SlideShare a Scribd company logo

Automate Your Container Deployments Securely

DevOps.com
DevOps.com

Operations seeking to make their apps and APIs both performant and available to their users must bake effective application security tooling into their processes and infrastructure configurations. How can development and operations teams release at increasing velocity with app protection built into their CI/CD pipeline? A true next-generation, holistic web application and API protection platform does just that: operations teams can integrate security into their workflows and ensure new infrastructure and app code released to production is both effective and secure in any environment from cloud using containers to datacenters to a hybrid of these. Join application security expert Aneel Dadani from Signal Sciences to learn how your team can automate, deploy at scale safely while gaining layer 7 visibility in production environments. Attendees will learn: What constitutes effective application security within the context of cloud adoption and an ever expanding threat landscape How development teams can gain visibility into how their apps and APIs are being used in production and what vulnerabilities may exist that they overlooked How DevOps teams can scale their application footprint to meet demand while securing your codebase in production How to inspect request traffic at the API gateway or the ingress

Technology
1 of 27
Download to read offline
Automate Your Container Deployments Securely Aneel Dadani
Agenda ● Introduction ● Market Trend ● Securing Microservices ● Integration of Signal Sciences with Demo ● Q&A Agendae
Introduction Aneel Dadani Technical Account Manager Signal Sciences Introduction
Signal Sciences Architecture Real-time web app protection that scales without impacting performance Load Balancer Web Servers Application Containers PaaS Service Mesh API Gateway Hosted Cloud WAF Reverse Proxy Architecture
Market Trend
IMAGE GOES HERE Web Usage Trend Business conducted on the web: ● Online Shopping ● Online Gaming ● On-Demand Services ● Financial Services ● Media Streaming ● Video Conferencing Market Trend
Cloud Native Adoption Trend 1. Source:: ESG Research Cloud Native Adoption
Container Orchestration K8S Controller Node Pod Node Pod Node Pod Container Pod Pod Pod Pod Pod Pod Container Container Container Orchestration
Securing Microservices
Vulnerabilities in the wild ● CVE-2020-8555 ● CVE-2020-8558 Kubernetes vulnerabilities
Examples of Application Layer Attacks ● Remote Code Execution (RCE) ○ CVE-2017-5638 - Apache Struts Vulnerability ● Server Side Request Forgery (SSRF) ○ SSRF used to retrieve AWS credentials App Layer Attack Examples
Defense In Depth 6 - Public Cloud 5 - Cluster 4 - Node 3 - Network 2 - Pod 1 - Container 0 - Kernel Defense in Depth
● Ensure kernel versions are patched and contain no existing vulnerabilities ● Review allowed system calls and remove unnecessary / unwanted calls ● Consider utilizing further container sandboxing such as gVisor or kata containers to restrict system calls 0 - Kernel Layer 0 - Kernel Defense in Depth
Layer 1 - Container (Build) ● Remove unnecessary components, packages, and network utilities ● Minimal base images ● Scan images for vulnerabilities and misconfigurations ● Pull images from known-good sources ● Check for integrity of images throughout the CI/CD pipeline and build process 1 - Container 0 - Kernel Defense in Depth
Layer 1 - Container (Runtime) ● Ephemeral containers for live debugging ● Watch for anomalies and suspicious events ○ Unexpected child processes ○ Shell run inside a container ○ Sensitive file is unexpectedly read 1 - Container 0 - Kernel Defense in Depth
Layer 2 - Pod ● Pod Security Context ○ Privileged containers ○ Group and User IDs for processes and volumes ○ Granular Linux capabilities (drop or add) ○ Sandboxing and Mandatory Access Controls (seccomp, AppArmor, SELinux) ○ Filesystem permissions ○ Privilege escalation program privileges ● Pod Security Policy ○ Principle of Least Privilege 2 - Pod 1 - Container 0 - Kernel Defense in Depth
3 - Network Layer 3 - Network ● By default, all pods can talk to other pods ● Network Policies to segment communication ● The Kubernetes API is accessible from the inside ● Egress traffic to malicious IPs ● Service mesh to control traffic between workloads and ingress / egress 2 - Pod 1 - Container 0 - Kernel Defense in Depth
4 - Node 3 - Network Layer 4 - Node ● Check open ports and services ● Limit external administrative access to nodes and control plane ● Minimal base OS and harden according to CIS Benchmarks ● Scan and patch like any other asset 2 - Pod 1 - Container 0 - Kernel Defense in Depth
5 - Cluster 4 - Node 3 - Network Layer 5 - Cluster ● Securing system components ○ kube-apiserver ○ kubelet ○ etcd ● Secrets ○ Read-only volumes in containers ○ Need to know ○ Encryption ○ RBAC ● Update Kubernetes ● Enable audit logging ● Third-party components 2 - Pod 1 - Container 0 - Kernel Defense in Depth
6 - Public Cloud 5 - Cluster 4 - Node 3 - Network Layer 6 - Public Cloud ● Cloud networking ● Build systems ● Access control ● Logging and monitoring ● Encryption ● The list goes on and on... 2 - Pod 1 - Container 0 - Kernel Defense in Depth
Security in Layers The Mega Security Checklist ● Can containers run as root? ● Can containers mount sensitive volumes / directories? Read or Read / Write? ● Can Pods run in “Privileged” mode? ● What policies (PSP, custom, OPA) are in place and for who? ● Is RBAC enforcing the principle of least privilege? ● How are secrets being stored and retrieved? Rotated? Revoked? ● Where do container images come from? Are images being validated? These are just a few questions to consider when building out a Kubernetes AppSec strategy. Get the full checklist at: signalsciences.com/resources
Kubernetes Security Tooling Protect Any App Cloud Containers, PaaS, & Serverless Against Any Attack ● OWASP Injection Attacks ● Business Logic Attacks ● Brute Force Attacks ● Application Abuse & Misuse ● Request Rate Limiting ● Account Takeover ● Bad Bots ● Virtual Patching Any DevOps Toolchain Generic Webhooks & Any Custom Tools via Full RESTFul/JSON API Layer 7 Visibility, Flexible Deployment, Scalable Protection Web Servers & Languages Gateways & Proxies Kubernetes Security Tooling
Demo Time
Privileged Containers Demo
Deploying Signal Sciences Demo Node Pod Pod Pod Pod :4000 :80 listener='http://127.0.0.1:4000' upstreams='http://127.0.0.1:80'
Q&A
Thank You!

