App Sec In The Time of Docker Containers

Transcript

1. APP SEC IN THE TIME OF DOCKER CONTAINERS Akash Mahajan

   - Director Appsecco DevOpsDays India 2016 #DevOpsDaysIN

2. THAT WEB APPLICATION SECURITY GUY

3. “ There is space for only 5 types of security

   approaches in this world -Said no one ever

4. THIS IS HOW I FELT WHEN I STARTED TAKING DOCKER

   SERIOUSLY Image courtesy Arguazuarma http://arquazuarma.blogspot.in/2011/01/from-outside-looking-in.html

5. DIDN’T FEEL LIKE THAT WEB APPLICATION SECURITY GUY From  h'p://rigel.co/2013/11/26/impostor-­‐syndrome/

6. DEALING WITH IT

7. HOW WE DO APPSEC CURRENTLY?

8. AUTOMATED WEB APPLICATION SCANNERS NAIL HAMMER ANALOGY

9. BUG BOUNTY BEGINNERS - WIN SOME - LOSE SOME

10. BUG BOUNTY/PENTESTERS & EXPERTS MAKE IT LOOK SIMPLE

11. SECURITY TESTERS PLOD AWAY USING CHECKLISTS & TOOLS

12. WHAT IS A DOCKER CONTAINER?

13. A DOCKER CONTAINER? ➤ A container allows a developer to

    package up and application and all of its dependent parts in a box ➤ This box is basically an isolated environment and the application has everything it needs to run inside of this environment

14. CONTAINERS ARE COMING A value of 100 is the peak

    popularity for a term DOCKER IN GOOGLE TRENDS SINCE JUL 2013-PRESENT

15. IF THE DRY GRAPH WASN’T ENOUGH TO CONVINCE YOU

16. “ Why has this change to docker become imminent? -Me,

    when I started noticing how quickly the developer world was moving to docker

17. REPEAT AFTER ME DEVELOPER PRODUCTIVITY OPERATIONAL PRODUCTIVITY DEVELOPER PRODUCTIVITY

18. “ Regardless of how much security folks think their opinion

    matters, most of the developers don’t give a fish about what we think - Akash Mahajan, learning the truth the hard way

19. THIS IS WHAT DEVELOPERS WANT - AN IT FREE WORLD

    http://www.infoq.com/cn/articles/docker-core-technology-preview

20. BUT ISN’T THIS JUST LIKE CHROOT?

21. INSTALLING MUTILLIDAE (PHP+APACHE+MYSQL APP)

22. OR USE SOMETHING AS SIMPLE AS KITEMATIC (MAC ONLY)

23. “ If a developer has to choose between being productive

    or being secure, more or less she/he will chose being productive - Something I should have said!

24. PRODUCTIVITY TRUMPS SECURITY TRUE FACT - SAMPLE SIZE 1 curl

     http://path/to/bash/script.sh  |  sudo  bash

25. CONTAINERS, APPSEC & OWASP

26. FOR CONTAINERS THESE ARE THE RELEVANT APPSEC RISKS OWASP Top

    10 Issue What is that? A1 Injection Stuff that harms the server A2 Broken AuthN Stuff that lets attackers access parts of the application, which allows them to upload stuff that harms the server A4 Insecure Direct Object Reference A5 Security Misconfiguration Stuff that makes the infra supporting the app insecure A9 Using components with Known Vulnerabilities Stuff that possibly enables any or all of the above, due to using 3rd party stuff

27. OWASP TOP 10 - A1 INJECTION Attacker Data Files Creds

    Shell

28. OWASP TOP 10 - A2 BROKEN AUTHN & SESSION MANAGEMENT

    What is the name of my pet? Tinkerbell

29. OWASP TOP 10 - A4 INSECURE DIRECT OBJECT REFERENCE 890141042432191

    890141042432192 890141042432193 890141042432194

30. OWASP TOP 10 - A5 SECURITY MISCONFIGURATION

31. WHAT CAN WE DO NOW TO GET ON THE BANDWAGON?

    Task What should be done Testing Applications We usually need the setup running somewhere (testing) Secure Development Pre-configured dockerfiles with selective containers which allow for secure configuration by default Secure Operations Running docker in secured, isolated instances

32. TESTING APPLICATIONS AGAINST OWASP TOP 10 Now all of this

    can be in Docker! Now all of this can be in Docker! APP == API

33. SECURE DEVELOPMENT BY BEING SECURE BY DEFAULT ENABLE CONTENT TRUST

    AND NOTARY

34. SECURE OPERATIONS - FOLLOW BEST PRACTICES ➤Kernel Namespaces ➤Control Groups

    ➤Capabilities ➤Syscall Filtering with Seccomp ➤Mandatory Access Control ➤SELinux ➤AppArmor

35. PRACTICE DEFENCE IN DEPTH USING CIS CHECKLIST ➤ Follow the

    CIS Docker Benchmark to get a checklist of things to do on ➤ Host Configuration (15 list items) ➤ Docker Daemon Configuration (13 list items) ➤ Files, Permissions and configuration files for Docker Daemon (20 list items) ➤ Container Images (5 list items) ➤ Container Runtime (25 list items) ➤ Follow Docker Security Operations Best Practices https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf

36. DOCKER HOST AND CONTAINER SECURITY GETTING STARTED Start by reading

    Understanding docker security and best practices https:// blog.docker.com/2015/05/understanding-docker-security-and-best-practices/ Use the Docker Bench Security script to automatically check best practices as outlined by the CIS Docker Benchmark version 1.11 https://github.com/docker/ docker-bench-security Play this awesome game to break out of docker containers in your browser https:// contained.af/ Read the full CIS Docker 1.11.0 Benchmark report https:// benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf Understanding and Hardening Linux Containers by NCC Group https:// www.nccgroup.trust/us/our-research/understanding-and-hardening-linux-containers/

37. TO START WITH, THIS IS WHAT YOU SHOULD DO Test

    the application as you normally would If you find application security issues report these Do white box assessment with the docker security checklists Keep track of any privilege escalation bugs in docker daemon or the underlying hypervisor/VM tech you are using Understand what is the software supply chain for the application & pick secure alternatives for orchestration itself

38. DOCKER FAILS Couple of #devoops moments

39. TWITTER’S VINE SOURCE CODE DUMP BY @AVICODER ➤ @avicoder a

    bug bounty hunter, he spoke about this bug at a null/ OWASP/G4H Bangalore meet in June 2016 ➤ He found an interesting sub domain for Vine ( A twitter video app) ➤ He had stumbled upon a private docker registry being used ➤ He realised that the version being used didn’t use any authentication and by querying the API he determined the docker files being hosted ➤ He did a docker pull of an image that contained the source code for the Vine App and got $$$$$ bounty ➤ https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/

40. DOCKER IMAGE INSECURITY ➤ This has been fixed now! Especially

    from docker version 1.10 ➤ Earlier if an image had been compressed with xz (in C so not safety for memory) ➤ Docker Daemon would exec the xz binary as root user ➤ If there was a single vulnerability in xz, a docker pull could result in complete compromise ➤ Read more about the vulnerability https://titanous.com/posts/docker- insecurity ➤ Read more about how this was fixed https://titanous.com/posts/docker- insecurity

41. NOT EXACTLY A DOCKER ISSUE BUT THIS SHOULD RESONATE

42. DIRTY DIRTY COW HAS A POC FOR DOCKER ESCAPE http://www.theregister.co.uk/2016/11/01/docker_user_havent_patched_dirty_cow_yet_bad_news/

43. QUESTIONS @makash | https://linkd.in/webappsecguy | [email protected]