Securing Docker Containers

•

3 j'aime•5,946 vues

Docker is revolutionizing the way organizations build and deploy applications. But while containers make it easier to development teams to package applications with all their dependencies, they make it harder for operations teams to control what software is deployed into production. In this session you will see how Black Duck Hub helps development and operations teams maintain complete visibility and control of the open source in their containers.

Technologie

Securing Docker
Containers
Randy Kilmon
VP Engineering
Black Duck Software

How Pervasive is Open Source?
• > 98% of the applications
tested used open source
• On average, open source
comprised over 30% of the
code base
Open
Source
Custom
Code
Composition of software tested across
1400 Black Duck customers
Reference:Black Duck Softwareaudits

Building Trust & Confidence is Critical to Adoption of Docker
Security is ranked as the #1 adoption challenge for containers
• 60% of customers are concerned about container security and lack of
certification/image provenance
• 40% of available container images in contain High Priority Vulnerabilities
• 4,000 new vulnerabilities in open source reported annually, e.g., Heartbleed,
Shellshock, Venom, Ghost
3Black Duck Customer Conference

Docker Infrastructure
Docker Daemon / Docker Socket
• Docker itself must run as root on the host system
• attacks targeting the host system coming in through Docker would
have root privs
• Many Docker containers run with the –privileged flag set which extends
privileges of the container allowing it to access all devices on the host
system (BAD Idea).
5Black Duck Customer Conference

Responses
Linux adaptations to counter the threat
• Red Hat Atomic Host
• SE linux (multi-tenancy)
• “Locked down” system (read-only /usr)
• Intended to change configurations only in /var & /etc
• No yum package manager
• VMware Photon and Lightwave
• Photon is an optimized and secured Linux host designed for running
containers at scale
• Lightwave used for managing authorization and identity management
6Black Duck Customer Conference

Container Contents
Containers can be vulnerable by virtue of the code that runs inside
them
• OSS components running inside containers represent potential attack
vectors in the same way they can in traditional deployment models
• Could cause problems for the application itself
• Could cause more problems if the container is running with the –
privileged flag set
• Different OS flavors and versions, as well as different module versions
• Based on any one of many Linux distributions
• Patches must be managed carefully
• Security, but also compatibility & supportability
7Black Duck Customer Conference

Responses
Manage and monitor container content carefully
• Dockerfile analysis is insufficient
• .tar, .zip files could have anything inside them
• Other layers are just referenced from other registries
• Asking the package manager is insufficient
• Not all modules are under package manager’s purview
• Application layer code (.jar’s, e.g.) is never managed in this way
• File inspection (scanning) is the only way to be sure about what’s there!!
8Black Duck Customer Conference

Microservices
The more containers you spin up, the larger attack surface you expose
• Speed is critical
• Speed to detection of problems
• Speed to remediation
9Black Duck Customer Conference

The Black Duck Solution
Black Duck key differentiators
• Platform-agnostic support in Hub for analyzing all content (whether
inside containers or not)
• Signature-based file identification
• Automated identification
• Able to show in which layer the component was introduced
• Vulnerability reporting over time / alerting
10Black Duck Customer Conference

Key Integration Points
Many options for workflow
• Scan on any Docker host by accessing images through the Docker
daemon
• Scan on RH Atomic Host with file system level integration
• Scan directly against a Docker registry
• CI tools: Jenkins, Bamboo, etc.
• OpenShift (currently in development)*
11Black Duck Customer Conference

Q&A
13Black Duck Customer Conference
Let’s talk about how you are using or plan to use Docker in your
organizations

Contenu connexe

Tendances

Integrating Black Duck into your Agile DevOps Environment

Black Duck by Synopsys

Making the Transition from Suite to the Hub

Black Duck by Synopsys

The 4 Levels of Open Source Risk Management

Black Duck by Synopsys

Practical Steps to Scale Legal Support for Open Source

Black Duck by Synopsys

Proactive sell side due diligence to identify, inventory, assess, and, when necessary, remediate open source risks helps ensure the target company receives the best value for its products in an M&A event (and avoid lawsuits). Discovering these problems late in the game can dramatically affect the final purchase price, trigger the need for additional/longer/enhanced escrows, delay closing or even cause an acquisition to be called off altogether.

