudBees Jenkins Platform
Webinar: Introduction to CloudBees Jenkins Platform
 
Introduction to the DevNet Sandbox and IVT
Introduction to the DevNet Sandbox and IVTIntroduction to the DevNet Sandbox and IVT
Introduction to the DevNet Sandbox and IVT
 
Networking in Docker EE 2.0 with Kubernetes and Swarm
Networking in Docker EE 2.0 with Kubernetes and SwarmNetworking in Docker EE 2.0 with Kubernetes and Swarm
Networking in Docker EE 2.0 with Kubernetes and Swarm
 
DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...
DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...
DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...
 
Shifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environmentsShifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environments
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friend
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security Strategy
 
Secure your Application with Google cloud armor
Secure your Application with Google cloud armorSecure your Application with Google cloud armor
Secure your Application with Google cloud armor
 

Viewers also liked

Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
Security Issues in Cloud Computing
Security Issues in Cloud ComputingSecurity Issues in Cloud Computing
Security Issues in Cloud ComputingJyotika Pandey
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challengesDheeraj Negi
 
Hybrid Cloud Computing - Seccurity Aspects and Challanges
Hybrid Cloud Computing - Seccurity Aspects and ChallangesHybrid Cloud Computing - Seccurity Aspects and Challanges
Hybrid Cloud Computing - Seccurity Aspects and ChallangesRoman Nedzelsky
 
Cloud Security Issues 1.04.10
Cloud Security Issues 1.04.10Cloud Security Issues 1.04.10
Cloud Security Issues 1.04.10Rugby7277
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav
 
DataSploit - Tool Demo at Null Bangalore - March Meet.
DataSploit - Tool Demo at Null Bangalore - March Meet. DataSploit - Tool Demo at Null Bangalore - March Meet.
DataSploit - Tool Demo at Null Bangalore - March Meet. Shubham Mittal
 
AWS Survival Guide
AWS Survival GuideAWS Survival Guide
AWS Survival GuideKen Johnson
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon
 
Antifragile, Microservices and DevOps - A Study
Antifragile, Microservices and DevOps - A StudyAntifragile, Microservices and DevOps - A Study
Antifragile, Microservices and DevOps - A StudyWilliam Yang
 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud ComputingFalgun Rathod
 
Cloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingCloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingJim Geovedi
 
Security as Code owasp
Security as Code owaspSecurity as Code owasp
Security as Code owaspShannon Lietz
 
Cloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSACloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSAShannon Lietz
 
Finding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldShannon Lietz
 

Viewers also liked (20)

Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
Security Issues in Cloud Computing
Security Issues in Cloud ComputingSecurity Issues in Cloud Computing
Security Issues in Cloud Computing
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
 
Hybrid Cloud Computing - Seccurity Aspects and Challanges
Hybrid Cloud Computing - Seccurity Aspects and ChallangesHybrid Cloud Computing - Seccurity Aspects and Challanges
Hybrid Cloud Computing - Seccurity Aspects and Challanges
 
Startups Security
Startups SecurityStartups Security
Startups Security
 
What is cloud ?
What is cloud ?What is cloud ?
What is cloud ?
 
Cloud Security Issues 1.04.10
Cloud Security Issues 1.04.10Cloud Security Issues 1.04.10
Cloud Security Issues 1.04.10
 
Hack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydHack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhyd
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
 
DataSploit - Tool Demo at Null Bangalore - March Meet.
DataSploit - Tool Demo at Null Bangalore - March Meet. DataSploit - Tool Demo at Null Bangalore - March Meet.
DataSploit - Tool Demo at Null Bangalore - March Meet.
 
AWS Survival Guide
AWS Survival GuideAWS Survival Guide
AWS Survival Guide
 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite Starter
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
 
Antifragile, Microservices and DevOps - A Study
Antifragile, Microservices and DevOps - A StudyAntifragile, Microservices and DevOps - A Study
Antifragile, Microservices and DevOps - A Study
 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud Computing
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
Cloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingCloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud Computing
 
Security as Code owasp
Security as Code owaspSecurity as Code owasp
Security as Code owasp
 
Cloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSACloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSA
 
Finding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps World
 

Similar to App sec in the time of docker containers

DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline Docker, Inc.
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using AnsibleSonatype
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?AFUP_Limoges
 
Better Operations into the Cloud
Better Operations into the CloudBetter Operations into the Cloud
Better Operations into the CloudFabio Ferrari
 
What is Docker | Docker Tutorial for Beginners | Docker Container | DevOps To...
What is Docker | Docker Tutorial for Beginners | Docker Container | DevOps To...What is Docker | Docker Tutorial for Beginners | Docker Container | DevOps To...
What is Docker | Docker Tutorial for Beginners | Docker Container | DevOps To...Edureka!
 
