Murray Goldschmidt, Chief Operating Officer – Sense of Security Pty Ltd
Micro Services, Containers and Serverless PaaS Web Apps? How safe are you?
© Sense of Security Pty Ltd 2018
AGENDA
1 Serverless, Microservices and Container Security
2 Key Implications for Penetration Testing Programs
3 Key Security features for Container Deployments
4 CI/CD Integration for Automated Security
End to End Vulnerability Management
Continuous Monitoring, Governance & Compliance Reporting
14-Sep-18 Sense of Security Page 2
Are Containers As Good as it Gets?
Cloud containers are designed to virtualize a single application, e.g., you have a MySQL container and that's all it does: provide a virtual instance of that application.
Containers ***SHOULD*** create an isolation boundary at the application level rather than at the server level.
This isolation ***SHOULD*** mean that if anything goes wrong in that single container (e.g., excessive consumption of resources by a process) it only affects that individual container and not the whole VM or whole server.
*** Modified *** https://searchcloudsecurity.techtarget.com/feature/Cloud-containers-what-they-are-and-how-they-work
Container Security – Tech Neutral
Security Requirements | Addressed By
Intrinsic Security of the Kernel | Supply Chain Risk Mgt / Vuln Mgt / CaaS
Attack Surface Reduction | Hardening / Config Mgt / Vuln Mgt
Container Configuration | Configuration Management
Hardening of the Kernel and how it interacts with Containers | Hardening
Monolithic vs Microservices Architecture
Monolithic vs Micro Services (API Centric)
https://developer.ibm.com/courses/monolithic-architecture-versus-microservices-architecture-dwc024/
Example: Microsoft eShop Reference Architecture
VM vs. Containers (where the abstraction occurs)
Diagram: three stacks side by side.
Virtualisation, Type 1 – Bare Metal: Hardware → Hypervisor 1 → VM, VM, VM, VM, VM
Virtualisation, Type 2: Hardware → Host OS → Hypervisor 2 → VM, VM, VM, VM, VM
Containerisation: Hardware → Host OS → Container Engine → cont1, Cont2, Cont3, Cont4, ContN
Each VM carries a Guest OS, Dependencies (Dep 1, Dep 2) and the Application; each Container carries only Application ABC and its App. Deps.
Developers
Hackers
Hooking Lowest Wins
North-South & East-West Attacks and Pivots
https://neuvector.com/network-security/securing-east-west-traffic-in-container-based-data-center/
Break-In
Entry Point is usually a “Pin Hole” issue, for example a known application issue.
Containers – The “Contained” Challenge
IF you can Break-In
You then Need to Break-Out
http://www.marvinfrancismaninacage.com/
Break-Out
<goWest goEast>
Either Find a Container Vuln & Exploit
Or - Living off the Land
Relying on misconfiguration, ability to use native tools, or download new and execute
Container TTL
09-Oct-18 Sense of Security Page 38
How to Upgrade your Vuln Mgt Program
What to expect from a Pen Test
Implications for CaaS
Supply Chain Risk
DevSecOps
Pen Test – Mechanical Attack vs Knowledge & Finesse
Monolithic vs Microservices Architecture
https://neuvector.com/run-time-container-security/
Diagram: Load Balancing – Perimeter – Public – Functions
Hack Transformation
https://neuvector.com/network-security/next-generation-firewall-vs-container-firewall/
Security Testing Needs to Go Down The Stack
© Sense of Security Pty Ltd 2018
Security Testing Needs to Go Down The Stack
User Interface (WebApps, forms, logons, API’s)
© Sense of Security Pty Ltd 2018
Security Testing Needs to Go Down The Stack
Framework (Struts, Spring, .NET)
User Interface (WebApps, forms, logons, API’s)
© Sense of Security Pty Ltd 2018
Security Testing Needs to Go Down The Stack
Language (Java, PHP, .NET)
Framework (Struts, Spring, .NET)
User Interface (WebApps, forms, logons, API’s)
© Sense of Security Pty Ltd 2018
Security Testing Needs to Go Down The Stack
AppServer (IIS, Apache, Nginx)
Language (Java, PHP, .NET)
Framework (Struts, Spring, .NET)
User Interface (WebApps, forms, logons, API’s)
© Sense of Security Pty Ltd 2018
Security Testing Needs to Go Down The Stack
Process UI (Container, presentation layer)
AppServer (IIS, Apache, Nginx)
Language (Java, PHP, .NET)
Framework (Struts, Spring, .NET)
User Interface (WebApps, forms, logons, API’s)
© Sense of Security Pty Ltd 2018
Security Testing Needs to Go Down The Stack
Process UI (Container, presentation layer)
AppServer (IIS, Apache, Nginx)
Language (Java, PHP, .NET)
Framework (Struts, Spring, .NET)
Process App (Container, application processing)
User Interface (WebApps, forms, logons, API’s)
© Sense of Security Pty Ltd 2018
Security Testing Needs to Go Down The Stack
Process UI (Container, presentation layer)
AppServer (IIS, Apache, Nginx)
Language (Java, PHP, .NET)
Framework (Struts, Spring, .NET)
Process BackEnd (Container, database)
Process App (Container, application processing)
User Interface (WebApps, forms, logons, API’s)
© Sense of Security Pty Ltd 2018
Security Testing Needs to Go Down The Stack
Process UI (Container, presentation layer)
AppServer (IIS, Apache, Nginx)
Language (Java, PHP, .NET)
Framework (Struts, Spring, .NET)
Operating System (Linux, Windows)
Process BackEnd (Container, database)
Process App (Container, application processing)
User Interface (WebApps, forms, logons, API’s)
© Sense of Security Pty Ltd 2018
Security Testing Needs to Go Down The Stack
Process UI (Container, presentation layer)
AppServer (IIS, Apache, Nginx)
Language (Java, PHP, .NET)
Framework (Struts, Spring, .NET)
Clustering/Orchestration (CaaS, Swarm, Kubernetes)
Operating System (Linux, Windows)
Process BackEnd (Container, database)
Process App (Container, application processing)
User Interface (WebApps, forms, logons, API’s)
© Sense of Security Pty Ltd 2018
Security Testing Needs to Go Down The Stack
Process UI (Container, presentation layer)
AppServer (IIS, Apache, Nginx)
Language (Java, PHP, .NET)
Framework (Struts, Spring, .NET)
Networking (SDN, SecGroups)
Clustering/Orchestration (CaaS, Swarm, Kubernetes)
Operating System (Linux, Windows)
Process BackEnd (Container, database)
Process App (Container, application processing)
User Interface (WebApps, forms, logons, API’s)
© Sense of Security Pty Ltd 2018
Security Testing Needs to Go Down The Stack
Process UI (Container, presentation layer)
AppServer (IIS, Apache, Nginx)
Language (Java, PHP, .NET)
Framework (Struts, Spring, .NET)
Networking (SDN, SecGroups)
Clustering/Orchestration (CaaS, Swarm, Kubernetes)
Operating System (Linux, Windows)
Process BackEnd (Container, database)
Process App (Container, application processing)
Cloud Platform
User Interface (WebApps, forms, logons, API’s)
© Sense of Security Pty Ltd 2018
Security Testing Needs to Go Down The Stack
Process UI (Container, presentation layer)
AppServer (IIS, Apache, Nginx)
Language (Java, PHP, .NET)
Framework (Struts, Spring, .NET)
Networking (SDN, SecGroups)
Clustering/Orchestration (CaaS, Swarm, Kubernetes)
Operating System (Linux, Windows)
Process BackEnd (Container, database)
Process App (Container, application processing)
Core Infrastructure
Cloud Platform
User Interface (WebApps, forms, logons, API’s)
© Sense of Security Pty Ltd 2018
Security Testing Needs to Go Down The Stack
Process UI (Container, presentation layer)
AppServer (IIS, Apache, Nginx)
Language (Java, PHP, .NET)
Framework (Struts, Spring, .NET)
Networking (SDN, SecGroups)
Clustering/Orchestration (CaaS, Swarm, Kubernetes)
Operating System (Linux, Windows)
Process BackEnd (Container, database)
Process App (Container, application processing)
Core Infrastructure
Cloud Platform
User Interface (WebApps, forms, logons, API’s)
© Sense of Security Pty Ltd 2018
Security Testing Needs to Go Down The Stack
Process UI (Container, presentation layer)
AppServer (IIS, Apache, Nginx)
Language (Java, PHP, .NET)
Framework (Struts, Spring, .NET)
Networking (SDN, SecGroups)
Clustering/Orchestration (CaaS, Swarm, Kubernetes)
Operating System (Linux, Windows)
Process BackEnd (Container, database)
Process App (Container, application processing)
Core Infrastructure
Cloud Platform
User Interface (WebApps, forms, logons, API’s)
© Sense of Security Pty Ltd 2018
Finesse
There are Pen Tests & There are Pen Tests!
Mechanical Attack | Knowledge & Finesse
Lower Cost | More considered
Predictable | Requires expert capability, R&D
Even if a Web App/Service Pen Test, not suitable for current technologies | Requires understanding of the full stack incl implications of -aaS
Doesn’t really assess the threats | Requires persistence in an ephemeral setting
More North-South than East-West | Yes – it will cost more
Check Box | Assurance, Validation & Compliance
Blue Team: Key Steps to App Container Security
1 End-to-End Vulnerability Management
2 Container Attack Surface Reduction
3 User Access Control
4 Hardening the Host OS & the Container
5 SDLC Automation (DevOps)
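The isolation that containers ***SHOULD*** give (earlier slide) only holds when limits and a restricted security context are actually set, which is what steps 2 to 4 above come down to in a deployment. As an added example, not the deck's own code, this Python check audits a constructed Kubernetes-style Pod spec for those points; the securityContext and resources field names are the real Kubernetes ones, while the check wording, the sample specs and the placeholder digest are assumptions.

```python
# Added example, not the deck's own code: audits a constructed dict shaped like
# a Kubernetes Pod spec (real securityContext/resources field names) against
# the deck's hardening points; the check wording is mine.
from typing import Any, Dict, List


def audit_container(c: Dict[str, Any]) -> List[str]:
    """Return findings for one container entry; an empty list means clean."""
    name = c.get("name", "?")
    findings: List[str] = []
    sc = c.get("securityContext", {})
    limits = c.get("resources", {}).get("limits", {})
    # Isolation 'SHOULD' hold, but only if limits exist: an unlimited process
    # can starve every other container on the same host.
    for res in ("cpu", "memory"):
        if res not in limits:
            findings.append(f"{name}: no {res} limit, isolation not enforced")
    # Attack surface reduction and hardening of the container itself.
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container (host-level access)")
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation not set to false")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(f"{name}: root filesystem is writable")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        findings.append(f"{name}: Linux capabilities not dropped (drop: [ALL])")
    # User access control: the process should not be root inside the container.
    if not sc.get("runAsNonRoot"):
        findings.append(f"{name}: runAsNonRoot not set")
    # A mutable tag defeats 'sign & verify images'; pin by digest instead.
    image = c.get("image", "")
    if "@sha256:" not in image:
        findings.append(f"{name}: image not pinned by digest ({image})")
    return findings


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    findings: List[str] = []
    for c in pod.get("spec", {}).get("containers", []):
        findings.extend(audit_container(c))
    return findings


# Constructed samples (placeholder digest): an unconstrained spec beside a hardened one.
WEAK_POD = {"spec": {"containers": [
    {"name": "app", "image": "app:latest", "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"spec": {"containers": [{
    "name": "app", "image": "registry.example/app@sha256:" + "0" * 64,
    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
    "securityContext": {"runAsNonRoot": True, "privileged": False,
                        "allowPrivilegeEscalation": False,
                        "readOnlyRootFilesystem": True,
                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or ["clean"])
```

The weak spec produces eight findings and the hardened one none; the same checks can be run over real manifests once they are parsed into dicts.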
Automated Vuln Mgt
Build
• API’s & Plug-ins
• Third Party Components
• Vuln Mgt Automation
Registry
• Automated Scan of Pub/Priv Registry
Host
• Compliance Scanning
• OS
• CaaS
Runtime
• Audit logging
• Event logging
SHIFT LEFT
Image adapted from Qualys materials
Container Security Lifecycle Management & Compliance Summary
Phases: Develop / Build → Test / Modify → Release / Production
Use Trusted Images
Sign & Verify Images
Reduce Attack Surface
Privileged Access & Auth Mgt
Ongoing SecOps
Advanced Security Controls
Vulnerability Management
Third Party Components Mgt (SCA)
Network Segmentation
User Authentication
Vulnerability Scanning
Harden the OS
Adapted from: Ten Basic Steps To Secure Software Containers, Instructions For Safely Developing And Deploying Software In Containers, by Amy DeMartine and Dave Bartoletti, April 14, 2017
Recap
1 Serverless, Microservices and Container Security
2 Key Implications for Penetration Testing Programs
3 Key Security features for Container Deployments
4 CI/CD Integration for Automated Security
End to End Vulnerability Management
Continuous Monitoring, Governance & Compliance Reporting