SACON - DevOps-container (Richard Bussiere)
TRANSCRIPT
![Page 1: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/1.jpg)
SACON International 2017
Richard Bussiere, Tenable
Technical Director
India | Bangalore | November 10 – 11 | Hotel Lalit Ashok
Integrating Container Vulnerability Management into DevOps
![Page 2: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/2.jpg)
Agenda
• What's the Security Risk Introduced through Containers?
• What can we do about it?
• Short Demo
• Conclusions
![Page 3: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/3.jpg)
Whack a Mole??
How can you understand the vulnerabilities & risk dynamic assets expose you to when the asset is here now, then gone?
![Page 4: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/4.jpg)
Can you answer these questions?
Every organization, no matter how large or small, should be able to answer these three fundamental questions at all times:
• How Exposed Are We?
• How Do We Proactively Reduce Our Exposure?
• How Secure Are We?
![Page 5: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/5.jpg)
Measuring Cyber Exposure Leverages Vulnerability Management
• Communicate Cyber Risk: accurately represent and communicate cyber risk to the business – in business terms
• Continuous Visibility: continuous visibility into where an asset is secure, or exposed, and to what extent
• Cyber Exposure Metric: apply Cyber Exposure data as a key risk metric for strategic decision support
• Prioritize Exposure: add context to the exposure to prioritize and select the appropriate remediation technique
• Live Discovery: live discovery of every modern asset across any computing environment
![Page 6: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/6.jpg)
![Page 7: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/7.jpg)
Intersecting 3 Domains
![Page 8: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/8.jpg)
Agile = Continuous Change
![Page 9: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/9.jpg)
DevOps & Security - Disconnected?
Asked two different CISOs of two different major Indian telcos "What's your container strategy?"
• Answer: "What's a container?"
Singapore
• Considering using DevOps in the near future…
• Most not sure if this stuff is actually present in their environments
Can security keep up with the pace?
![Page 10: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/10.jpg)
DevOps is driving changes in IT architecture
Monolithic:
• Built as a single, self-contained unit
• Components are interconnected and interdependent
Microservices:
• Built as a suite of modular services
• Components are loosely coupled and highly cohesive
![Page 11: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/11.jpg)
Application containers enable infrastructure modernization with microservices
Each microservice is hosted in a container and connected via APIs
Containers encapsulate a lightweight runtime environment for the application
Microservices on containers provide:
• Faster development and deployment velocity
• Greater scalability to quickly create and destroy
• Increased operational efficiency and responsiveness
![Page 12: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/12.jpg)
YouTube example: microservices and containers
![Page 13: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/13.jpg)
Application containers are exploding in adoption…
• Docker Adoption [1] (chart)
• 8 Billion+ Docker Container Downloads [2]
• 500,000+ Dockerized apps in Docker Hub [2]
Sources: 1) Datadog, 2017  2) Docker, 2017
![Page 14: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/14.jpg)
Major Cyber Exposure gap
18% of organizations with containers in production perform image scanning [1]
Risk Assessment Index [2] (organization's ability to assess cybersecurity risks):
• Containerization Platforms: Score 52%, Grade F
• DevOps Environments: Score 57%, Grade F
Average number of vulnerabilities in Docker Hub images [3]:
• Official Images: 15.9
• Community Images: 40.5
Sources: 1) Anchore, “Snapshot of the Container Ecosystem,” 2017  2) Tenable, “2017 Global Cybersecurity Assurance Report Card,” 2017  3) Tenable, “Sourcing Container Images from Docker Hosts,” 2017
![Page 15: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/15.jpg)
Modern applications raise the stakes with risk
“Modern applications are largely assembled, not developed, and developers often download and use known vulnerable open-source components and frameworks.”
- Gartner
![Page 16: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/16.jpg)
And organizations have taken notice
“Even if Docker certifies an app as being safe and effective, I'm not risking $11 billion on Docker telling me it's safe. We need extra assurance and to prove it to ourselves.”
– James Ford, Chief Strategic Architect, ADP
![Page 17: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/17.jpg)
Sharing Images: Docker Hub… Safe?
![Page 18: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/18.jpg)
Traditional security approaches do not work with containers
• Inability to Use Traditional VM Techniques
• Short Lifespan
• Inability to Remediate Vulnerabilities
![Page 19: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/19.jpg)
Think differently about protecting modern assets
Insanity: Doing the same thing over and over again and expecting a different result
![Page 20: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/20.jpg)
Prevent container vulnerabilities by securing images prior to deployment
• Integrate container security into the DevOps toolchain
• Identify and remediate vulnerabilities before they are exploitable
• Ensure all container images are secure and compliant before production
![Page 21: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/21.jpg)
What does this mean to Security and DevOps?
Enterprise Security:
• Ensure containers are part of a holistic Cyber Exposure program
• Reduce risk across a growing modern attack surface
• Identify and remediate vulnerabilities as early in the SDLC as possible
DevOps:
• Deliver quality, well-tested code at high velocity and scale
• Integrate security into the DevOps toolchain, without sacrificing speed
• Identify and remediate vulnerabilities as early in the SDLC as possible
![Page 22: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/22.jpg)
“Shift left” with security in the software development lifecycle
Perform rapid vulnerability and malware detection testing within the DevOps toolchain
Out of the box integrations with CI/CD build systems
• Jenkins, Bamboo, Shippable, Travis CI and more
• Import across container image registries
• Fully documented RESTful API for custom integrations
Pipeline stages: Source Control → Build → Test → Registry
Steps: Build Container → Unit Tests → API Tests → Security Tests → Push to Registry
![Page 23: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/23.jpg)
Know what is inside a container before deployment
Produce a detailed bill of materials covering all layers and components
• Libraries / binaries
• Configuration files
• Dependencies
• Applications
“At-a-glance visibility” into both container image inventory and security
[Figure: Container Image Layers, Layer 1 to Layer 4]
![Page 24: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/24.jpg)
Deep assessment of container images
Assessment of container images by layer
Detect the presence of malware in the layers
Apply layer hierarchy intelligence to understand when vulnerabilities are mitigated in higher layers
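One way to make the "by layer" and "mitigated in higher layers" points of the two slides above concrete, as an added example that is not code from the talk or from Tenable's product: the script below builds a three-layer image in memory (constructed data; `libfoo` and its versions are hypothetical, and `KNOWN_BAD` stands in for a real advisory feed), replays the layers in `manifest.json` order as a `docker save` tarball stores them, honours the Docker/OCI `.wh.` whiteout markers, and reads `/var/lib/dpkg/status` from the resulting effective filesystem. The effective view is what a running container exposes, so a package upgraded in a higher layer stops being a finding; the per-layer view is kept as well, because a file deleted by a later layer (here `etc/build.key`) is still inside the image and still needs scanning.

```python
"""Layer-aware inventory of a `docker save`-style image tarball (added example)."""
import io
import json
import tarfile

WHITEOUT = ".wh."          # Docker/OCI marker: ".wh.<name>" deletes <name> from lower layers
OPAQUE = ".wh..wh..opq"    # opaque marker: hides every lower-layer entry under its directory


def make_tar(files):
    """Build an in-memory tar from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_image(layers):
    """Assemble layer dicts into a `docker save`-style tarball with a manifest.json."""
    names = [f"layer{i}/layer.tar" for i in range(len(layers))]
    manifest = json.dumps([{"Config": "config.json", "Layers": names}]).encode()
    files = {"manifest.json": manifest, "config.json": b"{}"}
    files.update({name: make_tar(layer) for name, layer in zip(names, layers)})
    return make_tar(files)


def layer_tars(image_bytes):
    """Yield (index, TarFile) for each layer in manifest order (lowest layer first)."""
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for idx, name in enumerate(manifest[0]["Layers"]):
            with tarfile.open(fileobj=io.BytesIO(image.extractfile(name).read())) as layer:
                yield idx, layer


def paths_per_layer(image_bytes):
    """What each layer contributes on its own: the view a per-layer scan sees."""
    return {idx: sorted(m.name for m in layer.getmembers()) for idx, layer in layer_tars(image_bytes)}


def effective_files(image_bytes):
    """Replay layers in order; return {path: (layer_index, bytes)} of the final filesystem."""
    fs = {}
    for idx, layer in layer_tars(image_bytes):
        for member in layer.getmembers():
            directory, _, base = member.name.rpartition("/")
            prefix = directory + "/" if directory else ""
            if base == OPAQUE:
                for path in [p for p in fs if p.startswith(prefix)]:
                    del fs[path]
            elif base.startswith(WHITEOUT):
                fs.pop(prefix + base[len(WHITEOUT):], None)
            elif member.isfile():
                fs[member.name] = (idx, layer.extractfile(member).read())
    return fs


def parse_dpkg_status(text):
    """Minimal parser for /var/lib/dpkg/status: {package: version} for installed packages."""
    packages = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if fields.get("Status", "").endswith(" installed"):
            packages[fields["Package"]] = fields["Version"]
    return packages


def inventory(image_bytes, status_path="var/lib/dpkg/status"):
    """Packages on the effective filesystem, plus the layer the status file came from."""
    layer_idx, status = effective_files(image_bytes)[status_path]
    return layer_idx, parse_dpkg_status(status.decode())


def findings(packages, known_bad):
    """Packages whose installed version is exactly on a (constructed) known-bad list."""
    return {name: ver for name, ver in packages.items() if known_bad.get(name) == ver}


# Constructed sample data: hypothetical package and versions, not a real advisory.
BASE_STATUS = (b"Package: libfoo\nStatus: install ok installed\nVersion: 1.0.1-1\n\n"
               b"Package: bash\nStatus: install ok installed\nVersion: 4.4-5\n")
UPGRADED_STATUS = BASE_STATUS.replace(b"1.0.1-1", b"1.0.2-1")
KNOWN_BAD = {"libfoo": "1.0.1-1"}

SAMPLE_IMAGE = make_image([
    {"var/lib/dpkg/status": BASE_STATUS, "etc/build.key": b"not-a-real-key"},  # layer 0: base OS
    {"etc/.wh.build.key": b""},                                                 # layer 1: RUN rm /etc/build.key
    {"var/lib/dpkg/status": UPGRADED_STATUS},                                   # layer 2: libfoo upgraded
])

if __name__ == "__main__":
    layer, pkgs = inventory(SAMPLE_IMAGE)
    print(f"effective inventory (status file from layer {layer}):", pkgs)
    print("findings on effective filesystem:", findings(pkgs, KNOWN_BAD))
    print("per-layer contents:", paths_per_layer(SAMPLE_IMAGE))
```

Run with `python3` and no arguments. A real image comes from `docker save image:tag -o image.tar`, whose `manifest.json` layout is what `make_image` imitates; an OCI image layout (`index.json` plus content-addressed blobs) would need a different reader, and a real scanner compares versions against advisory ranges rather than an exact-match list.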
![Page 25: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/25.jpg)
Continuously protect containers from newly identified threats
Continuously monitor in-production containers for new vulnerabilities
Automatically re-test as new vulnerabilities are identified
Respond to newly emerging risks to ensure continuous protection
![Page 26: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/26.jpg)
Policy - Ensure containers in production are compliant with policy
Write container security policies that align to security goals and objectives
Notify developers immediately when container images exceed organization risk thresholds
Allow developers to take direct action with specific remediation advice
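The security-test step in the pipeline on slide 22 and the risk thresholds on this slide both come down to a gate: the scanner's report goes in, a policy decides pass or fail, and the developer gets remediation advice. Below is an added example of that gate, not the talk's or Tenable's code. The report shape, finding IDs, package names and versions are constructed, the policy keys are this example's own names, and no real scanner's output format is implied; adapt the report loading to whatever your scanner exports.

```python
"""CI "security test" stage: apply an image risk policy to a scan report (added example)."""
import json
import sys

# Thresholds the organisation sets, not scanner defaults (key names are this example's own).
POLICY = {
    "max_cvss": 7.0,               # findings at or above this count as "high"
    "max_high_count": 0,           # how many high findings the build may carry
    "require_fix_to_block": True,  # a high finding with no fixed version is reported, not blocking
    "block_malware": True,
}

# Constructed scan report in a generic shape; finding IDs, packages and versions are made up.
SAMPLE_REPORT = {
    "image": "registry.example.com/payments/api:1.4.2",
    "findings": [
        {"id": "FINDING-1", "package": "libfoo", "version": "1.0.1-1",
         "fixed_version": "1.0.2-1", "cvss": 9.8, "layer": 0},
        {"id": "FINDING-2", "package": "libbar", "version": "2.3",
         "fixed_version": None, "cvss": 7.5, "layer": 0},
        {"id": "FINDING-3", "package": "libbaz", "version": "7.52",
         "fixed_version": "7.53", "cvss": 5.3, "layer": 2},
    ],
    "malware": [],
}

# Accepted risks carry an expiry date; otherwise exceptions silently become permanent.
WAIVERS = {"FINDING-2": {"expires": "2017-12-31", "reason": "no upstream fix; code path unreachable"}}


def evaluate(report, policy, waivers, today):
    """Return (passed, reasons, advice). `today` is an ISO date string, so it compares lexically."""
    reasons, advice, high = [], [], 0
    for f in report["findings"]:
        waiver = waivers.get(f["id"])
        if waiver and waiver["expires"] >= today:
            continue  # still inside the accepted-risk window
        fix = f.get("fixed_version")
        if fix:
            advice.append(f"{f['id']}: upgrade {f['package']} {f['version']} -> {fix} "
                          f"(introduced in layer {f['layer']})")
        else:
            advice.append(f"{f['id']}: no fixed version for {f['package']} {f['version']}; "
                          "needs a waiver with an expiry or a different base image")
        if f["cvss"] >= policy["max_cvss"] and (fix or not policy["require_fix_to_block"]):
            high += 1
    if high > policy["max_high_count"]:
        reasons.append(f"{high} finding(s) with CVSS >= {policy['max_cvss']} "
                       f"(limit {policy['max_high_count']})")
    if policy["block_malware"] and report.get("malware"):
        reasons.append("malware detected in image: " + ", ".join(report["malware"]))
    return not reasons, reasons, advice


def main(argv):
    """Usage: gate.py [report.json] [YYYY-MM-DD]; a non-zero exit fails the CI stage."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    today = argv[2] if len(argv) > 2 else "2017-11-10"
    passed, reasons, advice = evaluate(report, POLICY, WAIVERS, today)
    print(f"{report['image']}: {'PASS' if passed else 'FAIL'}")
    for line in reasons + advice:
        print("  " + line)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired into Jenkins, Travis CI or any other build system, the stage is just this script after the image build and before the registry push; the exit status is the build verdict, and the printed advice is what the developer sees in the job log. Findings with no fix available are surfaced but do not block by default, which keeps the gate from failing every build on the day a new advisory lands; the waiver expiry forces that decision to be revisited.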
![Page 27: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/27.jpg)
Reduce Costs
Reduce costs by catching container vulnerabilities earlier
Cost of Fixing Defects in the SDLC [1]: Design 1X, Implementation 7X, Testing 15X, Maintenance 100X
1) Source: Computer Business Review, “The cost of fixing bugs throughout the SDLC,” March 2017
Reduce costs by >85% by remediating vulnerabilities before deployment
Reduce false positives and ensure developers do not waste time fixing non-vulns
![Page 28: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/28.jpg)
Eliminate Blind Spots
Comprehensive insight into:
• Container image inventory
• Summary of vulnerabilities and malware
• Distribution of vulnerabilities by CVSS score and risk level
![Page 29: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/29.jpg)
Accelerate DevOps
Avoid slowing down existing DevOps processes and workflows
<30 second security test within the DevOps toolchain
Out of the box integration with common CI/CD systems and container registries
![Page 30: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/30.jpg)
The Entire Process Laid Out…
Source Control: Gitlab, Github Enterprise, Github, Bitbucket Server, Bitbucket
Build: Jenkins, Bamboo, Distelli, Wercker, Codeship
Registry / Public Registry: container images live here before deployment
Orchestration: Kubernetes, Swarm, Mesosphere, Cloud Foundry
Container Host: Docker
![Page 31: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/31.jpg)
Injecting Security into DevOps Workflow
[Figure: pipeline stages Build, Public Registry, Registry, Orchestration, Container Host]
![Page 32: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/32.jpg)
When to Scan Container Images?
Pre-Production by Developer
In-Production Automatically and Continuously
[Figure: stages shown: Build, Public Registry]
![Page 33: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/33.jpg)
Vulnerability Scanning with Modern Stacks
[Figure: stack diagram: Server, Host OS, Container Engine, then Containers, each with Bins/Libs and an App or MySQL]
Scan for vulns using “traditional” approaches
Scan for vulns by scanning container images
External Web App Scanning
![Page 34: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/34.jpg)
Identify running container hosts…
Vulnerability Management
![Page 35: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/35.jpg)
…and harden hosts with the CIS Docker benchmark
Configuration, Patching, Permissions, Access, Sprawl
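Hardening the host with the CIS Docker Benchmark is only named above, so here is an added example (not from the talk or from Tenable) of what a few of its runtime-configuration checks look like in code. It reads the JSON that `docker inspect` emits (the `HostConfig` field names are real; the two container entries are constructed) and flags privileged mode, shared host namespaces, a mounted Docker socket, a missing memory limit, added dangerous capabilities and a writable root filesystem. Benchmark item numbers are deliberately not cited because they differ between benchmark versions.

```python
"""Runtime-configuration checks over `docker inspect` output (added example)."""
import json

DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "NET_ADMIN", "SYS_RAWIO"}

# Constructed `docker inspect` output for two containers; only the fields the
# checks read are included. On a real host: docker inspect $(docker ps -q)
SAMPLE_INSPECT = json.dumps([
    {"Name": "/payments-api",
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                    "Binds": ["/srv/payments:/data:ro"], "Memory": 536870912,
                    "CapAdd": None, "ReadonlyRootfs": True}},
    {"Name": "/ci-agent",
     "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "host",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"], "Memory": 0,
                    "CapAdd": ["SYS_ADMIN"], "ReadonlyRootfs": False}},
])


def check_container(entry):
    """Return the list of hardening failures for one `docker inspect` entry."""
    hc = entry["HostConfig"]
    failures = []
    if hc.get("Privileged"):
        failures.append("privileged: all capabilities, raw device access, seccomp/AppArmor unconfined")
    if hc.get("PidMode") == "host":
        failures.append("shares the host PID namespace")
    if hc.get("NetworkMode") == "host":
        failures.append("shares the host network namespace")
    for bind in hc.get("Binds") or []:
        source = bind.split(":")[0]
        if source.rstrip("/").endswith("docker.sock"):
            failures.append(f"mounts the Docker socket ({bind}): root-equivalent on the host")
    if not hc.get("Memory"):
        failures.append("no memory limit: one container can starve the host")
    for cap in hc.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "") in DANGEROUS_CAPS:
            failures.append(f"adds capability {cap}")
    if not hc.get("ReadonlyRootfs"):
        failures.append("root filesystem is writable")
    return failures


def audit(inspect_json):
    """Map container name -> failures for every entry in a `docker inspect` document."""
    return {e["Name"].lstrip("/"): check_container(e) for e in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, failures in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {'OK' if not failures else 'FAIL'}")
        for failure in failures:
            print("  - " + failure)
```

Pipe real output in with `docker inspect $(docker ps -q) > inspect.json` and call `audit` on the file contents. These checks cover the "Configuration", "Permissions" and "Access" items on the slide; "Patching" is the host vulnerability scan from the previous slide, and "Sprawl" is simply the count of hosts and containers the discovery step turns up.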
![Page 36: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/36.jpg)
Try Tenable.io Container Security today
Try It for Free
tenable.com/try-container
60 Day Fully Operational Trial for FREE!!
![Page 37: SACON - Devops-container (Richard Bussiere)](https://reader034.vdocuments.site/reader034/viewer/2022050614/5a6482677f8b9a27568b5581/html5/thumbnails/37.jpg)