Recommended

Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)DevOps.com
 
Monitoring Your AWS EKS Environment with Datadog
Monitoring Your AWS EKS Environment with DatadogMonitoring Your AWS EKS Environment with Datadog
Monitoring Your AWS EKS Environment with DatadogDevOps.com
 
Centralized logging in a changing environment at the UK’s DVLA
Centralized logging in a changing environment at the UK’s DVLACentralized logging in a changing environment at the UK’s DVLA
Centralized logging in a changing environment at the UK’s DVLAElasticsearch
 
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...Microservices at Scale: How to Reduce Overhead and Increase Developer Product...
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...DevOps.com
 
Shifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environmentsShifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environmentsLibbySchulze
 
Microsoft: Enterprise search for cloud native applications
Microsoft: Enterprise search for cloud native applicationsMicrosoft: Enterprise search for cloud native applications
Microsoft: Enterprise search for cloud native applicationsElasticsearch
 
Empower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEMEmpower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEMElasticsearch
 
Siscale Lightning Talk: Automated Root Cause Analysis with Elastic Stack
Siscale Lightning Talk: Automated Root Cause Analysis with Elastic StackSiscale Lightning Talk: Automated Root Cause Analysis with Elastic Stack
Siscale Lightning Talk: Automated Root Cause Analysis with Elastic StackElasticsearch
 

Recommended

Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)DevOps.com
 
Monitoring Your AWS EKS Environment with Datadog
Monitoring Your AWS EKS Environment with DatadogMonitoring Your AWS EKS Environment with Datadog
Monitoring Your AWS EKS Environment with DatadogDevOps.com
 
Centralized logging in a changing environment at the UK’s DVLA
Centralized logging in a changing environment at the UK’s DVLACentralized logging in a changing environment at the UK’s DVLA
Centralized logging in a changing environment at the UK’s DVLAElasticsearch
 