Don't Let Open Source be the Deal Breaker In Your M&A

Black Duck by Synopsys

Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015

Black Duck by Synopsys

Flight East 2018 Presentation–Continuous Integration––An Overview

Synopsys Software Integrity Group

BlackDuck Suite

jeff cheng

Flight East 2018 Presentation–Black Duck at Docusign

Synopsys Software Integrity Group

As presented at OpenShift Commons Sept 8, 2016. Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to application issues attackers choose to exploit, it’s critical to have visibility into both what is in your container library, but also what the current state of vulnerability activity might be. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform. In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.

The How and Why of Container Vulnerability Management

Tim Mackey

Hp fortify source code analyzer(sca)

Nagaraju Repala

Thick client application security assessment

Sanjay Kumar (Seeking options outside India)

As delivered at LinuxCon and ContainerCon in Berlin 2016. Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: • How known vulnerabilities can make their way into production deployments • How deployment of vulnerable code can be minimized • How to determine the vulnerability status of a container • How to determine the risk associated with a specific package

Secure Application Development in the Age of Continuous Delivery

Tim Mackey

Open Source KMIP Implementation

sedukull

Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...

Synopsys Software Integrity Group

Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated. This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks. See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.

The Future of Security and Productivity in Our Newly Remote World

DevOps.com

Containers for Lawyers Richard Fontana

Black Duck by Synopsys

Open source code is everywhere, helping developers deliver code quickly and efficiently. But, if those open source components are insecure, the result can be a catastrophic data breach. To prevent this from happening, companies are turning to Software Composition Analysis (SCA) solutions to identify vulnerabilities in the open source libraries they’re using. Join Veracode to learn how your development teams can easily identify open source libraries in use, their vulnerabilities, licenses, and risks to their applications – helping you protect both your applications and customer data. Want to learn more about the latest solutions?

Donu’t Let Vulnerabilities Create a Hole in Your Organization

DevOps.com

App Security? There’s a metric for that! (Part 1 of 2) Over the past year, NetSPI has been working on a new approach to manage and measure application security. By combining OWASP’s Software Assurance Maturity Model, traditional risk assessment methodologies, and experience developing security metrics, NetSPI developed a methodology that may be used to help organizations improve the way they manage and prioritize their application security initiatives. Once fully developed, this approach will be donated to OWASP either as an add-on to the existing SAMM project or as a new project intended to improve application security management. In this presentation, NetSPI provides a detailed walk-through of the overall methodology as well as OWASP’s SAMM project. We provide examples of the types of metrics and executive dashboards that can be generated by using this approach to managing application security and help highlight various ways this information can be used to further improve the overall maturity of application security programs. Be sure to check out Part 2 of this presentation for a more "Hands On" approach. http://www.slideshare.net/NetSPI/application-risk-prioritizationhandsonsecure360part2of2

Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2

NetSPI

AWS Community Day - Vitaliy Shtym - Pragmatic Container Security

AWS Chicago

Tendances (20)

Integrating Black Duck into your Agile DevOps Environment

Making the Transition from Suite to the Hub

The 4 Levels of Open Source Risk Management

Practical Steps to Scale Legal Support for Open Source

Don't Let Open Source be the Deal Breaker In Your M&A

Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015

Flight East 2018 Presentation–Continuous Integration––An Overview

BlackDuck Suite

Flight East 2018 Presentation–Black Duck at Docusign

The How and Why of Container Vulnerability Management

Hp fortify source code analyzer(sca)

Thick client application security assessment

Secure Application Development in the Age of Continuous Delivery

Open Source KMIP Implementation

Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...

