Securing your Software Supply Chain using Docker - Diogo Mónica

Transcript

1. Securing your Software Supply Chain using Diogo Mónica

2. Isolation Myopia “When you care more about VM and container

   escapes than RCE in your applications.”
3. None

4. Physical Product Supply Chain

5. source/ dependencies build systems/ engineers network application repository deployed systems

   Software Supply Chain

6. $ cat software-lifecycle-security.txt ------------------------------------+--------------------------------------- credentialing of participants validating contents before

   shipping security of cargo while in transit inspecting cargo on entry inventory management and tracking ------------------------------------+-------------------------------------- | identity | consistent build | sign application | security scanning | orchestration

7. Identity

8. IMAGE name: alpine:3.4 sha256: ea08...950 ID: f70c828098f5 expires: 2019-06-20 USER

   name: user org: organization DOCKER HOST name: node-1 ID: 9j1kxp7cd1z...22c *manager expires: 2016-06-21 ID: 58slx2ra5qiee92n4uf56ocvf

9. $ docker login docker.io Username (user): user Password: Login Succeeded

   $ notary -d ~/.docker/trust key list ROLE GUN KEY ID LOCATION -------------------------------------------------------------------------------------------------------------------- root 5f8ec4acd0a9ca301ef84ac...587 file (...) targets user/myrepo 71662d563fc1dfd0a83c5b3...9ce file (...) user d73b1075076e39a0c3ed638...05e file (...)

10. $ swarmctl node ls ID Name Membership Status Availability Manager

    Status -- ---- ---------- ------ ------------ -------------- ------------- 3w8pfmhn6janhhzg7pu7ktxd node-3 ACCEPTED READY ACTIVE 9dva02k3khzbrgyok9dqwvv2 node-2 ACCEPTED READY ACTIVE 9j1kxp7cd1zs7a2njgyz6q22c node-1 ACCEPTED READY ACTIVE REACHABLE

11. $ openssl x509 -in node-3/certificates/swarm-node.crt -text Certificate: ... Issuer: CN=swarm-ca

    Validity Not Before: Jun 17 20:30:00 2016 GMT Not After : Sep 15 20:30:00 2016 GMT Subject: O=58slx2ra5qiee92n4uf..., OU=swarm-worker, CN=3w8pfmhn6janhhzg7pu7ktxd2 ... X509v3 extensions: ... X509v3 Subject Alternative Name: DNS:swarm-worker ... -----BEGIN CERTIFICATE----- ...

12. $ docker images --digests REPOSITORY TAG DIGEST IMAGE ID CREATED

    debian latest sha256:e7d38b3517548a1c...0aa f50f9524513f 8 weeks... busybox latest sha256:4a731fb46adc5cef...a92 47bcc53f74dc 11 days... user/myrepo latest sha256:ea0d1389812f43e4...950 f9858dea7747 6 hours... $ notary -d ~/.docker/trust list docker.io/user/myrepo NAME DIGEST SIZE (BYTES) ROLE --------------------------------------------------------------------------------- latest ea0d1389812f43e474c50155ec4914e1b48792...950 1360 targets
13. None

14. source/ dependencies Consistent Builds build systems/ engineers

15. $ cat dependency_quality.txt * authenticity * integrity * freshness *

    consistency

16. 1 FROM ubuntu:16.04 | Use official images * TLS/DCT →

    authenticity * TLS/DCT → integrity * DCT → freshness Pin image version

17. 1 FROM ubuntu:16.04 2 RUN wget https://<mysite.io>/apt.key \ && echo

    “<checksum> apt.key” \ | shasum -a 256 -c | Use HTTPS * TLS → authenticity * TLS → integrity Validate content

18. 3 RUN apt-key add apt.key \ && add-apt-repository ppa:<mysite.io> \

    && apt-get update \ && apt-get install mypackage | Validate signatures GPG → integrity GPG → authenticity

19. Application Signing network

20. $ cat docker_content_trust.txt * signatures * collections - latest →

    ea0d1389812f43e474c50155e… - 3.20.1 → f0adb41c4303e4a7f1d013ead… * expiry

21. Docker Content Trust

22. $ # enable docker content trust $ export DOCKER_CONTENT_TRUST=1

23. $ # protects against untrusted images $ head -n 1

    Dockerfile FROM user/repo:unsigned $ docker build -t user/myrailsbase . No trust data for unsigned