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...Microservices at Scale: How to Reduce Overhead and Increase Developer Product...
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...DevOps.com
 
Shifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environmentsShifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environmentsLibbySchulze
 
Microsoft: Enterprise search for cloud native applications
Microsoft: Enterprise search for cloud native applicationsMicrosoft: Enterprise search for cloud native applications
Microsoft: Enterprise search for cloud native applicationsElasticsearch
 
Empower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEMEmpower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEMElasticsearch
 
Siscale Lightning Talk: Automated Root Cause Analysis with Elastic Stack
Siscale Lightning Talk: Automated Root Cause Analysis with Elastic StackSiscale Lightning Talk: Automated Root Cause Analysis with Elastic Stack
Siscale Lightning Talk: Automated Root Cause Analysis with Elastic StackElasticsearch
 
Security Events Logging at Bell with the Elastic Stack
Security Events Logging at Bell with the Elastic StackSecurity Events Logging at Bell with the Elastic Stack
Security Events Logging at Bell with the Elastic StackElasticsearch
 
Combinação de logs, métricas e rastreamentos para observabilidade unificada
Combinação de logs, métricas e rastreamentos para observabilidade unificadaCombinação de logs, métricas e rastreamentos para observabilidade unificada
Combinação de logs, métricas e rastreamentos para observabilidade unificadaElasticsearch
 
The user s identities
The user s identitiesThe user s identities
The user s identitiesGiuliano Latini
 
Automate threat detections and avoid false positives
Automate threat detections and avoid false positivesAutomate threat detections and avoid false positives
Automate threat detections and avoid false positivesElasticsearch
 
Secure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift EnvironmentsSecure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift EnvironmentsDevOps.com
 
Cloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New RealityCloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New RealityCarlos Andrés García
 
Elastic @ Adobe: Making Search Smarter with Machine Learning at Scale
Elastic @ Adobe: Making Search Smarter with Machine Learning at ScaleElastic @ Adobe: Making Search Smarter with Machine Learning at Scale
Elastic @ Adobe: Making Search Smarter with Machine Learning at ScaleElasticsearch
 
Reinventing enterprise defense with the Elastic Stack
Reinventing enterprise defense with the Elastic StackReinventing enterprise defense with the Elastic Stack
Reinventing enterprise defense with the Elastic StackElasticsearch
 
Automatize a detecção de ameaças e evite falsos positivos
Automatize a detecção de ameaças e evite falsos positivosAutomatize a detecção de ameaças e evite falsos positivos
Automatize a detecção de ameaças e evite falsos positivosElasticsearch
 
DCSF 19 Zero Trust Networks Come to Enterprise Kubernetes
DCSF 19 Zero Trust Networks Come to Enterprise KubernetesDCSF 19 Zero Trust Networks Come to Enterprise Kubernetes
DCSF 19 Zero Trust Networks Come to Enterprise KubernetesDocker, Inc.
 
The full picture of Openstack in real-time
The full picture of Openstack in real-timeThe full picture of Openstack in real-time
The full picture of Openstack in real-timeDynatrace
 
F5 Cloud Solutions
F5 Cloud SolutionsF5 Cloud Solutions
F5 Cloud SolutionsMarketingArrowECS_CZ
 
AWS and Sumo Logic Webinar: Simplify Compliance with Proactive Machine Data A...
AWS and Sumo Logic Webinar: Simplify Compliance with Proactive Machine Data A...AWS and Sumo Logic Webinar: Simplify Compliance with Proactive Machine Data A...
AWS and Sumo Logic Webinar: Simplify Compliance with Proactive Machine Data A...Sumo Logic
 
Will County Sheriff’s Office: Solving Crime with Data
Will County Sheriff’s Office: Solving Crime with DataWill County Sheriff’s Office: Solving Crime with Data
Will County Sheriff’s Office: Solving Crime with DataElasticsearch
 
Keynote
KeynoteKeynote
KeynoteElasticsearch
 
Elastic APM : développez vos logs et vos indicateurs pour obtenir une vue com...
Elastic APM : développez vos logs et vos indicateurs pour obtenir une vue com...Elastic APM : développez vos logs et vos indicateurs pour obtenir une vue com...
Elastic APM : développez vos logs et vos indicateurs pour obtenir une vue com...Elasticsearch
 
What’s New with NGINX Controller Load Balancing Module 2.0?
What’s New with NGINX Controller Load Balancing Module 2.0?What’s New with NGINX Controller Load Balancing Module 2.0?
What’s New with NGINX Controller Load Balancing Module 2.0?NGINX, Inc.
 