The Future of Security and Productivity in Our Newly Remote World

Containers for Lawyers Richard Fontana

Donu’t Let Vulnerabilities Create a Hole in Your Organization

Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2

AWS Community Day - Vitaliy Shtym - Pragmatic Container Security

Similaire à Securing Docker Containers

Talk given by Cem Gürkök, Lead InfoSec Engineer at Salesforce, at DockerCon 16 in June 2016 Customer trust and security is paramount for Salesforce. While containerization is great for DevOps due to flexibility, speed, isolation, transient existence, ease of management and patching, it becomes a challenging environment when the sensitivity level of the data traversing the environment increases. Monitoring systems, applications and network; performing disk, memory and network forensics in case of an incident; and vulnerability detection can easily become daunting tasks in such a volatile environment. In this presentation we would like to discuss the infrastructure we have built to address these issues and to secure our Docker container platform while we rapidly containerize Salesforce. Our solutions focus on securing the container pipeline, building security into the architecture, monitoring, Docker forensics (disk, memory, network), and automation. We also would like to demonstrate some of our live memory analysis capabilities we leverage to assure container and application integrity during execution.

Securing the Container Pipeline

Salesforce Engineering

Presented by Tim Mackey, Senior Technology Evangelist, Black Duck Software on August 17. To use containers safely, you need to be aware of potential security issues and the tools you need for securing container-based systems. Secure production use of containers requires an understanding of how attackers might seek to compromise the container, and what you should be aware of to minimize that potential risk. Tim Mackey, Senior Technical Evangelist at Black Duck Software, provides guidance for developing container security policies and procedures around threats such as: 1. Network security 2. Access control 3. Tamper management and trust 4. Denial of service and SLAs 5. Vulnerabilities Register today to learn about the biggest security challenges you face when deploying containers, and how you can effectively deal with those threats. Watch the webinar on BrightTalk: http://bit.ly/2bpdswg

5 Ways to Secure Your Containers for Docker and Beyond

Black Duck by Synopsys

Containers and Security for DevOps

Salesforce Engineering

Understanding container security

John Kinsella

Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Containers allow a developer to package up an application with all of the parts it needs, such as libraries and other dependencies, and ship it all out as one package. By doing so, thanks to the container, the developer can rest assured that the application will run on any other Linux machine regardless of any customized settings that machine might have that could differ from the machine used for writing and testing the code. In a way, Docker is a bit like a virtual machine. But unlike a virtual machine, rather than creating a whole virtual operating system, Docker allows applications to use the same Linux kernel as the system that they’re running on and only requires applications be shipped with things not already running on the host computer. This gives a significant performance boost and reduces the size of the application.

Docker

Codeister Technolgoies

In the last few years, the popularity of DevSecOps and rich cloud services have been driving the adoption of containers in the software industry. Container architectures become increasingly complex, and organizations cannot escape using them. At the same time, attackers are finding new ways of exploiting containers and container architectures. Are you still new to containerization and infrastructure as code? Do you feel that your knowledge of application security suddenly doesn’t apply to the way applications are built and deployed using containers? Do you get lost in the IaC and container terminology soup? If so, this talk will help clear things up and answer your questions. We start with an introduction into container technologies, briefly go through the key terminology, explain the value that containers bring today, and why they are so popular. Then we will talk about the challenges that DevSecOps engineers have when using contains and the security aspects that they face. This presentation includes descriptions of common container threats and real-world examples of recent attacks. These threats will guide our discussion of the typical vulnerabilities and attack vectors. We will touch on well-known standards and resources for container security, such as OWASP Docker Top 10 project, Container Security Verification Standard, NIST Application Container Security Guide, and CIS Benchmarks. And we conclude with guidelines on how to secure containers and listing best practices that most organizations follow today.

