
Docker PDX
September 27, 2016

Securing your Software Supply Chain using Docker - Diogo Mónica

Diogo Mónica is the security lead at Docker, an open platform for building, shipping and running distributed applications. He was an early employee at Square, where he led the platform security team; holds BSc, MSc and PhD degrees in Computer Science; serves on the board of advisors of several security startups; and is a long-time IEEE volunteer.


Transcript

  1. Isolation Myopia
     “When you care more about VM and container escapes than RCE in your applications.”
  2. $ cat software-lifecycle-security.txt
     ------------------------------------+---------------------------------------
     credentialing of participants       | identity
     validating contents before shipping | consistent build
     security of cargo while in transit  | sign application
     inspecting cargo on entry           | security scanning
     inventory management and tracking   | orchestration
     ------------------------------------+---------------------------------------
  3. IMAGE
       name: alpine:3.4
       sha256: ea08...950
       ID: f70c828098f5
       expires: 2019-06-20
     USER
       name: user
       org: organization
     DOCKER HOST
       name: node-1
       ID: 9j1kxp7cd1z...22c *manager
       expires: 2016-06-21
       ID: 58slx2ra5qiee92n4uf56ocvf
  4. $ docker login docker.io
     Username (user): user
     Password:
     Login Succeeded

     $ notary -d ~/.docker/trust key list
     ROLE       GUN            KEY ID                           LOCATION
     --------------------------------------------------------------------------
     root                      5f8ec4acd0a9ca301ef84ac...587    file (...)
     targets    user/myrepo    71662d563fc1dfd0a83c5b3...9ce    file (...)
     user                      d73b1075076e39a0c3ed638...05e    file (...)
  5. $ swarmctl node ls
     ID                         Name    Membership  Status  Availability  Manager Status
     --                         ----    ----------  ------  ------------  --------------
     3w8pfmhn6janhhzg7pu7ktxd   node-3  ACCEPTED    READY   ACTIVE
     9dva02k3khzbrgyok9dqwvv2   node-2  ACCEPTED    READY   ACTIVE
     9j1kxp7cd1zs7a2njgyz6q22c  node-1  ACCEPTED    READY   ACTIVE        REACHABLE
  6. $ openssl x509 -in node-3/certificates/swarm-node.crt -text
     Certificate:
         ...
         Issuer: CN=swarm-ca
         Validity
             Not Before: Jun 17 20:30:00 2016 GMT
             Not After : Sep 15 20:30:00 2016 GMT
         Subject: O=58slx2ra5qiee92n4uf..., OU=swarm-worker, CN=3w8pfmhn6janhhzg7pu7ktxd2
         ...
         X509v3 extensions:
             ...
             X509v3 Subject Alternative Name:
                 DNS:swarm-worker
         ...
     -----BEGIN CERTIFICATE-----
     ...
  7. $ docker images --digests
     REPOSITORY   TAG     DIGEST                          IMAGE ID       CREATED
     debian       latest  sha256:e7d38b3517548a1c...0aa   f50f9524513f   8 weeks...
     busybox      latest  sha256:4a731fb46adc5cef...a92   47bcc53f74dc   11 days...
     user/myrepo  latest  sha256:ea0d1389812f43e4...950   f9858dea7747   6 hours...

     $ notary -d ~/.docker/trust list docker.io/user/myrepo
     NAME     DIGEST                                          SIZE (BYTES)   ROLE
     ---------------------------------------------------------------------------------
     latest   ea0d1389812f43e474c50155ec4914e1b48792...950    1360           targets
  8. Dockerfile, line 1:
       FROM ubuntu:16.04
     Use official images
       * TLS/DCT → authenticity
       * TLS/DCT → integrity
       * DCT → freshness
     Pin image version
  9. Dockerfile, line 2:
       RUN wget https://<mysite.io>/apt.key \
        && echo "<checksum> apt.key" \
         | shasum -a 256 -c
     Use HTTPS
       * TLS → authenticity
       * TLS → integrity
     Validate content
  10. Dockerfile, line 3:
        RUN apt-key add apt.key \
         && add-apt-repository ppa:<mysite.io> \
         && apt-get update \
         && apt-get install mypackage
      Validate signatures
        * GPG → integrity
        * GPG → authenticity
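Slides 8 to 10 build one Dockerfile in three steps: pin the base image, fetch the key over HTTPS and validate its checksum, then let the package manager verify GPG signatures. The script below is an added example (my code, not from the talk or from Docker) that performs the first two controls as shell checks you can run in CI or inside a RUN step. The helper names `sha256_hex`, `verify_sha256` and `unpinned_from` are my own, and the key contents, the zero digest and the sample Dockerfile are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the talk: the two Dockerfile controls from these slides
# (pin the base image, validate downloaded content before trusting it) as shell
# checks. The file contents, the digest and the sample Dockerfile are constructed.
set -e

# sha256_hex FILE: hex SHA-256 of FILE, using GNU sha256sum if present,
# otherwise the perl shasum the slide uses.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX.
# Same shape as the slide's `echo "<checksum> apt.key" | shasum -a 256 -c`: the
# pipeline's exit status is the checker's, so a mismatch fails a RUN step even
# without pipefail. Two spaces between hash and name is what both tools accept.
verify_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s  %s\n' "$2" "$1" | sha256sum -c --status
    else
        printf '%s  %s\n' "$2" "$1" | shasum -a 256 -c --status
    fi
}

# unpinned_from DOCKERFILE: print every FROM line whose image is not pinned by
# a tag or a digest (bare name, or :latest); succeed only if none are found.
# `FROM scratch` and `FROM --platform=... image` are handled.
unpinned_from() {
    awk '
        toupper($1) == "FROM" {
            img = ($2 ~ /^--/) ? $3 : $2
            if (img == "scratch") next
            if (img ~ /@sha256:[0-9a-f]+$/) next           # digest pin
            n = split(img, parts, "/")                      # look only at the last path
            last = parts[n]                                 # part, so host:5000 is not a tag
            if (last !~ /:/ || last ~ /:latest$/) { print; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Demo on constructed inputs
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

printf 'hello\n' > "$WORK/apt.key"              # stands in for the downloaded key
GOOD=$(sha256_hex "$WORK/apt.key")               # the value you would publish as <checksum>
if verify_sha256 "$WORK/apt.key" "$GOOD"; then echo "apt.key: checksum ok"; fi
printf 'hellp\n' > "$WORK/apt.key"              # one byte changed in transit
if ! verify_sha256 "$WORK/apt.key" "$GOOD"; then echo "apt.key: checksum MISMATCH, build would fail"; fi

cat > "$WORK/Dockerfile" <<'EOF'
FROM ubuntu:16.04
FROM ubuntu
FROM ubuntu:latest
FROM alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM scratch
FROM --platform=linux/amd64 debian:9 AS build
EOF
echo "unpinned FROM lines:"
unpinned_from "$WORK/Dockerfile" || echo "(pin these by tag or digest)"
```

The checksum only buys integrity against a modified download; it does not tell you the key belongs to the publisher, which is why the slide pairs it with TLS for authenticity and the next step with GPG. A tag pin is a floating pointer the publisher can move, so where freshness matters less than exact reproducibility, pin by digest as in the `alpine@sha256:` line.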
  11. $ cat docker_content_trust.txt
      * signatures
      * collections
        - latest → ea0d1389812f43e474c50155e…
        - 3.20.1 → f0adb41c4303e4a7f1d013ead…
      * expiry
  12. $ # protects against untrusted images
      $ head -n 1 Dockerfile
      FROM user/repo:unsigned
      $ docker build -t user/myrailsbase .
      No trust data for unsigned
  13. $ # protects against maliciously signed images
      $ docker run user/repo:fakesigned
      Warning: potential malicious behavior - trust data has insufficient signatures for remote repository docker.io/user/repo: valid signatures did not meet threshold
  14. $ # protects against stale images
      $ docker pull user/repo:reallyold
      Error: remote repository docker.io/user/repo out-of-date: targets expired at Thu Jun 16 10:47:43 PDT 2016
  15. Docker Security Scanning (architecture diagram; only the labels survive):
      Docker Cloud, Push image, Scan Trigger (APIs), Scanner, Plugin Framework,
      CVE Scanning validation service, CVE/NVD Database, BOM Database, BOM, Notifications
  16. $ docker ps --format "table {{.ID}}\t{{.Image}}\t{{.Created}}" \
          -f ancestor=user/pypy:3-5.2 \
          -f ancestor=user/pypy:2-5.3
      CONTAINER ID   IMAGE              CREATED   COMMAND
      bf8966f2dc59   user/django:pypy   2 weeks   "python manage.py run"
      263158cab9f0   twisted_web        2 hours   "twistd -n web --path"
      005c98e79459   user/pypy:3-5.2    1 hours   "scrapy crawl dmoz"
      005c98e79459   user/pypy:2-5.3    1 hours   "youtube-dl 'http://w"
  17. $ docker run -it --net host --pid host --cap-add audit_control \
        ... docker/docker-bench-security
      [INFO] 1 - Host Configuration
      [WARN] 1.1 - Create a separate partition for containers
      [PASS] 1.2 - Use an updated Linux Kernel
      [PASS] 1.4 - Remove all non-essential services from the host - Network
      [PASS] 1.5 - Keep Docker up to date
      [INFO]      * Using 1.11.2 which is current as of 2016-06-02
      [INFO]      * Check with your operating system vendor for support and security maintenance for docker
      [INFO] 1.6 - Only allow trusted users to control Docker daemon
      [INFO]      * docker:x:999:docker
      [WARN] 1.7 - Failed to inspect: auditctl command not found.
      [WARN] 1.8 - Failed to inspect: auditctl command not found.
      [WARN] 1.9 - Failed to inspect: auditctl command not found.
      [INFO] 1.10 - Audit Docker files and directories - docker.service
      [INFO]      * File not found
      [INFO] 1.11 - Audit Docker files and directories - docker.socket
      [INFO]      * File not found
      ...
  18. Secure Cluster Management
      • Docker 1.12 integrates swarm.
      • Swarm ships with strong security enabled by default.
  19. Mutual TLS by default
      • Leader acts as CA.
      • Any Manager can be promoted to leader.
      • Workers and managers identified by their certificate.
      • Communications secured with Mutual TLS.
  20. Automatic Certificate Rotation
      • Customizable certificate rotation periods.
      • Occurs automatically.
      • Ensures potentially compromised or leaked certificates are rotated out of use.
      • Whitelist of currently valid certificates.
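Slides 18 to 20 describe the swarm trust model: a manager acting as CA, every node identified by a certificate it issued (the one slide 6 inspects), and short rotation periods so a leaked certificate ages out. The script below is an added example (my code, not from the talk or from SwarmKit) that rebuilds that shape with the openssl CLI: a throwaway CA named swarm-ca, a one-day worker certificate with the O/OU/CN layout from slide 6, the chain check each side of a mutual-TLS handshake performs, and the expiry check a rotation monitor would run. `make_demo_certs`, `verify_chain` and `expires_within` are my names, and EXAMPLECLUSTERID and EXAMPLENODEID are placeholders, not real swarm identifiers.

```shell
#!/bin/sh
# Added example, not from the talk or from SwarmKit: a throwaway CA and a
# short-lived node certificate built with the openssl CLI, plus the checks a
# rotation monitor would run on a cert like the one slide 6 inspects.
# Cluster and node IDs below are constructed placeholders.
set -e

# make_demo_certs DIR: write ca.crt, node.key and node.crt into DIR.
make_demo_certs() {
    dir="$1"
    # CA key and self-signed CA cert (the slides' Issuer is CN=swarm-ca)
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=swarm-ca" 2>/dev/null
    # Node key and CSR with the swarm-style subject: O = cluster id, OU = role, CN = node id
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/node.key" -out "$dir/node.csr" \
        -subj "/O=EXAMPLECLUSTERID/OU=swarm-worker/CN=EXAMPLENODEID" 2>/dev/null
    # CA signs the CSR for one day only; a short lifetime is what makes rotation meaningful
    openssl x509 -req -in "$dir/node.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/node.crt" 2>/dev/null
}

# cert_subject CERT / cert_issuer CERT: the DN lines that `openssl x509 -text` shows on slide 6
cert_subject() { openssl x509 -in "$1" -noout -subject; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer; }

# verify_chain CERT CA_CERT: succeed only if CERT was signed by CA_CERT.
# This is the check each side of a mutual-TLS handshake performs on its peer.
verify_chain() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# expires_within CERT SECONDS: succeed if CERT's Not After falls inside the window,
# i.e. the cert should be rotated now. openssl's -checkend returns 0 when the cert
# is still good past the window, so the sense is inverted here.
expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Demo run
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_demo_certs "$WORK"

cert_subject "$WORK/node.crt"
cert_issuer "$WORK/node.crt"
if verify_chain "$WORK/node.crt" "$WORK/ca.crt"; then
    echo "chain: node.crt is signed by swarm-ca"
fi
# 172800 s is two days: a one-day cert falls inside that window and is flagged
if expires_within "$WORK/node.crt" 172800; then
    echo "rotation: node.crt expires within 2 days, rotate it"
fi
```

The chain check is what makes the certificate an identity rather than a label: a node presenting a cert not signed by the cluster CA fails `verify_chain` before any RPC is accepted. The expiry window passed to `expires_within` should be somewhat longer than the rotation period so a stalled rotation is noticed while the old certificate is still valid.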
  21. • Official Images: https://docs.docker.com/docker-hub/official_repos
      • Docker Content Trust: https://docs.docker.com/engine/security/trust/content_trust
      • Docker Security Scanning: https://docs.docker.com/docker-cloud/builds/image-scan
      • Docker SwarmKit: https://github.com/docker/swarmkit
      • A Look Back At One Year Of Docker Security: https://blog.docker.com/2016/04/docker-security/