Keynote: Making search better, faster, easier
Keynote: Making search better, faster, easierKeynote: Making search better, faster, easier
Keynote: Making search better, faster, easierElasticsearch
 
Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)
Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)
Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)Codit
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC Anton Chuvakin
 
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdfSantander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdfJuan Vicente Herrera Ruiz de Alejo
 
Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Gordon Haff
 

More Related Content

What's hot

Security Events Logging at Bell with the Elastic Stack
Security Events Logging at Bell with the Elastic StackSecurity Events Logging at Bell with the Elastic Stack
Security Events Logging at Bell with the Elastic StackElasticsearch
 
Combinação de logs, métricas e rastreamentos para observabilidade unificada
Combinação de logs, métricas e rastreamentos para observabilidade unificadaCombinação de logs, métricas e rastreamentos para observabilidade unificada
Combinação de logs, métricas e rastreamentos para observabilidade unificadaElasticsearch
 
Automate threat detections and avoid false positives
Automate threat detections and avoid false positivesAutomate threat detections and avoid false positives
Automate threat detections and avoid false positivesElasticsearch
 
Secure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift EnvironmentsSecure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift EnvironmentsDevOps.com
 
Cloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New RealityCloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New RealityCarlos Andrés García
 
Elastic @ Adobe: Making Search Smarter with Machine Learning at Scale
Elastic @ Adobe: Making Search Smarter with Machine Learning at ScaleElastic @ Adobe: Making Search Smarter with Machine Learning at Scale
Elastic @ Adobe: Making Search Smarter with Machine Learning at ScaleElasticsearch
 
Reinventing enterprise defense with the Elastic Stack
Reinventing enterprise defense with the Elastic StackReinventing enterprise defense with the Elastic Stack
Reinventing enterprise defense with the Elastic StackElasticsearch
 
Automatize a detecção de ameaças e evite falsos positivos
Automatize a detecção de ameaças e evite falsos positivosAutomatize a detecção de ameaças e evite falsos positivos
Automatize a detecção de ameaças e evite falsos positivosElasticsearch
 
DCSF 19 Zero Trust Networks Come to Enterprise Kubernetes
DCSF 19 Zero Trust Networks Come to Enterprise KubernetesDCSF 19 Zero Trust Networks Come to Enterprise Kubernetes
DCSF 19 Zero Trust Networks Come to Enterprise KubernetesDocker, Inc.
 
The full picture of Openstack in real-time
The full picture of Openstack in real-timeThe full picture of Openstack in real-time
The full picture of Openstack in real-timeDynatrace
 
AWS and Sumo Logic Webinar: Simplify Compliance with Proactive Machine Data A...
AWS and Sumo Logic Webinar: Simplify Compliance with Proactive Machine Data A...AWS and Sumo Logic Webinar: Simplify Compliance with Proactive Machine Data A...
AWS and Sumo Logic Webinar: Simplify Compliance with Proactive Machine Data A...Sumo Logic
 
Will County Sheriff’s Office: Solving Crime with Data
Will County Sheriff’s Office: Solving Crime with DataWill County Sheriff’s Office: Solving Crime with Data
Will County Sheriff’s Office: Solving Crime with DataElasticsearch
 
Elastic APM : développez vos logs et vos indicateurs pour obtenir une vue com...
Elastic APM : développez vos logs et vos indicateurs pour obtenir une vue com...Elastic APM : développez vos logs et vos indicateurs pour obtenir une vue com...
Elastic APM : développez vos logs et vos indicateurs pour obtenir une vue com...Elasticsearch
 
What’s New with NGINX Controller Load Balancing Module 2.0?
What’s New with NGINX Controller Load Balancing Module 2.0?What’s New with NGINX Controller Load Balancing Module 2.0?
What’s New with NGINX Controller Load Balancing Module 2.0?NGINX, Inc.
 
