Talk - Hardening Your Docker Infrastructure

Abstract

The security defaults of Docker are designed to get you up and running (“just work”) quickly, rather than being the most secure. There are many default configurations that can be improved upon. In this talk Kim will walk through improving the security of Docker hosts, containers, networking and deployments.

Date
Location
Auckland, New Zealand

Reports state very high numbers of security vulnerabilities in official images on Docker Hub. Host kernels contain 20+ M LoC, reachable from untrusted applications via many kernel APIs, providing huge attack surface. Dockers default is to run containers and all commands/processes within a container as root.

Kim will discuss:

  • Tooling options around significantly improving visibility of vulnerabilities in Docker components and containers
  • Safe consumption of Docker images from public registries. Addressing origin, authorship with identification using digests and integrity with opt-in Docker Content Trust

Based on Kim’s:

Docker host, engine, container, networking and deployment security will be covered with many examples. We will cover:

  • Namespaces
  • Controlling system resources accessible to containers with CGrouups
  • LSMs
  • Reducing default Capabilities of the Container root user
  • Reducing default syscalls to only the essentials with Seccomp
  • Filesystem Mounts
  • Coverage of good security practises in Dockerfiles and docker-compose


Avatar
Kim Carter
Technologist / Engineer, Information Security Professional

Technologist / Engineer, Information Security Professional, Entrepreneur and the founder of BinaryMist Ltd. OWASP NZ Chapter Leader. Certified Scrum Master. Facilitator, mentor and motivator of cross functional, self managing teams. With a solid 18 years of commercial industry experience across many domains.