Contain your risk: Deploy secure containers with trust and confidence
Speakers
Brent Baude, Principal Software Engineer - Atomic and Docker Development, Red Hat
Randy Kilmon, VP, Engineering, Black Duck
Today’s Topics
1. Overview of Red Hat and Black Duck Container Security Partnership
2. State of Application Security and Open Source
3. Container Security Best Practices
Joint Value for Container Security Partnership
• Greater adoption of Docker containers with trust and confidence
• Move from test/dev to production workloads
• High-value or security-sensitive applications
• Address CISO & Security needs
• Use existing and proven Black Duck-based risk management programs
Value to Customers (Enterprises & ISVs)
• Automate security of Linux containers in production with CI/CD integrations and trusted platform (OpenShift / Atomic Host)
• Differentiate with integration of enterprise-grade Risk Assessment by Black Duck
Open Source Embraced By The Enterprise
OPEN SOURCE
• Needed functionality without acquisition costs
• Faster time to market
• Lower development costs
• Broad support from communities
CUSTOM CODE
• Proprietary functionality
• Core enterprise IP
• Competitive differentiation
Reference: Black Duck Software audits
• On average, open source comprised over 30% of the code base
• > 98% of the applications tested used open source
Open Source Enters the Code Base in Many Ways
[Diagram: open source code arriving through internal code, outsourced code, legacy code, reused code, supply chain code, third party code and delivered code]
4 Factors That Make Open Source Different
• Easy access to code
• Exploits readily available
• Vulnerabilities are public
• Used everywhere
Safe and Trusted Use of Containers Is Critical to Adoption
Security is ranked as the #1 adoption challenge for containers
60% of customers are concerned about container security and lack of certification/image provenance
40% of general container images contain high-priority vulnerabilities
4,000 new vulnerabilities in open source reported annually, e.g., Heartbleed, Shellshock, Venom, Ghost
98% of companies are using open source software they don’t know about
Container Security Best Practices
Top 3 Container Security Concerns
1. Security of Docker and its infrastructure
2. Authenticity and provenance of the images
3. Content within the containers Docker runs
Docker Infrastructure
Docker Daemon / Docker Socket
• Docker itself must run as root on the host system
• Attacks targeting the host system coming in through Docker would have root privileges
• Many Docker containers run with the --privileged flag set, which extends the privileges of the container and allows it to access all devices on the host system (BAD idea)
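The three points above (a root daemon, --privileged containers, access to every host device) are exactly the settings a deployment review should catch before a container reaches production. The following is an added example, not code from the deck, from Red Hat or from Black Duck: a small Python audit over the JSON that `docker inspect` emits, flagging --privileged, a bind-mounted daemon socket, shared host namespaces, added capabilities and a process running as root. The two container records are constructed samples, and the severity labels are the example's own choice.

```python
"""Flag risky container settings from `docker inspect` output.

Added example (not from the Red Hat / Black Duck deck). Feed it the JSON array
written by `docker inspect $(docker ps -q) > containers.json`; the two records
at the bottom are constructed samples, not real containers.
"""
import json

DOCKER_SOCKET = "/var/run/docker.sock"


def audit_container(record):
    """Return a list of (severity, message) findings for one inspect record."""
    findings = []
    host_cfg = record.get("HostConfig", {})
    cfg = record.get("Config", {})
    name = record.get("Name", "?").lstrip("/")

    # --privileged: every host device, every capability, no seccomp/LSM confinement
    if host_cfg.get("Privileged"):
        findings.append(("HIGH", f"{name}: runs with --privileged"))

    # Bind-mounting the daemon socket is equivalent to root on the host
    for bind in host_cfg.get("Binds") or []:
        if bind.split(":")[0] == DOCKER_SOCKET:
            findings.append(("HIGH", f"{name}: mounts {DOCKER_SOCKET}"))

    # Sharing host namespaces removes the isolation the container was meant to give
    for key in ("NetworkMode", "PidMode", "IpcMode"):
        if host_cfg.get(key) == "host":
            findings.append(("MEDIUM", f"{name}: {key}=host"))

    # Capabilities granted beyond Docker's default set
    for cap in host_cfg.get("CapAdd") or []:
        findings.append(("MEDIUM", f"{name}: adds capability {cap}"))

    # An empty Config.User means the entrypoint runs as root inside the container
    if not cfg.get("User"):
        findings.append(("LOW", f"{name}: process runs as root (no USER set)"))

    return findings


def audit_all(inspect_json):
    """Audit every record in a `docker inspect` JSON array; returns {name: findings}."""
    return {rec["Name"].lstrip("/"): audit_container(rec) for rec in json.loads(inspect_json)}


# Constructed sample: one risky container and one reasonably locked-down one.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/build-agent",
     "Config": {"User": ""},
     "HostConfig": {"Privileged": True,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                    "NetworkMode": "host", "PidMode": "", "IpcMode": "",
                    "CapAdd": ["SYS_ADMIN"]}},
    {"Name": "/web",
     "Config": {"User": "1001"},
     "HostConfig": {"Privileged": False,
                    "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
                    "NetworkMode": "bridge", "PidMode": "", "IpcMode": "",
                    "CapAdd": None}},
])

if __name__ == "__main__":
    for container, findings in audit_all(SAMPLE_INSPECT).items():
        print(f"{container}: {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Every field read here (`HostConfig.Privileged`, `Binds`, `NetworkMode`, `PidMode`, `IpcMode`, `CapAdd`, `Config.User`) is part of the regular `docker inspect` output, so the same function works unchanged on a real dump.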
Linux Adaptations to Counter Infrastructure Threats
Red Hat Atomic Host
• SELinux (multi-tenancy)
• “Locked down” system (read-only /usr)
• Intended to change configurations only in /var & /etc
• No yum package manager
VMware Photon and Lightwave
• Photon is an optimized and secured Linux host designed for running containers at scale
• Lightwave used for managing authorization and identity management
Container Content Vulnerabilities
Containers can be at risk by virtue of the code that runs inside them
• OSS components running inside containers represent potential attack vectors
• Could cause problems for the application itself
• Could cause more problems if the container is running with the --privileged flag set
• Different open source flavors and versions, as well as different module versions
Ensuring Content Integrity
Manage and monitor container content carefully…
• Dockerfile analysis is insufficient
  • .tar, .zip files could have anything inside them
  • Other layers are just referenced from other registries
• Asking the package manager is insufficient
  • Not all modules are under the package manager’s purview
  • Application layer code (.jar’s, e.g.) is never managed in this way
• File inspection (scanning) is the only way to be sure about what’s there!!
Container Security - Industry Efforts
Docker
Founder Solomon Hykes announced the Nautilus project in the opening day keynote speech of DockerCon EU in November.
• Focused only on their 91 “official” (read: carefully/manually curated) images
• Some static analysis
Red Hat
Container Certification Program
• Tested, certified, signed, supported container images for Red Hat and partner offerings
• Dockerfile inspection
Red Hat Container Certification
UNTRUSTED
● Will what’s inside the containers compromise your infrastructure?
● How and when will apps and libraries be updated?
● Will it work from host to host?
RED HAT CERTIFIED
● Trusted source for the host and the containers
● Trusted content inside the container with security fixes available as part of an enterprise lifecycle
● Portability across hosts
● Container Development Kit
● Certification as a service
● Certification catalog
● Red Hat Container Registry
[Diagram: host OS and container stack (OS, runtime, app), shown twice, for the untrusted and the Red Hat certified case]
Black Duck – Level 2 Container Security
• Platform-agnostic support in Hub for analyzing all content (whether inside containers or not)
• Docker host integration for scanning images
• Signature-based file identification
• Automated identification
• Able to show in which layer the component was introduced
• Vulnerability reporting over time / alerting
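Two of the claims above call for the same demonstration: that only file-level inspection finds content hidden in .tar/.zip files and application-layer .jar's (Ensuring Content Integrity), and that a scanner should report the layer in which a component was introduced (Black Duck Level 2). The following Python is an added example, not Black Duck's or Red Hat's code: it walks constructed image layers in build order, recurses into nested tar and zip archives, hashes each leaf file and matches the hash against a constructed signature table that stands in for the Black Duck KnowledgeBase. Component names, versions and vulnerability ids are placeholders.

```python
"""Layer-aware, signature-based file identification for container images.

Added example, not code from Black Duck or Red Hat. The layers, the files and
the signature table below are all constructed for the example; the
vulnerability ids are placeholders, not real advisories.
"""
import hashlib
import io
import tarfile
import zipfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def iter_leaf_files(data: bytes, path: str = ""):
    """Yield (path, bytes) for each non-archive file, recursing into tar and zip.

    A .jar is a zip, so classes shipped inside an application archive are
    reached even though no package manager ever saw them.
    """
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for member in tf.getmembers():
                if member.isfile():
                    inner = tf.extractfile(member).read()
                    yield from iter_leaf_files(inner, f"{path}/{member.name}")
            return
    except tarfile.TarError:
        pass  # not a tar archive; try zip, then treat as a plain file
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield from iter_leaf_files(zf.read(info), f"{path}/{info.filename}")
        return
    yield path, data


def scan_image(layers, knowledge_base):
    """layers: [(layer_id, tar_bytes), ...] in build order.

    Returns identified components, each recorded against the first layer in
    which a matching file appeared; a copy in a later layer does not override.
    """
    seen = {}
    for index, (layer_id, layer_tar) in enumerate(layers):
        for path, content in iter_leaf_files(layer_tar):
            digest = sha256(content)
            match = knowledge_base.get(digest)
            if match and digest not in seen:
                seen[digest] = {**match, "path": path,
                                "layer_index": index, "layer_id": layer_id}
    return sorted(seen.values(), key=lambda c: (c["layer_index"], c["path"]))


def vulnerable(components):
    """Subset of scan results that carry at least one known vulnerability."""
    return [c for c in components if c["vulns"]]


# ---- constructed sample image -------------------------------------------
def make_tar(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def make_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


SSL_LIB = b"constructed stand-in for a shared library\n"
LOGGER_CLASS = b"constructed stand-in for a Java class file\n"
APP_JAR = make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                    "org/example/log/Logger.class": LOGGER_CLASS})

SAMPLE_LAYERS = [
    ("layer-0-base", make_tar({"usr/lib64/libexample-ssl.so.1": SSL_LIB})),
    ("layer-1-app", make_tar({"opt/app/lib/app.jar": APP_JAR,
                              "etc/app.conf": b"port=8080\n"})),
]

# A real KnowledgeBase maps file signatures to component releases; these two
# entries are derived from the constructed bytes above so the scan runs offline.
KNOWLEDGE_BASE = {
    sha256(SSL_LIB): {"component": "example-ssl-lib", "version": "1.0.1",
                      "vulns": ["VULN-PLACEHOLDER-001"]},
    sha256(LOGGER_CLASS): {"component": "example-logging-lib", "version": "2.3",
                           "vulns": []},
}

if __name__ == "__main__":
    for c in scan_image(SAMPLE_LAYERS, KNOWLEDGE_BASE):
        flag = "  VULNERABLE" if c["vulns"] else ""
        print(f"{c['component']} {c['version']} at {c['path']} "
              f"(introduced in {c['layer_id']}){flag}")
```

On a real image the layer tarballs come from `docker save`, fed to `scan_image` in build order; the logging library is found only because the scanner descended into app.jar inside the layer tar, which neither a Dockerfile read nor an rpm query would report.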
The Black Duck KnowledgeBase
Red Hat Atomic + Black Duck Hub Integration
Red Hat container scanning API
Enabling multiple container scanners via a simple interface
RED HAT CONTAINER SCANNING INTERFACE
MORE SECURE CONTAINERS WITH PLUGGABLE SCANNING CAPABILITY
Atomic CLI (https://github.com/projectatomic/atomic)
• User-friendly wrapper for containers
• Significant function add focused on ease-of-use
• Scan sub-command is modular, allows for scan-based plugins
• Intended for ISVs or customized plug-ins
Atomic Scan
• List shows which scanners are configured for the system
• For RHEL, atomic is pre-configured with the openscap scanner
Installing the Black Duck Scanner is Simple with Atomic
• Pulls the correct image from the registry
• Runs a configuration script
• Use --scanner to choose the desired scanner
• Default scanner can be defined in /etc/atomic.conf
Black Duck Scanner - Installed
Scanning an Image
Local Docker daemon shows 3 images. Let’s scan one.
Scanning is Easy
• Simple test scanning the RHEL7 image from the Red Hat registry.
• At the end of the scan, you receive a URL to examine the report on the Black Duck web interface.
Additional Scan Options
• Scan one or more containers and/or images: --containers, --images, --all
• --rootfs allows you to scan a mounted filesystem (think libguestfs mounts of your VMs)
Identify OSS and Understand Risk
• Scan code to identify OSS components in use
• Understand risk factors (security, license, operational)
• Identify licenses, versions, community activity
• View known security vulnerabilities associated with OSS in use within your projects
• Monitor for new vulnerabilities
Review Bill of Materials
Triage & Remediate Vulnerabilities
• Review project vulnerabilities
• Assess, triage and prioritize
• Schedule and track planned and actual remediation dates
Monitor for New Vulnerabilities
Cockpit – Browser Based Administration Tool
http://cockpit-project.org/
• Can manage containers
• New proposed features:
  • Working to display vulnerable images/containers
  • Allow users to scan from the web UI
Next Steps ...
• Identify critical container images
• Perform a free scan of those images
• Identify Hub integration points in your development process
• Transition to a minimal container host
• Implement policy to monitor for security risk
Free Container Tools and Information
Free Docker Container Security Scanner
• https://info.blackducksoftware.com/Security-Scan.html
14 Day Free Trial to Black Duck Hub
• https://info.blackducksoftware.com/Hub-Free-Trial.html
Red Hat Atomic Host Integration (Requires Black Duck Hub)
1. atomic install blackducksoftware/atomic
2. atomic scan --scanner blackduck [container]
Red Hat Container Content
• https://www.redhat.com/en/insights/containers
• https://www.redhat.com/en/technologies/topic/containers