Keynote: Making search better, faster, easier
Keynote: Making search better, faster, easierKeynote: Making search better, faster, easier
Keynote: Making search better, faster, easierElasticsearch
 
Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)
Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)
Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)Codit
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC Anton Chuvakin
 

What's hot (20)

Security Events Logging at Bell with the Elastic Stack
Security Events Logging at Bell with the Elastic StackSecurity Events Logging at Bell with the Elastic Stack
Security Events Logging at Bell with the Elastic Stack
 
Combinação de logs, métricas e rastreamentos para observabilidade unificada
Combinação de logs, métricas e rastreamentos para observabilidade unificadaCombinação de logs, métricas e rastreamentos para observabilidade unificada
Combinação de logs, métricas e rastreamentos para observabilidade unificada
 
The user s identities
The user s identitiesThe user s identities
The user s identities
 
Automate threat detections and avoid false positives
Automate threat detections and avoid false positivesAutomate threat detections and avoid false positives
Automate threat detections and avoid false positives
 
Secure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift EnvironmentsSecure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift Environments
 
Cloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New RealityCloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New Reality
 
Elastic @ Adobe: Making Search Smarter with Machine Learning at Scale
Elastic @ Adobe: Making Search Smarter with Machine Learning at ScaleElastic @ Adobe: Making Search Smarter with Machine Learning at Scale
Elastic @ Adobe: Making Search Smarter with Machine Learning at Scale
 
Reinventing enterprise defense with the Elastic Stack
Reinventing enterprise defense with the Elastic StackReinventing enterprise defense with the Elastic Stack
Reinventing enterprise defense with the Elastic Stack
 
Automatize a detecção de ameaças e evite falsos positivos
Automatize a detecção de ameaças e evite falsos positivosAutomatize a detecção de ameaças e evite falsos positivos
Automatize a detecção de ameaças e evite falsos positivos
 
DCSF 19 Zero Trust Networks Come to Enterprise Kubernetes
DCSF 19 Zero Trust Networks Come to Enterprise KubernetesDCSF 19 Zero Trust Networks Come to Enterprise Kubernetes
DCSF 19 Zero Trust Networks Come to Enterprise Kubernetes
 
The full picture of Openstack in real-time
The full picture of Openstack in real-timeThe full picture of Openstack in real-time
The full picture of Openstack in real-time
 
F5 Cloud Solutions
F5 Cloud SolutionsF5 Cloud Solutions
F5 Cloud Solutions
 
AWS and Sumo Logic Webinar: Simplify Compliance with Proactive Machine Data A...
AWS and Sumo Logic Webinar: Simplify Compliance with Proactive Machine Data A...AWS and Sumo Logic Webinar: Simplify Compliance with Proactive Machine Data A...
AWS and Sumo Logic Webinar: Simplify Compliance with Proactive Machine Data A...
 
Will County Sheriff’s Office: Solving Crime with Data
Will County Sheriff’s Office: Solving Crime with DataWill County Sheriff’s Office: Solving Crime with Data
Will County Sheriff’s Office: Solving Crime with Data
 
Keynote
KeynoteKeynote
Keynote
 
Elastic APM : développez vos logs et vos indicateurs pour obtenir une vue com...
Elastic APM : développez vos logs et vos indicateurs pour obtenir une vue com...Elastic APM : développez vos logs et vos indicateurs pour obtenir une vue com...
Elastic APM : développez vos logs et vos indicateurs pour obtenir une vue com...
 
What’s New with NGINX Controller Load Balancing Module 2.0?
What’s New with NGINX Controller Load Balancing Module 2.0?What’s New with NGINX Controller Load Balancing Module 2.0?
What’s New with NGINX Controller Load Balancing Module 2.0?
 