Testing as a container
Testing as a containerTesting as a container
Testing as a containerIrfan Ahmad
 
Tecnologias Oracle em Docker Containers On-premise e na Nuvem
Tecnologias Oracle em Docker Containers On-premise e na NuvemTecnologias Oracle em Docker Containers On-premise e na Nuvem
Tecnologias Oracle em Docker Containers On-premise e na NuvemBruno Borges
 
Getting started with docker
Getting started with dockerGetting started with docker
Getting started with dockerSaim Safder
 
Deliver Python Apps with Docker
Deliver Python Apps with DockerDeliver Python Apps with Docker
Deliver Python Apps with DockerAnton Egorov
 
Locally it worked! virtualizing docker
Locally it worked! virtualizing dockerLocally it worked! virtualizing docker
Locally it worked! virtualizing dockerSascha Brinkmann
 
JavaScript All The Things
JavaScript All The ThingsJavaScript All The Things
JavaScript All The ThingsJordan Yaker
 
Tips and best practices for Docker
Tips and best practices for DockerTips and best practices for Docker
Tips and best practices for DockerCalidad Infotech
 
Containers: DevOp Enablers of Technical Solutions
Containers: DevOp Enablers of Technical SolutionsContainers: DevOp Enablers of Technical Solutions
Containers: DevOp Enablers of Technical SolutionsJules Pierre-Louis
 
No more Dockerfiles? Buildpacks to help you ship your image!
No more Dockerfiles? Buildpacks to help you ship your image!No more Dockerfiles? Buildpacks to help you ship your image!
No more Dockerfiles? Buildpacks to help you ship your image!Anthony Dahanne
 
Operating Docker
Operating DockerOperating Docker
Operating DockerJen Andre
 
Enabling Hybrid Workflows with Docker/Mesos @Orbitz
Enabling Hybrid Workflows with Docker/Mesos @OrbitzEnabling Hybrid Workflows with Docker/Mesos @Orbitz
Enabling Hybrid Workflows with Docker/Mesos @OrbitzSteve Hoffman
 
Docker Deep Dive Understanding Docker Engine Docker for DevOps
Docker Deep Dive Understanding Docker Engine Docker for DevOpsDocker Deep Dive Understanding Docker Engine Docker for DevOps
Docker Deep Dive Understanding Docker Engine Docker for DevOpsMehwishHayat3
 

Similar to App sec in the time of docker containers (20)

DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?
 
Docker best Practices
Docker best PracticesDocker best Practices
Docker best Practices
 
Better Operations into the Cloud
Better Operations into the CloudBetter Operations into the Cloud
Better Operations into the Cloud
 
What is Docker | Docker Tutorial for Beginners | Docker Container | DevOps To...
What is Docker | Docker Tutorial for Beginners | Docker Container | DevOps To...What is Docker | Docker Tutorial for Beginners | Docker Container | DevOps To...
What is Docker | Docker Tutorial for Beginners | Docker Container | DevOps To...
 
Testing as a container
Testing as a containerTesting as a container
Testing as a container
 
Tecnologias Oracle em Docker Containers On-premise e na Nuvem
Tecnologias Oracle em Docker Containers On-premise e na NuvemTecnologias Oracle em Docker Containers On-premise e na Nuvem
Tecnologias Oracle em Docker Containers On-premise e na Nuvem
 
Getting started with docker
Getting started with dockerGetting started with docker
Getting started with docker
 
Deliver Python Apps with Docker
Deliver Python Apps with DockerDeliver Python Apps with Docker
Deliver Python Apps with Docker
 
What is this "docker"
What is this "docker" What is this "docker"
What is this "docker"
 
Locally it worked! virtualizing docker
Locally it worked! virtualizing dockerLocally it worked! virtualizing docker
Locally it worked! virtualizing docker
 
JavaScript All The Things
JavaScript All The ThingsJavaScript All The Things
JavaScript All The Things
 
Tips and best practices for Docker
Tips and best practices for DockerTips and best practices for Docker
Tips and best practices for Docker
 
Containers: DevOp Enablers of Technical Solutions
Containers: DevOp Enablers of Technical SolutionsContainers: DevOp Enablers of Technical Solutions
Containers: DevOp Enablers of Technical Solutions
 
No more Dockerfiles? Buildpacks to help you ship your image!
No more Dockerfiles? Buildpacks to help you ship your image!No more Dockerfiles? Buildpacks to help you ship your image!
No more Dockerfiles? Buildpacks to help you ship your image!
 