Finding Your Way in Container Security

Ksenia Peguero

Docker Security and Content Trust

ehazlett

Docker Containers Security

Stephane Woillez

Finding Your Way in Container Security

Ksenia Peguero

Customer trust and security is paramount for Salesforce. While containerization is great for DevOps due to flexibility, speed, isolation, transient existence, ease of management and patching, it becomes a challenging environment when the sensitivity level of the data traversing the environment increases. Monitoring systems, applications and network; performing disk, memory and network forensics in case of an incident; and vulnerability detection can easily become daunting tasks in such a volatile environment. In this presentation we would like to discuss the infrastructure we have built to address these issues and to secure our Docker container platform while we rapidly containerize Salesforce. Our solutions focus on securing the container pipeline, building security into the architecture, monitoring, Docker forensics (disk, memory, network), and automation. We also would like to demonstrate some of our live memory analysis capabilities we leverage to assure container and application integrity during execution.

Securing the Container Pipeline at Salesforce by Cem Gurkok

Docker, Inc.

Dockerized containers are the current wave that promising to revolutionize IT. Everybody is talking about containers, but a lot of people remain confused on how they work and why they are different or better than virtual machines. In this session, Black Duck container and virtualization expert Tim Mackey will demystify containers, explain their core concepts, and compare and contrast them with the virtual machine architectures that have been the staple of IT for the last decade.

Containers 101

Black Duck by Synopsys

They provide the workload isolation and security advantages of VMs. but at the same time maintain the speed of deployment and usability of containers.by using kata containers, instead of namespace, small virtual machines are created on the kernel and be strongly isolated. The technology of Kata Containers is based on KVM hypervisor. That’s why the level of isolation is equivalent to typical hypervisors. This session will focus on a live production phase when choosing kata instead of docker, and why they are preferable Although containers provides software-level isolation of resources, the kernel needs to be shared. That’s why the isolation level in terms of security is not so high when compared with hypervisors.This learns to shift from Docker as the de facto standard to Kata containers and learn how to obtain higherl level of security

stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...

NETWAYS

Container Security

Salman Baset

The SolarWinds attack brought additional scrutiny software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers, 3rd party development contractors, as well as an array open source contributors. This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...

Denim Group

Linuxcon secureefficientcontainerimagemanagementharbor

LinuxCon ContainerCon CloudOpen China

Michael Wardrop, Netflix Usage of containers has undergone rapid growth at Netflix and it is still accelerating. Our container story started organically with developers downloading Docker and using it to improve their developer experience. The first production workloads were simple batch jobs, pioneering micro-services followed, then status as a first class platform running critical workloads. As the types of workloads changed and their importance increased, the security of our container ecosystem needed to evolve and adapt. This session will cover some security theory, architecture, along with practical considerations, and lessons we learnt along the way.

DCSF19 Container Security: Theory & Practice at Netflix

Docker, Inc.

OpenStack Summit

Docker, Inc.

Docker Security

antitree

Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4

Qualcomm Developer Network

Presented by Tim Mackey, Senior Technical Evangelist at Black Duck Software on September 8, 2016 with OpenShift Commons. Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to application issues attackers choose to exploit, it’s critical to have visibility into both what is in your container library, but also what the current state of vulnerability activity might be. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform. In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.

The How and Why of Container Vulnerability Management

Black Duck by Synopsys

Similaire à Securing Docker Containers (20)

Securing the Container Pipeline

5 Ways to Secure Your Containers for Docker and Beyond

Containers and Security for DevOps

Understanding container security

Docker

Finding Your Way in Container Security

Docker Security and Content Trust

Docker Containers Security

Finding Your Way in Container Security

Securing the Container Pipeline at Salesforce by Cem Gurkok

Containers 101

stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...

Container Security

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...

