Talk - Hardening Your Docker Infrastructure

Reports state very high numbers of security vulnerabilities in official images on Docker Hub. Host kernels contain 20+ M LoC, reachable from untrusted applications via many kernel APIs, providing huge attack surface. Dockers default is to run containers and all commands/processes within a container as root.

Kim will discuss:

• Tooling options around significantly improving visibility of vulnerabilities in Docker components and containers
• Safe consumption of Docker images from public registries. Addressing origin, authorship with identification using digests and integrity with opt-in Docker Content Trust

Based on Kim’s:

• Experience building a full dynamically Dockerised security regression testing SaaS
• Writing and publishing the Docker Security - Quick Reference book
• Interviews with experts such as Docker Security Team Lead Diogo Mónica, and Michael Hausenblas of Red Hat (author of the book Container Networking) on Container Networking

Docker host, engine, container, networking and deployment security will be covered with many examples. We will cover:

• Namespaces
• Controlling system resources accessible to containers with CGrouups
• LSMs
• Reducing default Capabilities of the Container root user
• Reducing default syscalls to only the essentials with Seccomp
• Filesystem Mounts
• Coverage of good security practises in Dockerfiles and docker-compose