Operating Docker
Operating DockerOperating Docker
Operating Docker
 
Enabling Hybrid Workflows with Docker/Mesos @Orbitz
Enabling Hybrid Workflows with Docker/Mesos @OrbitzEnabling Hybrid Workflows with Docker/Mesos @Orbitz
Enabling Hybrid Workflows with Docker/Mesos @Orbitz
 
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 PrimerAppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
 
Docker Deep Dive Understanding Docker Engine Docker for DevOps
Docker Deep Dive Understanding Docker Engine Docker for DevOpsDocker Deep Dive Understanding Docker Engine Docker for DevOps
Docker Deep Dive Understanding Docker Engine Docker for DevOps
 

More from Akash Mahajan

On Writing Well - A talk given at WinjaBlogs Session
On Writing Well - A talk given at WinjaBlogs SessionOn Writing Well - A talk given at WinjaBlogs Session
On Writing Well - A talk given at WinjaBlogs SessionAkash Mahajan
 
Venom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoVenom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoAkash Mahajan
 
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereINCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereAkash Mahajan
 
The real incident of stealing a droid app+data
The real incident of stealing a droid app+dataThe real incident of stealing a droid app+data
The real incident of stealing a droid app+dataAkash Mahajan
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL AttacksAkash Mahajan
 
I haz your mouse clicks and key strokes
I haz your mouse clicks and key strokesI haz your mouse clicks and key strokes
I haz your mouse clicks and key strokesAkash Mahajan
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingAkash Mahajan
 
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanSecure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanAkash Mahajan
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practiceAkash Mahajan
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
Web application security
Web application securityWeb application security
Web application securityAkash Mahajan
 
Web application security
Web application securityWeb application security
Web application securityAkash Mahajan
 
Web application security
Web application securityWeb application security
Web application securityAkash Mahajan
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 

More from Akash Mahajan (15)

On Writing Well - A talk given at WinjaBlogs Session
On Writing Well - A talk given at WinjaBlogs SessionOn Writing Well - A talk given at WinjaBlogs Session
On Writing Well - A talk given at WinjaBlogs Session
 
Venom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoVenom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demo
 
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereINCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
 
The real incident of stealing a droid app+data
The real incident of stealing a droid app+dataThe real incident of stealing a droid app+data
The real incident of stealing a droid app+data
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL Attacks
 
I haz your mouse clicks and key strokes
I haz your mouse clicks and key strokesI haz your mouse clicks and key strokes
I haz your mouse clicks and key strokes
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
 
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanSecure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash Mahajan
 
Php security
Php securityPhp security
Php security
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practice
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
 
Web application security
Web application securityWeb application security
Web application security
 
Web application security
Web application securityWeb application security
Web application security
 
Web application security
Web application securityWeb application security
Web application security
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In Php
 