Keynote: Making search better, faster, easier
Keynote: Making search better, faster, easierKeynote: Making search better, faster, easier
Keynote: Making search better, faster, easier
 
Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)
Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)
Living on the (IoT) edge (Sam Vanhoutte @TechdaysNL 2017)
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC
 

Similar to Automate Your Container Deployments Securely

Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Gordon Haff
 
QConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and Daemons
QConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and DaemonsQConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and Daemons
QConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and Daemonsaspyker
 
Securing Microservices in Containerized Environments
Securing Microservices in Containerized Environments Securing Microservices in Containerized Environments
Securing Microservices in Containerized Environments DevOps.com
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
 
Netflix Open Source Meetup Season 3 Episode 2
Netflix Open Source Meetup Season 3 Episode 2Netflix Open Source Meetup Season 3 Episode 2
Netflix Open Source Meetup Season 3 Episode 2aspyker
 
NetflixOSS Meetup season 3 episode 2
NetflixOSS Meetup season 3 episode 2NetflixOSS Meetup season 3 episode 2
NetflixOSS Meetup season 3 episode 2Ruslan Meshenberg
 
ContainerDayVietnam2016: Kubernetes State-of-the-art Container Management Pla...
ContainerDayVietnam2016: Kubernetes State-of-the-art Container Management Pla...ContainerDayVietnam2016: Kubernetes State-of-the-art Container Management Pla...
ContainerDayVietnam2016: Kubernetes State-of-the-art Container Management Pla...Docker-Hanoi
 
Intro to sysdig in 15 minutes
Intro to sysdig in 15 minutesIntro to sysdig in 15 minutes
Intro to sysdig in 15 minutesSysdig
 
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdfZephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdfAswathRangaraj1
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Black Duck by Synopsys
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Tim Mackey
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 
Implementing Observability for Kubernetes.pdf
Implementing Observability for Kubernetes.pdfImplementing Observability for Kubernetes.pdf
Implementing Observability for Kubernetes.pdfJose Manuel Ortega Candel
 

Similar to Automate Your Container Deployments Securely (20)

Santander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdfSantander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
 
Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017
 
Container Security Mmanagement
Container Security MmanagementContainer Security Mmanagement
Container Security Mmanagement
 
QConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and Daemons
QConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and DaemonsQConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and Daemons
QConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and Daemons
 
Securing Microservices in Containerized Environments
Securing Microservices in Containerized Environments Securing Microservices in Containerized Environments
Securing Microservices in Containerized Environments
 
Autopilot : Securing Cloud Native Storage
Autopilot : Securing Cloud Native StorageAutopilot : Securing Cloud Native Storage
Autopilot : Securing Cloud Native Storage
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
 
Netflix Open Source Meetup Season 3 Episode 2
Netflix Open Source Meetup Season 3 Episode 2Netflix Open Source Meetup Season 3 Episode 2
Netflix Open Source Meetup Season 3 Episode 2
 
NetflixOSS Meetup season 3 episode 2
NetflixOSS Meetup season 3 episode 2NetflixOSS Meetup season 3 episode 2
NetflixOSS Meetup season 3 episode 2
 
ContainerDayVietnam2016: Kubernetes State-of-the-art Container Management Pla...
ContainerDayVietnam2016: Kubernetes State-of-the-art Container Management Pla...ContainerDayVietnam2016: Kubernetes State-of-the-art Container Management Pla...
ContainerDayVietnam2016: Kubernetes State-of-the-art Container Management Pla...
 
Intro to sysdig in 15 minutes
Intro to sysdig in 15 minutesIntro to sysdig in 15 minutes
Intro to sysdig in 15 minutes
 
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdfZephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 
Implementing Observability for Kubernetes.pdf
Implementing Observability for Kubernetes.pdfImplementing Observability for Kubernetes.pdf
Implementing Observability for Kubernetes.pdf
 

More from DevOps.com

Modernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source SoftwareModernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source SoftwareDevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...DevOps.com
 
Next Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and SnykNext Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and SnykDevOps.com
 
Vulnerability Discovery in the Cloud
Vulnerability Discovery in the CloudVulnerability Discovery in the Cloud
Vulnerability Discovery in the CloudDevOps.com
 