Linuxcon secureefficientcontainerimagemanagementharbor

DCSF19 Container Security: Theory & Practice at Netflix

OpenStack Summit

Docker Security

Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4

The How and Why of Container Vulnerability Management

Plus de Black Duck by Synopsys

Anthony Decicco, shareholder, GTC Law Group presented at FLIGHT West 2018. His session description included: A buyer and investor focused discussion of key open source software-related issues and deal points. Understanding the key legal and technical risks, as well as strategies for mitigating them, will help you to focus due diligence, speed and smooth negotiations and get better deal terms, increasing overall value and avoiding post-transaction surprises. For more information, please visit us at www.blackducksoftware.com

Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...

Black Duck by Synopsys

Basma Shahadat, Lead Research Engineer presented at Black Duck Flight West 2018. Security checking in the early stages of the SDLC is critical. This session will demonstrate how Proofpoint is taking proactive steps to reduce risk by integrating Black Duck into Proofpoint’s continuous integration pipeline to detect open source vulnerabilities during the product build. For more information, please visit us at https://www.blackducksoftware.com/

FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...

Black Duck by Synopsys

FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub

Black Duck by Synopsys

FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...

Black Duck by Synopsys

FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...

Black Duck by Synopsys

Open-Source- Sicherheits- und Risikoanalyse 2018

Black Duck by Synopsys

At Flight Amsterdam, Fenna Douwenga, Associate, Bird & Bird provided practical tips on open source licenses, intellectual property rights, and trade secrets. During the presentation Fenna reviewed, everlasting conflict between patents, copyright and open source and how it can be overcome. Additionally, the new European Trade Secrets Directive was discussed and how some of the requirements therein may for instance conflict with the GNU General Public license. Furthermore, a quick outline of the influence of Brexit on licenses closed under UK law was given and how potential problems can be prevented.

FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...

Black Duck by Synopsys

FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide

Black Duck by Synopsys

Flight Amsterdam presentation by Anthony Decicco, Shareholder, GTC Law Group Open source software is increasingly centric to transactions, whether licensing, mergers, acquisitions, financing, insurance, offerings or loans, and the deal landscape is changing with the prevalence of representation and warranty insurance, heightened focus on security vulnerabilities and increasing litigation. As such, it is important to understand and re-visit key open source software-related issues and deal points to accelerate your deal, avoid unnecessary due diligence and realize the most value from your open source software-related compliance efforts.

FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal

Black Duck by Synopsys

FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...

Black Duck by Synopsys

FLIGHT Amsterdam Presentation - From Protex to Hub

Black Duck by Synopsys

The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.

Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...

Black Duck by Synopsys

Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...

Black Duck by Synopsys

Open Source Rookies and Community

Black Duck by Synopsys

We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI and a webinar on the 2018 Open Source Rookies of the Year. Open Source Insight is your weekly news resource for open source security and cybersecurity news!

Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...

Black Duck by Synopsys

It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security into your GDPR plans. Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.

Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...

Black Duck by Synopsys

Welcome to the March 2nd edition of Open Source Insight from Black Duck by Synopsys! We look at places you’d never expect to find GDPR data, as well as answers to your most-frequently-asked GDPR questions. Synopsys Principal Scientist Sammy Migues explores why enterprises must have a software security program while Black Duck Technology Evangelist, Tim Mackey, takes a look at building application security into the heart of DevOps. Plus, a report that may give you nightmares on the malicious possibilities of AI. All the cybersecurity and open source security news fit to print lies ahead for your reading pleasure…

Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...

Black Duck by Synopsys

This week’s Open Source Insight features a powerful visualization tool displaying the world’s biggest data breaches at name brands such as Ebay, Equifax, Anthem, and Target. The White House and British Foreign Office have condemned a cyber-attack launched by the Russian military on Ukraine and hint at reprisals. Black Duck brings open source vulnerability detection to Kubernetes, and Synopsys will host Elevate, an evening thought leadership event at Embedded World 2018 featuring an elite group of international cyber security experts leading a discussion about IoT and embedded systems security threats and solutions. Read on for all the open source security and cybersecurity news you need to know this week.

Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...

Black Duck by Synopsys

Opinions differ on exactly when, but open source turned twenty this year. Most security breaches in 2017 were preventable (you hear that, Equifax?), and it’s time to take a look back to prevent similar breaches in 2018. iPhone source code gets leaked (for a short time). And keeping medical devices, voting machines, automobiles, and critical infrastructure safe in a world of increasing application risk. Read on for open source security and cybersecurity in Open Source Insight for February 9th, 2018.

Open Source Insight: Happy Birthday Open Source and Application Security for ...

Black Duck by Synopsys

This week in Open Source Insight we examine blockchain security and the cryptocurrency boom. Plus, take an in depth look at open source software in tech contracts with a legal expert from Tech Contracts Academy, Adobe Flash Player continues to be a security concern, the Open Source Initiative turns 20, and step by step instructions for migrating to Docker on Black Duck Hub. Cybersecurity and security breach news also dominates this week, as Synopsys examines security breaches in 2017 and how they were preventable.

Open Source Insight: Security Breaches and Cryptocurrency Dominating News

Black Duck by Synopsys

Plus de Black Duck by Synopsys (20)

Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...

FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...

FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub

FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...

FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...

Open-Source- Sicherheits- und Risikoanalyse 2018

FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...

FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide

FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal

FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...

FLIGHT Amsterdam Presentation - From Protex to Hub

Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...

Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...

Open Source Rookies and Community

Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...

Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...

Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...

Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...

Open Source Insight: Happy Birthday Open Source and Application Security for ...

Open Source Insight: Security Breaches and Cryptocurrency Dominating News

Dernier

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Civil Lines Women Seeking Men

Delhi Call girls

GenCyber Cyber Security Day Presentation

Michael W. Hawkins

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

08448380779 Call Girls In Greater Kailash - I Women Seeking Men

Delhi Call girls

Sara Mae O’Brien Scott and Tatiana Baquero Cakici, Senior Consultants at Enterprise Knowledge (EK), presented “AI Fast Track to Search-Focused AI Solutions” at the Information Architecture Conference (IAC24) that took place on April 11, 2024 in Seattle, WA. In their presentation, O’Brien-Scott and Cakici focused on what Enterprise AI is, why it is important, and what it takes to empower organizations to get started on a search-based AI journey and stay on track. The presentation explored the complexities of enterprise search challenges and how IA principles can be leveraged to provide AI solutions through the use of a semantic layer. O’Brien-Scott and Cakici showcased a case study where a taxonomy, an ontology, and a knowledge graph were used to structure content at a healthcare workforce solutions organization, providing personalized content recommendations and increasing content findability. In this session, participants gained insights about the following: Most common types of AI categories and use cases; Recommended steps to design and implement taxonomies and ontologies, ensuring they evolve effectively and support the organization’s search objectives; Taxonomy and ontology design considerations and best practices; Real-world AI applications that illustrated the value of taxonomies, ontologies, and knowledge graphs; and Tools, roles, and skills to design and implement AI-powered search solutions.

IAC 2024 - IA Fast Track to Search Focused AI Solutions

Enterprise Knowledge

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Enterprise Knowledge’s Urmi Majumder, Principal Data Architecture Consultant, and Fernando Aguilar Islas, Senior Data Science Consultant, presented "Driving Behavioral Change for Information Management through Data-Driven Green Strategy" on March 27, 2024 at Enterprise Data World (EDW) in Orlando, Florida. In this presentation, Urmi and Fernando discussed a case study describing how the information management division in a large supply chain organization drove user behavior change through awareness of the carbon footprint of their duplicated and near-duplicated content, identified via advanced data analytics. Check out their presentation to gain valuable perspectives on utilizing data-driven strategies to influence positive behavioral shifts and support sustainability initiatives within your organization. In this session, participants gained answers to the following questions: - What is a Green Information Management (IM) Strategy, and why should you have one? - How can Artificial Intelligence (AI) and Machine Learning (ML) support your Green IM Strategy through content deduplication? - How can an organization use insights into their data to influence employee behavior for IM? - How can you reap additional benefits from content reduction that go beyond Green IM?