Recently uploaded

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

App sec in the time of docker containers

  • 1. APP SEC IN THE TIME OF DOCKER CONTAINERS Akash Mahajan - Director Appsecco C0C0N 2016
  • 2. SOMETHING ABOUT ME ➤ Director of Appsecco ➤ Appsecco is a specialist application security company ➤ Author of ‘Burp Suite Essentials’ ➤ Burp Suite is the most popular software for security testing applications ➤ Community Champion ➤ OWASP Bangalore Chapter Leader ➤ n|u Co-Founder and Community Manager ➤ Co-Trainer of Xtreme Web Hacking Class ➤ Links ➤ @makash | https://linkd.in/webappsecguy | akashm.com
  • 3. “There is space for only 5 types of security approaches in this world -Said no one ever
  • 4. HOW WE DO APPSEC CURRENTLY?
  • 6. BUG BOUNTY BEGINNERS - WIN SOME - LOSE SOME
  • 7. BUG BOUNTY/PENTESTERS & EXPERTS MAKE IT LOOK SIMPLE
  • 8. SECURITY TESTERS PLOD AWAY USING CHECKLISTS & TOOLS
  • 9. WHAT IS A DOCKER CONTAINER?
  • 10. A DOCKER CONTAINER? ➤ A container allows a developer to package up and application and all of its dependent parts in a box ➤ This box is basically an isolated environment and the application has everything it needs to run inside of this environment
  • 11. CONTAINERS ARE COMING A value of 100 is the peak popularity for a term DOCKER IN GOOGLE TRENDS SINCE JUL 2013-PRESENT
  • 12. IF THE DRY GRAPH WASN’T ENOUGH TO CONVINCE YOU
  • 13. “Why has this change to docker become imminent? -Me, when I started noticing how quickly the developer world was moving to docker
  • 14. REPEAT AFTER ME DEVELOPER PRODUCTIVITY DEVELOPER PRODUCTIVITY DEVELOPER PRODUCTIVITY
  • 15. “Regardless of how much security folks think their opinion matters, most of the developers don’t give a fish about what we think - Akash Mahajan, learning the truth the hard way
  • 16. THIS IS WHAT DEVELOPERS WANT - AN IT FREE WORLD Attribution pending. Will update the slides once I know where I nicked this from!
  • 17. BUT ISN’T THIS JUST LIKE CHROOT?
  • 19. “If a developer has to choose between being productive or being secure, more or less she/he will chose being productive - Something I should have said!
  • 20. WHAT CAN WE DO NOW TO GET ON THE BANDWAGON? ➤ Depends on how you do application security ➤ For testing applications ➤ We usually need the setup running somewhere (testing) ➤ Being able to get the complete setup by just running a simple command, makes all of us “productive” ➤ For secure development ➤ Pre-configured dockerfiles with selective containers which allow for secure configuration by default ➤ For secure operations ➤ Running docker in secured, isolated instances
  • 21. DOES DOCKER PROVIDE ISOLATION FROM THE HOST? ➤ Yes if you practice defence in depth ➤ Follow the CIS Docker Benchmark to get a checklist of things to do on ➤ Host Configuration (15 list items) ➤ Docker Daemon Configuration (13 list items) ➤ Files, Permissions and configuration files for Docker Daemon (20 list items) ➤ Container Images (5 list items) ➤ Container Runtime (25 list items) ➤ Follow Docker Security Operations Best Practices
  • 22. DOCKER HOST AND CONTAINER SECURITY GETTING STARTED Start by reading Understanding docker security and best practices https://blog.docker.com/2015/05/understanding-docker-security-and- best-practices/ Use the Docker Bench Security script to automatically check best practices as outlined by the CIS Docker Benchmark version 1.11 https:// github.com/docker/docker-bench-security Play this awesome game to break out of docker containers in your browser https://contained.af/ Read the full CIS Docker 1.11.0 Benchmark report https:// benchmarks.cisecurity.org/tools2/docker/ CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf Definitely read if you plan to run docker in prod or are guiding someone who does http://container-solutions.com/is-docker-safe-for-production/
  • 23. NEW TOOLS, APPROACHES AND OPPORTUNITIES The configuration for docker containers will need to be tested in a continuous manner Auditing of existing deployments against security benchmarks like the CIS Docker Benchmark Following agile practices, dockers build built using CI/CD tools like Jenkins based on pre-commit and post-commit hooks Bring in your SAST, DAST, *ST analysis at any point in this pipeline Setting up and managing private registries Also setting up private repositories for nom etc.
  • 24. TO START WITH, THIS IS WHAT YOU SHOULD DO Test the application as you normally would If you find appsec issues report these Do white box assessment with the docker security checklists You already have a roadmap as mentioned in slide 21 & 22 Keep track of any privilege escalation bugs in docker daemon or the underlying hypervisor/VM tech you are using Understand what is the software supply chain for the application & pick secure alternatives for orchestration itself Application containers make it simple for everyone so use them for training, best practices etc.
  • 25. DOCKER FAILS Couple of #devoops moments
  • 26. TWITTER’S VINE SOURCE CODE DUMP BY @AVICODER ➤ @avicoder a bug bounty hunter, he spoke about this bug at a null/ OWASP/G4H Bangalore meet in June 2016 ➤ He found an interesting sub domain for Vine ( A twitter video app) ➤ He had stumbled upon a private docker registry being used ➤ He realised that the version being used didn’t use any authentication and by querying the API he determined the docker files being hosted ➤ He did a docker pull of an image that contained the source code for the Vine App and got $$$$$ bounty ➤ https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/
  • 27. DOCKER IMAGE INSECURITY ➤ This has been fixed now! Especially from docker version 1.10 ➤ Earlier if an image had been compressed with xz (in C so not safety for memory) ➤ Docker Daemon would exec the xz binary as root user ➤ If there was a single vulnerability in xz, a docker pull could result in complete compromise ➤ Read more about the vulnerability https://titanous.com/ posts/docker-insecurity ➤ Read more about how this was fixed https://titanous.com/ posts/docker-insecurity