24. $ # protects against maliciously signed images $ docker run

    user/repo:fakesigned Warning: potential malicious behavior - trust data has insufficient signatures for remote repository docker.io/ user/repo: valid signatures did not meet threshold

25. $ # protects against stale images $ docker pull user/repo:reallyold

    Error: remote repository docker.io/user/repo out-of-date: targets expired at Thu Jun 16 10:47:43 PDT 2016

26. Developer or CI

27. 3 2 1 Trusted Image Chaining

28. debian:jessie ruby 2.3.1 ruby:2.3 rails 4.2.6 rails:4.2.6 extra libraries mycompany/

    railsbase:1.0

29. Security Scanning + Gating application repository

30. None

31. Scanner CVE Scanning validation service Docker Security Scanning Scan Trigger

    (APIs) Plugin Framework CVE/NVD Database BOM Database BOM Notifications Push image Docker Cloud
32. None

33. Auto-Chained Remediation

34. None
35. None

36. $ docker ps --format “table {{.ID}}\t{{.Image}}\t{{.Created}}” \ -f ancestor=user/pypy:3-5.2 \

    -f ancestor=user/pypy:2-5.3 CONTAINER ID IMAGE CREATED COMMAND bf8966f2dc59 user/django:pypy 2 weeks "python manage.py run" 263158cab9f0 twisted_web 2 hours "twistd -n web --path" 005c98e79459 user/pypy:3-5.2 1 hours “scrapy crawl dmoz" 005c98e79459 user/pypy:2-5.3 1 hours “youtube-dl ‘http://w"

37. Orchestration deployed systems

38. $ docker run -it --net host --pid host --cap-add audit_control

    ... docker/docker-bench-security [INFO] 1 - Host Configuration [WARN] 1.1 - Create a separate partition for containers [PASS] 1.2 - Use an updated Linux Kernel [PASS] 1.4 - Remove all non-essential services from the host - Network [PASS] 1.5 - Keep Docker up to date [INFO] * Using 1.11.2 which is current as of 2016-06-02 [INFO] * Check with your operating system vendor for support and security maintenance for docker [INFO] 1.6 - Only allow trusted users to control Docker daemon [INFO] * docker:x:999:docker [WARN] 1.7 - Failed to inspect: auditctl command not found. [WARN] 1.8 - Failed to inspect: auditctl command not found. [WARN] 1.9 - Failed to inspect: auditctl command not found. [INFO] 1.10 - Audit Docker files and directories - docker.service [INFO] * File not found [INFO] 1.11 - Audit Docker files and directories - docker.socket [INFO] * File not found ...

39. Secure Cluster Management • Docker 1.12 integrates swarm. • Swarm

    ships with strong security enabled by default.

40. Mutual TLS by default • Leader acts as CA. •

    Any Manager can be promoted to leader. • Workers and managers identified by their certificate. • Communications secured with Mutual TLS.

41. Support for External CAs • Managers support BYO CA. •

    Forwards CSRs to external CA.

42. Automatic Certificate Rotation • Customizable certificate rotation periods. • Occurs

    automatically. • Ensures potentially compromised or leaked certificates are rotated out of use. • Whitelist of currently valid certificates.

43. DEMO time!!!

44. Identity

45. Official Images/ Docker Content Trust source/ dependencies build systems/ engineers

    network application repository deployed systems

46. Docker Content Trust source/ dependencies build systems/ engineers network application

    repository deployed systems

47. Docker Security Scanning source/ dependencies build systems/ engineers network application

    repository deployed systems

48. Docker Swarm/ Bench source/ dependencies build systems/ engineers network application

    repository deployed systems

49. • Official Images: https://docs.docker.com/docker-hub/official_repos • Docker Content Trust: https://docs.docker.com/engine/security/trust/content_trust •

    Docker Security Scanning: https://docs.docker.com/docker-cloud/builds/image-scan • Docker SwarmKit: https://github.com/docker/swarmkit • A Look Back At One Year Of Docker Security https://blog.docker.com/2016/04/docker-security/

50. Thank you!