Driving Behavioral Change for Information Management through Data-Driven Gree...

Enterprise Knowledge

Explore 'The Codex of Business: Writing Software for Real-World Solutions,' a compelling SlideShare presentation that delves into digital transformation in healthcare. Discover through a detailed case study how Agile methodologies empower healthcare providers to develop, iterate, and refine digital solutions that address real-world challenges. Learn how strategic planning, user feedback, and continuous improvement drive success in deploying technologies that enhance patient care and operational efficiency. Ideal for healthcare professionals, IT specialists, and digital transformation advocates seeking actionable insights and practical examples of technology making a real difference.

The Codex of Business Writing Software for Real-World Solutions 2.pptx

Malak Abu Hammad

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

What are drone anti-jamming systems? The drone anti-jamming systems and anti-spoof technology protect against interference, jamming, and spoofing of the UAVs. To protect their security, countries are beginning to research drone anti-jamming systems, also known as drone strike weapons. The anti-jam and anti-spoof technology protects against interference, jamming and spoofing. A drone strike weapon is a drone attack weapon that can attack and destroy enemy drones. So what is so unique about this amazing system?

What Are The Drone Anti-jamming Systems Technology?

Antenna Manufacturer Coco

In an era where artificial intelligence (AI) stands at the forefront of business innovation, Information Architecture (IA) is at the core of functionality. See “There’s No AI Without IA” – (from 2016 but even more relevant today) Understanding and leveraging how Information Architecture (IA) supports AI synergies between knowledge engineering and prompt engineering is critical for senior leaders looking to successfully deploy AI for internal and externally facing knowledge processes. This webinar be a high-level overview of the methodologies that can elevate AI-driven knowledge processes supporting both employees and customers. Core Insights Include: Strategic Knowledge Engineering: Delve into how structuring AI's knowledge base is required to prevent hallucinations, enable contextual retrieval of accurate information. This will include discussion of gold standard libraries of use cases support testing various LLMs and structures and configurations of knowledge base. Precision in Prompt Engineering: Learn the art of crafting prompts that direct AI to deliver targeted, relevant responses, thereby optimizing customer experiences and business outcomes. Unified Approach for Enhanced AI Performance: Explore the intersection of knowledge and prompt engineering to develop AI systems that are not only more responsive but also aligned with overarching business strategies. Guiding Principles for Implementation: Equip yourself with best practices, ethical guidelines, and strategic considerations for embedding these technologies into your business ecosystem effectively. This webinar is designed to empower business and technology leaders with the knowledge to harness the full potential of AI, ensuring their organizations not only keep pace with digital transformation but lead the charge. Join us to map a roadmap to fully leverage Information Architecture (IA) and AI chart a course towards a future where AI is a key pillar of strategic innovation and business success.

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx

Earley Information Science

Slack Application Development 101 Slides

praypatel2

Dernier (20)

Automating Google Workspace (GWS) & more with Apps Script

Boost Fertility New Invention Ups Success Rates.pdf

A Year of the Servo Reboot: Where Are We Now?

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

08448380779 Call Girls In Civil Lines Women Seeking Men

GenCyber Cyber Security Day Presentation

2024: Domino Containers - The Next Step. News from the Domino Container commu...

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

08448380779 Call Girls In Greater Kailash - I Women Seeking Men

IAC 2024 - IA Fast Track to Search Focused AI Solutions

Tata AIG General Insurance Company - Insurer Innovation Award 2024

Driving Behavioral Change for Information Management through Data-Driven Gree...

