murray goldschmidt - sense of security · process ui (container, presentation layer) appserver...

Murray GoldschmidtChief Operating Officer – Sense of Security Pty Ltd

Micro Services, Containers and Serverless PaaS Web Apps? How safe are you?

© Sense of Security Pty Ltd 2018

1

Serverless,

Microservices and

Container Security

4

CI/CD Integration for

Automated Security

2

Key Implications for

Penetration Testing

Programs

End to End

Vulnerability

Management

3

Key Security features

for Container

Deployments

Continuous

Monitoring,

Governance &

Compliance Reporting

14-Sep-18Sense of Security

A

G

E

N

D

A


Are Containers As Good as it Gets?

14-Sep-18

Cloud containers are designed to virtualize a single application

Sense of Security

*** Modified *** https://searchcloudsecurity.techtarget.com/feature/Cloud-containers-what-they-are-and-how-they-work


As Good as it Gets?

14-Sep-18

e.g., you have a MySQL container and that's all it does, provide a virtual instance of that application.

Sense of Security



As Good as it Gets?

14-Sep-18

Containers ***SHOULD*** create an isolation boundary at the application level rather than at the server level.

Sense of Security



As Good as it Gets?

14-Sep-18

This isolation ***SHOULD*** mean that if anything goes wrong in that single container (e.g., excessive consumption of resources by a process) it only affects that individual container and not the whole VM or whole server.

Sense of Security


https://searchservervirtualization.techtarget.com/definition/container-based-virtualization-operating-system-level-virtualization



Container Security – Tech Neutral

Security Requirements Addressed By

Intrinsic Security of the Kernel Supply Chain Risk Mgt/ Vuln Mgt/ CaaS

Attack Surface Reduction Hardening/Config Mgt/Vuln Mgt

Container Configuration Configuration Management

Hardening of the Kernel and how it interacts with Containers

Hardening



Monolithic vs Microservices Architecture



Page 9




Page 10

Monolithic vs Micro Services (API Centric)

https://developer.ibm.com/courses/monolithic-architecture-versus-microservices-architecture-dwc024/



Page 11

Example: Microsoft eShop Reference Architecture



Page 12

Example: Microsoft eShop Reference Architecture


VM vs. Containers (where the abstraction occurs)

VM

cont.

Cont.

Cont.

Cont.

ContN

cont.

Cont.

Cont.

Cont.

ContN

Hardware

Hypervisor 1

VM

VM

VM

VM

VM

Hardware

Host OS

VM

VM

VM

VM

VM

Hypervisor 2

Hardware

Host OS

cont1

Cont2

Cont3

Cont4

ContN

Container Engine

Dep 1 Dep 2

Guest OS

Dependencies

Application

Container

App. Deps.

Application ABC

Virtualisation Containerisation

Type1 – Bare Metal Type 2



Page 15



Page 16



Page 17



Page 18



Page 20



Page 21

Dev

elo

per

s



Page 22

Hac

kers



Page 23

Ho

oki

ng

Low

est

Win

s



Page 24

No

rth

-So

uth

& E

ast-

Wes

t A

ttac

ks a

nd

Piv

ots

https://neuvector.com/network-security/securing-east-west-traffic-in-container-based-data-center/



Page 25

Break-In


Entry Point is usually a “Pin Hole” issue


Page 25

For example a known application issue



Page 26



Page 27

Containers – The “Contained” Challenge

IF you can Break-In

You then Need to Break-Out

http://www.marvinfrancismaninacage.com/



Page 28

Break-Out

<goWest goEast>



Page 29

Either Find a Container Vuln & Exploit


Or - Living off the Land

14-Sep-18

Relying on misconfiguration, ability to use native tools, or download new and execute

Sense of Security

Page 30



Page 31



Page 32



Page 33



Page 36



Page 37



Page 37

Co

nta

iner

TTL


Content Slide Layout

09-Oct-18Sense of Security

Page 38


Content Slide Layout


Page 39



Page 41

How to Upgrade your Vuln Mgt Program

What to expect from a Pen Test

Implications for CaaS

Supply Chain Risk DevSecOps



Page 42

Pen Test – Mechanical Attackvs Knowledge & Finesse



Page 9


© Sense of Security Pty Ltd 201814-Sep-18

Sense of Security

Page 45



Page 9



Page 46

https://neuvector.com/run-time-container-security/



Page 9

Load Balancing

Perimeter Public

Functions



Page 53



Page 54

Hac

k Tr

ansf

orm

atio

n



Page 54

https://neuvector.com/network-security/next-generation-firewall-vs-container-firewall/


Security Testing Needs to Go Down The Stack



User Interface (WebApps, forms, logons, API’s)



Framework (Struts, Spring, .NET)




Language (Java, PHP, .NET)





AppServer (IIS, Apache, Nginx)






Process UI (Container, presentation layer)











Process App (Container, application processing)








Process BackEnd (Container, database)









Operating System (Linux, Windows)










Clustering/Orchestration (CaaS, Swarm, Kubernetes)











Networking (SDN, SecGroups)

















Cloud Platform













Core Infrastructure

Cloud Platform




Page 56

Finesse



Page 58



Page 59



Page 60

Ther

e ar

e Pe

n T

ests

& T

her

e ar

e Pe

n T

ests

!

Lower Cost More considered

Predictable Requires expert capability, R&D

Even if a Web App/Service Pen Test not suitable for current technologies

Requires understanding of the full stack incl implications of -aaS

Doesn’t really assess the threats Requires persistence in an ephemeral setting

More North-South than East-West Yes – it will cost more

Check Box Assurance, Validation & Compliance


Blue Team: Key Steps to App Container Security

1 End-to-End Vulnerability Management

2 Container Attack Surface Reduction

3 User Access Control

4 Hardening the Host OS & the Container

5 SDLC Automation (DevOps)


Automated Vuln Mgt

Build• API’s & Plug-ins

• Third Party

Components

• Vuln Mgt

Automation

Registry• Automated

Scan of

Pub/Priv

Registry Host• Compliance

Scanning

• OS

• CaaS

Runtime• Audit logging

• Event logging

SHIFT LEFT

Image adapted from Qualys materials


Container Security Lifecycle Management & Compliance Summary

Adapted from: Ten Basic Steps To Secure Software Containers, Instructions For Safely Developing And Deploying Software In Containers,

by Amy DeMartine and Dave Bartoletti April 14, 2017



Develop / Build Test / Modify Release /

Production






Production

Use Trusted Images

Sign & Verify Images

Reduce Attack Surface

Privileged Access & Auth Mgt

Third Party Components Mgt (SCA)






Production

Use Trusted Images





Network Segmentation

User Authentication

Vulnerability Scanning

Harden the OS






Production

Use Trusted Images




Ongoing SecOps



User Authentication


Harden the OS






Production

Use Trusted Images




Ongoing SecOps

Advanced Security Controls



User Authentication


Harden the OS






Production

Use Trusted Images




Ongoing SecOps

Advanced Security Controls

Vulnerability Management



User Authentication


Harden the OS




1Serverless, Microservices and Container Security

4

CI/CD Integration for Automated Security

2Key Implications for Penetration Testing Programs

End to End Vulnerability Management

3

Key Security features for Container Deployments

Continuous Monitoring, Governance & Compliance Reporting


Page 64

Rec

ap


•[email protected]

mailto:[email protected]

murray goldschmidt - sense of security · process ui (container, presentation layer) appserver...

Documents