2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and PredictionsDevOps.com
 
A New Year’s Ransomware Resolution
A New Year’s Ransomware ResolutionA New Year’s Ransomware Resolution
A New Year’s Ransomware ResolutionDevOps.com
 
Don't Panic! Effective Incident Response
Don't Panic! Effective Incident ResponseDon't Panic! Effective Incident Response
Don't Panic! Effective Incident ResponseDevOps.com
 
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's CultureCreating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's CultureDevOps.com
 
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with TeleportRole Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with TeleportDevOps.com
 
Monitoring Serverless Applications with Datadog
Monitoring Serverless Applications with DatadogMonitoring Serverless Applications with Datadog
Monitoring Serverless Applications with DatadogDevOps.com
 
Deliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or PrivatelyDeliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or PrivatelyDevOps.com
 
Securing medical apps in the age of covid final
Securing medical apps in the age of covid finalSecuring medical apps in the age of covid final
Securing medical apps in the age of covid finalDevOps.com
 
How to Build a Healthy On-Call Culture
How to Build a Healthy On-Call CultureHow to Build a Healthy On-Call Culture
How to Build a Healthy On-Call CultureDevOps.com
 
The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021DevOps.com
 
Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?DevOps.com
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...DevOps.com
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...DevOps.com
 
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...DevOps.com
 
How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...
How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...
How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...DevOps.com
 

More from DevOps.com (20)

Modernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source SoftwareModernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source Software
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
 
Next Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and SnykNext Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and Snyk
 
Vulnerability Discovery in the Cloud
Vulnerability Discovery in the CloudVulnerability Discovery in the Cloud
Vulnerability Discovery in the Cloud
 
2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions
 
A New Year’s Ransomware Resolution
A New Year’s Ransomware ResolutionA New Year’s Ransomware Resolution
A New Year’s Ransomware Resolution
 
Don't Panic! Effective Incident Response
Don't Panic! Effective Incident ResponseDon't Panic! Effective Incident Response
Don't Panic! Effective Incident Response
 
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's CultureCreating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
 
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with TeleportRole Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
 
Monitoring Serverless Applications with Datadog
Monitoring Serverless Applications with DatadogMonitoring Serverless Applications with Datadog
Monitoring Serverless Applications with Datadog
 
Deliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or PrivatelyDeliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or Privately
 
Securing medical apps in the age of covid final
Securing medical apps in the age of covid finalSecuring medical apps in the age of covid final
Securing medical apps in the age of covid final
 
How to Build a Healthy On-Call Culture
How to Build a Healthy On-Call CultureHow to Build a Healthy On-Call Culture
How to Build a Healthy On-Call Culture
 
The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021
 
Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
 
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
 
How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...
How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...
How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Techn...
 

Recently uploaded

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 

Recently uploaded (20)