The Codex of Business Writing Software for Real-World Solutions 2.pptx

Artificial Intelligence: Facts and Myths

Exploring the Future Potential of AI-Enabled Smartphone Processors

🐬 The future of MySQL is Postgres 🐘

Boost PC performance: How more available memory can improve productivity

What Are The Drone Anti-jamming Systems Technology?

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx

Slack Application Development 101 Slides

Securing Docker Containers

1. Securing Docker Containers Randy Kilmon VP Engineering Black Duck Software

2. How Pervasive is Open Source? • > 98% of the applications tested used open source • On average, open source comprised over 30% of the code base Open Source Custom Code Composition of software tested across 1400 Black Duck customers Reference:Black Duck Softwareaudits

3. Building Trust & Confidence is Critical to Adoption of Docker Security is ranked as the #1 adoption challenge for containers • 60% of customers are concerned about container security and lack of certification/image provenance • 40% of available container images in contain High Priority Vulnerabilities • 4,000 new vulnerabilities in open source reported annually, e.g., Heartbleed, Shellshock, Venom, Ghost 3Black Duck Customer Conference

4. Areas of Concern Docker security issues fall into three main categories • Docker itself and the infrastructure it uses • The authenticity and provenance of the images themselves • The security profile of the content within the containers Docker runs 4Black Duck Customer Conference

5. Docker Infrastructure Docker Daemon / Docker Socket • Docker itself must run as root on the host system • attacks targeting the host system coming in through Docker would have root privs • Many Docker containers run with the –privileged flag set which extends privileges of the container allowing it to access all devices on the host system (BAD Idea). 5Black Duck Customer Conference

6. Responses Linux adaptations to counter the threat • Red Hat Atomic Host • SE linux (multi-tenancy) • “Locked down” system (read-only /usr) • Intended to change configurations only in /var & /etc • No yum package manager • VMware Photon and Lightwave • Photon is an optimized and secured Linux host designed for running containers at scale • Lightwave used for managing authorization and identity management 6Black Duck Customer Conference

7. Container Contents Containers can be vulnerable by virtue of the code that runs inside them • OSS components running inside containers represent potential attack vectors in the same way they can in traditional deployment models • Could cause problems for the application itself • Could cause more problems if the container is running with the – privileged flag set • Different OS flavors and versions, as well as different module versions • Based on any one of many Linux distributions • Patches must be managed carefully • Security, but also compatibility & supportability 7Black Duck Customer Conference

8. Responses Manage and monitor container content carefully • Dockerfile analysis is insufficient • .tar, .zip files could have anything inside them • Other layers are just referenced from other registries • Asking the package manager is insufficient • Not all modules are under package manager’s purview • Application layer code (.jar’s, e.g.) is never managed in this way • File inspection (scanning) is the only way to be sure about what’s there!! 8Black Duck Customer Conference

9. Microservices The more containers you spin up, the larger attack surface you expose • Speed is critical • Speed to detection of problems • Speed to remediation 9Black Duck Customer Conference

10. The Black Duck Solution Black Duck key differentiators • Platform-agnostic support in Hub for analyzing all content (whether inside containers or not) • Signature-based file identification • Automated identification • Able to show in which layer the component was introduced • Vulnerability reporting over time / alerting 10Black Duck Customer Conference

11. Key Integration Points Many options for workflow • Scan on any Docker host by accessing images through the Docker daemon • Scan on RH Atomic Host with file system level integration • Scan directly against a Docker registry • CI tools: Jenkins, Bamboo, etc. • OpenShift (currently in development)* 11Black Duck Customer Conference

12. Demo 12Black Duck Customer Conference

13. Q&A 13Black Duck Customer Conference Let’s talk about how you are using or plan to use Docker in your organizations

Securing Docker Containers

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Securing Docker Containers

Similaire à Securing Docker Containers (20)

Plus de Black Duck by Synopsys

Plus de Black Duck by Synopsys (20)

Dernier

Dernier (20)

Securing Docker Containers