@behemphi @stackengine

DOCKER DOCKER DOCKER … SECURITY … DOCKER
BOYD HEMPHILL, DIRECTOR OF EVANGELISM

GOALS
• Understand Why Docker is Such a Big Deal
• Consider Docker Security Concerns
• Ponder a Rational Docker Adoption Strategy
Love to @petecheslock

– BOYD HEMPHILL
“As an Ops director, I am personally guilty of pooping rainbows on security concerns.”

WHO AM I?
• Technologist
• Community Builder
• Extroverted Nerd
• Evangelist

- THE AUSTIN DEVOPS COMMUNITY
“Come to Docker Austin and Austin DevOps. Your participation will move the conversations towards your passion - security.”

THIS THING OF WHICH YOU SPEAK?
• Docker Docker Docker
• Orchestration, Service Discovery, Community
• Like what you hear? Come join the conversation: http://goo.gl/YyyJOx

- BOB QUILLIN - CEO
“Buy copious amounts of StackEngine goodness.”

WHO ARE YOU?
• Have heard of Docker?
• Have experimented with Docker on the job?
• Are using Docker in a production environment?

- SECURITY HOBBITS
“Unicorns nothing, Balrogs is more like it!”

COMMON GROUND
• Philosophy
• Model
• Implementation
• Tooling

“Don’t be a tools”
https://goo.gl/RT2SWF

MICRO-SERVICES MICRO-TEAMS
• Docker makes micro-service philosophy available to mere mortals
• Containers are infrastructure boundaries for services
• Extraordinary business for early adopters.
• Terrifying

- THE UNENLIGHTENED?
“Developer freedom is antithetical to practical security”

PROCESS DENSITY
• ~2.2% of US power is data centers. http://goo.gl/1TBdd7
• Docker adoptions are cutting infrastructure spend by 50% to 80%. http://goo.gl/vB4UDF
• Density comes with its own problems

– DEVOPS
“Lessons learned from early Ops adoption will inform security efforts.”

QUICK SUMMARY
• Significant business advantages
• Cost Savings (linux.com - https://goo.gl/CJM6ZX)
• Increase feature velocity
• Increase innovation
• Reduce communication friction
• Understand the pitfalls and plan for them
• Don’t reject new, make it better

– DOCKER AND $1,000,000,000
“Docker is worthy of your consideration.”

IDENTITY MANAGEMENT
• You are root and so is anyone else who can `docker run`
• Orchestration tools such as StackEngine address this.
• Look for ACLs at the API, CLI and GUI levels.

– SOME BAD ACTOR
OR
- SOME DEVELOPER WITH A GOOD IDEA
`docker run --privileged --entrypoint "rm -rf /root" -v /root:/root:rw stackhub/haproxy`
http://goo.gl/UHIKPR

IMAGE VERIFICATION
• This is not a new problem
• Docker Content Trust
• Caveats:
  • Not enabled by default
  • Image authors must make the effort
http://goo.gl/lU7zLk
e
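An added defender-side check for the two slides above (identity management and image verification); this is example code written for this page, not code from the deck or from StackEngine. It lists the accounts that hold root-equivalent access through the docker group, flags a world-writable daemon socket, and reports whether DOCKER_CONTENT_TRUST is set to 1; the group file and socket it inspects are constructed samples, not a real host's files.

```shell
#!/bin/sh
# Added example, not code from the slides or from StackEngine: a small audit of who
# holds root-equivalent access through the Docker daemon, plus a check that Docker
# Content Trust is actually switched on (it is off unless DOCKER_CONTENT_TRUST=1).

# Print the members of the "docker" group from a file in group(5) format.
# Argument: path to the group file (normally /etc/group).
docker_group_members() {
    awk -F: '$1 == "docker" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Count those members; prints a single integer (0 when the group is absent or empty).
docker_group_member_count() {
    docker_group_members "$1" | awk 'END { print NR }'
}

# Classify the daemon socket's permissions: "world-writable" means every local user
# can drive the daemon (and so become root on the host); otherwise "ok".
# Argument: path to the socket (normally /var/run/docker.sock).
socket_exposure() {
    if [ -n "$(find "$1" -perm -002 2>/dev/null)" ]; then
        echo "world-writable"
    else
        echo "ok"
    fi
}

# Report whether a DOCKER_CONTENT_TRUST value is the enabling one.
# Argument: the variable's value (empty when unset). Prints "enabled" or "disabled".
content_trust_status() {
    if [ "${1:-0}" = "1" ]; then echo "enabled"; else echo "disabled"; fi
}

# Constructed sample inputs so the audit runs stand-alone (not a real host's files).
SAMPLE_GROUP=$(mktemp)
printf 'root:x:0:\nsudo:x:27:alice\ndocker:x:999:alice,bob,ci-runner\n' > "$SAMPLE_GROUP"
SAMPLE_SOCK=$(mktemp)      # stands in for /var/run/docker.sock
chmod 0660 "$SAMPLE_SOCK"

echo "Accounts with root-equivalent access via the docker group:"
docker_group_members "$SAMPLE_GROUP" | sed 's/^/  /'
echo "Daemon socket: $(socket_exposure "$SAMPLE_SOCK")"
echo "Content trust: $(content_trust_status "${DOCKER_CONTENT_TRUST:-}")"
```

On a real host, pass /etc/group and /var/run/docker.sock to the same functions; every name the first check prints should be treated like a sudoers entry.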

DOCKER AS A HYPERVISOR
• Venom http://goo.gl/4VyTKv
• Battle Hardening

  Project   Inception Date
  Docker    2013
  Xen       2003
  KVM       2005

• Complexity - Lines of Code

  Project   Lines of Code   Reference
  Docker    300k            goo.gl/m8lIn0
  Xen       500k            goo.gl/xu2uVc
  KVM       13,500k         goo.gl/9wSPM7

• Code Churn
  (chart with panels: Docker, Xen, Docker lang, KVM)
• Rate of Change

  Project   Commits per month (previous 12 months)
  Docker    627
  Xen       204
  KVM       5894

• Contributors

  Project   Contributors (previous 12 months)
  Docker    634
  Xen       116
  KVM       3580

Summary:

  Project   Inception   Lines of Code   Commits per month   Contributors
  Docker    2013        300k            627                 634
  Xen       2003        500k            204                 116
  KVM       2005        13,500k         5894                3580

– BOYD HEMPHILL
“If nothing else, running Docker in a Hypervisor as a security measure should be considered more closely. Thanks https://www.openhub.net/ !”

BLACK BOX TESTING

DEVOPS 2.0
• Ops is a bottleneck, then DevOps
• Sec is a bottleneck, now DevSec
• Black Box testing with full cheats
• Security is a form of Quality. Move it as far to the front of the SDLC as possible.
• Attack yourself, make it a game and build it in to daily workflows.

– PARAPHRASING ADRIAN COCKCROFT
“Attack yourself, celebrate your breaches.”

STRANGLER PATTERN
• http://goo.gl/YkrgqE
• Replace one thing at a time and do it well

“Evolution, not revolution. Revolutions are bloody and never achieve the original goal.”

– JOHNNY APPLESEED
“Questions, comments, tomatoes?”