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

Automate Your Container Deployments Securely

  • 2. Agenda ● Introduction ● Market Trend ● Securing Microservices ● Integration of Signal Sciences with Demo ● Q&A Agendae
  • 3. Introduction Aneel Dadani Technical Account Manager Signal Sciences Introduction
  • 4. Signal Sciences Architecture Real-time web app protection that scales without impacting performance Load Balancer Web Servers Application Containers PaaS Service Mesh API Gateway Hosted Cloud WAF Reverse Proxy Architecture
  • 6. IMAGE GOES HERE Web Usage Trend Business conducted on the web: ● Online Shopping ● Online Gaming ● On-Demand Services ● Financial Services ● Media Streaming ● Video Conferencing Market Trend
  • 7. Cloud Native Adoption Trend 1. Source:: ESG Research Cloud Native Adoption
  • 10. Vulnerabilities in the wild ● CVE-2020-8555 ● CVE-2020-8558 Kubernetes vulnerabilities
  • 11. Examples of Application Layer Attacks ● Remote Code Execution (RCE) ○ CVE-2017-5638 - Apache Struts Vulnerability ● Server Side Request Forgery (SSRF) ○ SSRF used to retrieve AWS credentials App Layer Attack Examples
  • 12. Defense In Depth 6 - Public Cloud 5 - Cluster 4 - Node 3 - Network 2 - Pod 1 - Container 0 - Kernel Defense in Depth
  • 13. ● Ensure kernel versions are patched and contain no existing vulnerabilities ● Review allowed system calls and remove unnecessary / unwanted calls ● Consider utilizing further container sandboxing such as gVisor or kata containers to restrict system calls 0 - Kernel Layer 0 - Kernel Defense in Depth
  • 14. Layer 1 - Container (Build) ● Remove unnecessary components, packages, and network utilities ● Minimal base images ● Scan images for vulnerabilities and misconfigurations ● Pull images from known-good sources ● Check for integrity of images throughout the CI/CD pipeline and build process 1 - Container 0 - Kernel Defense in Depth
  • 15. Layer 1 - Container (Runtime) ● Ephemeral containers for live debugging ● Watch for anomalies and suspicious events ○ Unexpected child processes ○ Shell run inside a container ○ Sensitive file is unexpectedly read 1 - Container 0 - Kernel Defense in Depth
  • 16. Layer 2 - Pod ● Pod Security Context ○ Privileged containers ○ Group and User IDs for processes and volumes ○ Granular Linux capabilities (drop or add) ○ Sandboxing and Mandatory Access Controls (seccomp, AppArmor, SELinux) ○ Filesystem permissions ○ Privilege escalation program privileges ● Pod Security Policy ○ Principle of Least Privilege 2 - Pod 1 - Container 0 - Kernel Defense in Depth
  • 17. 3 - Network Layer 3 - Network ● By default, all pods can talk to other pods ● Network Policies to segment communication ● The Kubernetes API is accessible from the inside ● Egress traffic to malicious IPs ● Service mesh to control traffic between workloads and ingress / egress 2 - Pod 1 - Container 0 - Kernel Defense in Depth
  • 18. 4 - Node 3 - Network Layer 4 - Node ● Check open ports and services ● Limit external administrative access to nodes and control plane ● Minimal base OS and harden according to CIS Benchmarks ● Scan and patch like any other asset 2 - Pod 1 - Container 0 - Kernel Defense in Depth
  • 19. 5 - Cluster 4 - Node 3 - Network Layer 5 - Cluster ● Securing system components ○ kube-apiserver ○ kubelet ○ etcd ● Secrets ○ Read-only volumes in containers ○ Need to know ○ Encryption ○ RBAC ● Update Kubernetes ● Enable audit logging ● Third-party components 2 - Pod 1 - Container 0 - Kernel Defense in Depth
  • 20. 6 - Public Cloud 5 - Cluster 4 - Node 3 - Network Layer 6 - Public Cloud ● Cloud networking ● Build systems ● Access control ● Logging and monitoring ● Encryption ● The list goes on and on... 2 - Pod 1 - Container 0 - Kernel Defense in Depth
  • 21. Security in Layers The Mega Security Checklist ● Can containers run as root? ● Can containers mount sensitive volumes / directories? Read or Read / Write? ● Can Pods run in “Privileged” mode? ● What policies (PSP, custom, OPA) are in place and for who? ● Is RBAC enforcing the principle of least privilege? ● How are secrets being stored and retrieved? Rotated? Revoked? ● Where do container images come from? Are images being validated? These are just a few questions to consider when building out a Kubernetes AppSec strategy. Get the full checklist at: signalsciences.com/resources
  • 22. Kubernetes Security Tooling Protect Any App Cloud Containers, PaaS, & Serverless Against Any Attack ● OWASP Injection Attacks ● Business Logic Attacks ● Brute Force Attacks ● Application Abuse & Misuse ● Request Rate Limiting ● Account Takeover ● Bad Bots ● Virtual Patching Any DevOps Toolchain Generic Webhooks & Any Custom Tools via Full RESTFul/JSON API Layer 7 Visibility, Flexible Deployment, Scalable Protection Web Servers & Languages Gateways & Proxies Kubernetes Security Tooling
  • 25. Deploying Signal Sciences Demo Node Pod Pod Pod Pod :4000 :80 listener='http://127.0.0.1:4000' upstreams='http://127.0.0.1:80'
  • 26. Q&A