![Page 1: The How and Why of Container Vulnerability Management](https://reader036.vdocuments.us/reader036/viewer/2022070602/5873f5341a28abb1528b5f11/html5/thumbnails/1.jpg)
The How and Why of Container Vulnerability Management
OpenShift Commons
Page 2
#whoami – Tim Mackey
Current roles:
• Senior Technical Evangelist; occasional coder
• Former XenServer Community Manager in Citrix Open Source Business Office
Cool things I’ve done:
• Designed laser communication systems
• Early designer of retail self-checkout machines
• Embedded special relativity algorithms into industrial control systems
Find me:
• Twitter: @TimInTech (https://twitter.com/TimInTech)
• SlideShare: slideshare.net/TimMackey
• LinkedIn: www.linkedin.com/in/mackeytim
Page 3
Understanding the Attacker Model
Page 4
Vulnerability Management Implies Data Breach Management
89% of data breaches had a financial or espionage motive
Legal costs and forensics dominate remediation expenses
Source: Verizon 2016 Data Breach Report
Page 5
Attackers Decide What’s Valuable …
Page 6
But security investment is often not aligned with actual risks
Page 7
Anatomy of a New Attack
• Potential Attack
• Iterate
• Test against platforms
• Document
• Don’t forget PR department!
• Deploy
Page 8
Understanding Scope of Compromise – Protect From the Inside
[Diagram: a Hypervisor under a Control Domain providing Networking, Compute and Storage. Two Container VMs each run a Minimal OS; the first hosts three Containers, the second hosts three Containers plus a Security Service Container.]
Page 9
Exploiting a Vulnerability
Page 10
Who is Responsible for Code and Security?
Closed source commercial code:
• Dedicated security researchers
• Alerting and notification infrastructure
• Regular patch updates
• Dedicated support team with SLA
Open source code:
• “Community”-based code analysis
• Monitor newsfeeds yourself
• No standard patching mechanism
• Ultimately, you are responsible
Page 11
Knowledge is Key. Can You Keep Up?
Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
• July 2015 – glibc bug reported
Page 12
Knowledge is Key. Can You Keep Up?
Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
• May 2008 – glibc vuln introduced
• July 2015 – glibc bug reported
• Feb 16, 2016 – CVE-2015-7547 CVE assigned
Risk band shown: Low Security Risk
Page 13
Knowledge is Key. Can You Keep Up?
Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
• May 2008 – glibc vuln introduced
• July 2015 – glibc bug reported
• Feb 16, 2016 – CVE-2015-7547 CVE assigned
• Feb 18, 2016 – Vuln published in the National Vulnerability Database
Risk bands shown: Low Security Risk, Moderate Security Risk
Page 14
Knowledge is Key. Can You Keep Up?
Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
• May 2008 – glibc vuln introduced
• July 2015 – glibc bug reported
• Feb 16, 2016 – CVE-2015-7547 CVE assigned
• Feb 18, 2016 – Vuln published in the National Vulnerability Database
• You find it
• Patches available
• You fix it
Risk bands shown: Low Security Risk, Moderate Security Risk, Highest Security Risk
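The timeline on pages 11–14 is, in practice, a matching problem: cross what is running against what has been published, then measure how long each phase lasted. The following is an added example written for this page, not code from the talk or from any Black Duck or Red Hat tool. The dates are the ones on the slide (where the slide gives only a month, the first of the month is assumed); the affected version range, the inventory and the scan date are constructed sample data.

```python
"""Match an image's package inventory against vulnerability advisories and
compute how long each finding spent in each phase of the disclosure
timeline (latent, reported-but-private, public)."""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    affected_min: tuple   # first affected upstream version, inclusive
    fixed_in: tuple       # first fixed upstream version, exclusive
    introduced: date      # flaw entered the code base
    reported: date        # bug reported upstream
    published: date       # entry published in the NVD


@dataclass(frozen=True)
class Package:
    name: str
    version: str


# CVE-2015-7547 as shown on the slide. "May 2008" and "July 2015" carry
# no day, so the 1st is assumed; the version range is constructed.
GLIBC_ADVISORY = Advisory(
    cve="CVE-2015-7547",
    component="glibc",
    affected_min=(2, 9),
    fixed_in=(2, 23),
    introduced=date(2008, 5, 1),
    reported=date(2015, 7, 1),
    published=date(2016, 2, 18),
)

# Constructed scan date and image inventory.
SCAN_DATE = date(2016, 3, 1)
SAMPLE_INVENTORY = [
    Package("glibc", "2.22"),
    Package("openssl", "1.0.2f"),
    Package("bash", "4.3.42"),
]


def parse_version(text):
    """'2.17-106.el7' -> (2, 17, 106): keep the leading digits of each
    dotted or dashed chunk and drop chunks that have none ('el7')."""
    parts = []
    for chunk in re.split(r"[.-]", text):
        m = re.match(r"\d+", chunk)
        if m:
            parts.append(int(m.group()))
    return tuple(parts)


def is_affected(pkg, adv):
    """True when the package is the advisory's component and its version
    lies in [affected_min, fixed_in)."""
    if pkg.name != adv.component:
        return False
    return adv.affected_min <= parse_version(pkg.version) < adv.fixed_in


def exposure_windows(adv, today):
    """Length in days of the three phases the slide draws."""
    return {
        "latent_days": (adv.reported - adv.introduced).days,
        "report_to_public_days": (adv.published - adv.reported).days,
        "public_days": (today - adv.published).days,
    }


def find_vulnerable(inventory, advisories, today):
    """One finding per (package, advisory) match, oldest public first, so
    the longest-exposed findings are remediated first."""
    findings = []
    for pkg in inventory:
        for adv in advisories:
            if is_affected(pkg, adv):
                finding = {"cve": adv.cve, "package": f"{pkg.name}-{pkg.version}"}
                finding.update(exposure_windows(adv, today))
                findings.append(finding)
    return sorted(findings, key=lambda f: f["public_days"], reverse=True)


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_INVENTORY, [GLIBC_ADVISORY], SCAN_DATE):
        print(f)
```

Plain upstream version-range matching is the simplest possible matcher and it over-reports on distribution packages, because vendors backport fixes without bumping the upstream version; a production scanner has to consult the distribution's own errata for that, which is the reason the later slides lean on vendor vulnerability data rather than NVD ranges alone.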
Page 15
Understanding Vulnerability Impact
Page 16
Vulnerability Disclosures Trending Upward
[Chart: Open Source Vulnerabilities Reported Per Year, 1999–2015; y-axis 0–3500; two series: BDS-exclusive and nvd.]
Reference: Black Duck Software KnowledgeBase, NVD
Page 17
Container Production Growth Continues
Page 18
Securing the Container Contents and Environment
Page 19
Baseline to Limit the Scope of Compromise
• Enable Linux Security Modules
  • SELinux: --selinux-enabled on the Docker engine, --security-opt=“label:profile”
• Apply Linux kernel security profiles
  • grsecurity, PaX and seccomp protections for ASLR and RBAC
• Adjust privileged kernel capabilities
  • Reduce capabilities with --cap-drop
  • Beware --cap-add and --privileged=false, and CAP_SYS_ADMIN
• Use a minimal Linux host OS
  • Red Hat Enterprise Linux Atomic Host 7
• Reduce impact of noisy neighbors
  • Use cgroups to set CPU shares and memory
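Each bullet of this baseline corresponds to a field that the Docker engine records for a running container and prints under HostConfig in `docker inspect` output, so the baseline can be audited after the fact rather than trusted at `docker run` time. The following is an added example written for this page, not code from the talk or from Docker. Privileged, CapAdd, CapDrop, SecurityOpt, Memory and CpuShares are the field names Docker emits; the two sample configurations and the container Id are constructed.

```python
"""Audit the HostConfig section of `docker inspect` output against the
baseline on this slide: capability reduction, SELinux labelling, the
seccomp filter, and cgroup CPU/memory limits."""
import json

# Capabilities whose addition the baseline singles out.
RISKY_CAPS = {"SYS_ADMIN", "ALL"}


def normalize_cap(cap):
    """Docker accepts CAP_SYS_ADMIN, SYS_ADMIN and lower case; use one form."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_host_config(hc):
    """Return the list of baseline deviations; an empty list means compliant."""
    findings = []
    privileged = bool(hc.get("Privileged"))
    if privileged:
        findings.append("privileged: all capabilities and host devices exposed")
    added = {normalize_cap(c) for c in hc.get("CapAdd") or []}
    dropped = {normalize_cap(c) for c in hc.get("CapDrop") or []}
    for cap in sorted(added & RISKY_CAPS):
        findings.append(f"cap-add: {cap} grants near-root control of the kernel")
    if not dropped and not privileged:
        findings.append("cap-drop: nothing dropped from the default capability set")
    # SecurityOpt entries look like "label=type:svirt_apache_t" or
    # "seccomp=unconfined"; older engines wrote "label:..." with a colon.
    opts = [o if "=" in o else o.replace(":", "=", 1)
            for o in hc.get("SecurityOpt") or []]
    labels = [o for o in opts if o.startswith("label=")]
    if not labels:
        findings.append("selinux: no label option; engine default applies")
    elif "label=disable" in labels:
        findings.append("selinux: labelling disabled for this container")
    if "seccomp=unconfined" in opts:
        findings.append("seccomp: syscall filter disabled")
    if not hc.get("Memory"):
        findings.append("cgroups: no memory limit (noisy-neighbour risk)")
    if not hc.get("CpuShares"):
        findings.append("cgroups: default CPU shares, no relative weighting")
    return findings


def audit_inspect_output(text):
    """`docker inspect <id>` prints a JSON list; audit every entry by Id."""
    return {entry["Id"]: audit_host_config(entry["HostConfig"])
            for entry in json.loads(text)}


# Constructed: the HostConfig an unhardened `docker run --cap-add SYS_ADMIN
# --security-opt seccomp=unconfined` produces.
WEAK_CONFIG = {
    "Privileged": False,
    "CapAdd": ["SYS_ADMIN"],
    "CapDrop": None,
    "SecurityOpt": ["seccomp=unconfined"],
    "Memory": 0,
    "CpuShares": 0,
}

# Constructed: the same container once the slide's baseline is applied.
HARDENED_CONFIG = {
    "Privileged": False,
    "CapAdd": None,
    "CapDrop": ["ALL"],
    "SecurityOpt": ["label=type:svirt_apache_t"],
    "Memory": 256 * 1024 * 1024,
    "CpuShares": 512,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_host_config(cfg) or ["baseline met"])
```

Note the slide's own caveat in the cap-drop check: `--privileged=false` is the default and changes nothing, so a container with no CapDrop entry still runs with the full default capability set.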
Page 20
Red Hat Enterprise Linux Atomic Host 7
• What is Atomic Host?
  • Optimized RHEL7 variation designed for use with Docker
  • Uses SELinux for safeguards
  • Provides atomic upgrade and rollback capabilities via rpm-ostree
  • Pre-installed with Docker and Kubernetes
• Atomic App and Atomic Nulecule
  • Provides a model for multi-container application definition
  • Supports Docker, Kubernetes, OpenShift and Mesos
  • OpenShift artifacts run natively or via atomic provider
• Provides security compliance scan capabilities
Page 21
Container Source Trust
[Diagram: image sources feeding a Red Hat Atomic Host – Atomic App images, the Red Hat Registry, Docker Hub (MySQL, Redis, Jenkins) and Third Party and Custom Docker Containers.]
Problem: Who to trust, and why?
• Trusted source?
• Unexpected image contents
• Locked application layer versions (e.g. no yum update)
• Layer dependencies (monolithic vs micro-services)
• Validated when?
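The four questions on this slide can be asked mechanically of every image reference before it is pulled: which registry it names, whether it is pinned by digest (so the contents cannot change under a tag), whether its tag is a fixed version, and how recently it was validated. The following is an added example written for this page, not code from the talk or from Red Hat or Docker. The parsing rules follow Docker's reference grammar (a first path component containing a `.` or `:`, or equal to `localhost`, is a registry; otherwise the image comes from docker.io and official images live under `library/`). The registry allowlist, the digest, the validation dates and the policy thresholds are constructed.

```python
"""Answer the slide's source-trust questions for an image reference:
where it comes from, whether it is pinned, whether its version is locked,
and when it was last validated."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref):
    """Split 'host/path/name:tag@sha256:...' into its parts."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    head, sep, rest = ref.partition("/")
    if sep and ("." in head or ":" in head or head == "localhost"):
        registry, path = head, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:     # a colon in the last component is a tag
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path          # official images live under library/
    return ImageRef(registry, path, tag, digest)


@dataclass(frozen=True)
class TrustPolicy:
    trusted_registries: frozenset
    max_validation_age_days: int


def assess_trust(ref_str, last_validated, today, policy):
    """Return the slide's open questions that apply, as strings; an empty
    list means the reference passes the policy."""
    ref = parse_image_ref(ref_str)
    concerns = []
    if ref.registry not in policy.trusted_registries:
        concerns.append(f"trusted source? {ref.registry} is not an approved registry")
    if ref.digest is None:
        concerns.append("unexpected contents? not pinned by digest, tag can be re-pushed")
    if ref.tag in (None, "latest"):
        concerns.append("locked versions? floating tag, the layer set changes over time")
    if last_validated is None:
        concerns.append("validated when? never scanned")
    elif (today - last_validated).days > policy.max_validation_age_days:
        concerns.append(f"validated when? last scan {(today - last_validated).days} days ago")
    return concerns


# Constructed policy, dates and digest (the digest is a placeholder, not real).
POLICY = TrustPolicy(
    trusted_registries=frozenset({"registry.access.redhat.com",
                                  "registry.example.internal:5000"}),
    max_validation_age_days=30,
)
TODAY = date(2016, 3, 1)
RECENT_SCAN = date(2016, 2, 20)
STALE_SCAN = date(2016, 1, 1)
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

if __name__ == "__main__":
    for ref, scanned in (
        (f"registry.access.redhat.com/rhel7/rhel:7.2@{PLACEHOLDER_DIGEST}", RECENT_SCAN),
        ("jenkins:latest", None),
        ("registry.example.internal:5000/team/app:1.4", STALE_SCAN),
    ):
        print(ref, assess_trust(ref, scanned, TODAY, POLICY) or ["trusted"])
```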
Page 22
OpenSCAP vs. Black Duck Hub
OpenSCAP
• Profile driven compliance policy engine
• Vendor vulnerability data is but one component of policy
• Integrated directly with Red Hat Atomic
• Usage: atomic scan --scanner openscap {container id}
Black Duck Hub integration with Red Hat Atomic
• Broad vulnerability data for most open source components
• Covers vulnerability, license compliance and operational risk
• Integrated with Red Hat Atomic
• Rich tooling integration for development teams
• Installed via: atomic install blackducksoftware/atomic
• Usage: atomic scan --scanner blackduck {container id}
Page 23
A Donation Happily Given to the Demo Gods
Page 24
Risk Mitigation Shrinks Scope of Compromise
Open source license compliance
• Ensure project dependencies are understood
Use of vulnerable open source components
• Is component a fork or dependency?
• How is component linked?
Operational risk
• Can you differentiate between “stable” and “dead”?
• Is there a significant change set in your future?
• API versioning
• Security response process for project
Page 25
Who is Black Duck Software?
• Founded 2002
• 250+ employees
• 24 countries
• 1,800 customers
• 7 of the top 10 software companies (44 of the top 100)
• 6 of the top 8 mobile handset vendors
• 6 of the top 10 investment banks
Page 26
Comprehensive KnowledgeBase
• 8,500 websites
• 350 billion lines of code
• 2,400 license types
• 1.5 million projects
• 76,000 vulnerabilities
• Largest database of open source project information in the world.
• Vulnerabilities coverage extended through partnership with Risk Based Security.
• The KnowledgeBase is essential for identifying and solving open source issues.
Page 27
Black Duck Hub Security Architecture
[Diagram: Hub Scan – (1) File and Directory Signatures – (2) Open Source Component Identified – (3) Hub Web Application; Black Duck KnowledgeBase; On Premises Black Duck Data Center.]
Page 28
We Need Your Help
Knowledge is power
• Know what’s running and why
• Define proactive vulnerability response process
• Don’t let technology hype cycle dictate security
Invest in defense in depth models
• Don’t rely on perimeter security to do heavy lifting
• Do look at hypervisor & container trends in security
• Make developers and ops teams part of the solution
• Focus attention on vulnerability remediation
Together we can build a more secure data center
Page 29
Free Black Duck Container Tools
Free Docker Container Security Scanner
• https://info.blackducksoftware.com/Security-Scan.html
14 Day Free Trial to Black Duck Hub
• https://info.blackducksoftware.com/Demo.html
Red Hat Atomic Host Integration (Requires Black Duck Hub)
1. atomic install blackducksoftware/atomic
2. atomic scan --scanner blackduck [container]
Page 30
Know Your Code®