Containers have changed the way we do deployments. Organizations have openly embraced containerization, to supplement traditional deployment paradigms like Virtual Machines and Hypervisors. Docker, has emerged as the leading container technology that is used by organizations, large and small for packaging and deploying consistent-state applications with help of Container Orchestrators like compose, kubernetes, etc.. .
Serverless on the other hand seems to be taking over at a rapid rate with increased usage of micro-services across organizations which allows them the flexibility to have multiple tech-stacks.
However, as always, security remains to be a challenge that organizations face with containerized and serverless deployments. While containers may be vulnerable to security threats that plague any typical application deployments, they face specific security threats related to the containerization daemon, the shared kernel and other shared resources like the network and the filesystem. Serverless deployments face risks such as insecure serverless deployment configurations, Inadequate function monitoring and logging, Broken authentication, Function event data injection & Insecure application secrets storage.
This training has been created with the singular objective of achieving optimal security for containerized and serverless deployments. This training will be a 2 day program that will detail, through specific theory elements and extensive hands-on exercises, ways in which containerized and serverless deployments can be made secure, yet scalable, efficient and effective.
The training consists of, but not limited to the following focus areas in Container Security and Serverless Deployment:
* Introduction to Containers and Containerized Deployments - Docker, Compose
* Introduction to Container Orchestration Technologies - Kubernetes
* Introduction to Docker Native Continuous Integration Services
* A View into DevSecOps and the Container Security Problem
* Container Security Threat Model:
- Container - Host Attacks
- Container - Container Attacks
- Container Sprawl
- Container Secrets Exposure
- Insecure Libraries and Applications in Containerized Deployments
- Container Daemon Threats
* Container Security Best Practices:
- Access Control Models for Containers
- Practical Secrets Management for Container Deployments
- Auditing, Logging and Monitoring for Containerized Deployments
- Container Vulnerability Management Best Practices
- Resource Management and Trust Allocation - Containerized Deployments
* Introduction to Serverless - AWS Lambda
* Deploying Application to AWS Lambda
* Testing a Serverless Application for Vulnerabilities.
The author brings with him extensive experience, packaging and deploying Services using containers and Serverless securely to production. In addition, he has experience with developing integrations for containerized deployments and orchestrating it using docker API, automation in security and have considerable knowledge in DevSecOps. He has helped build 'Orchestron', a Vulnerability Management Solutions and Scalable Scanner Integrations that leverage containers to the hilt.
# Day 1 ## Session 1 Introduction to Containerized Deployments - Understanding and getting comfortable using Docker.
* An Introduction to Container Deployments
- LXC and Linux Containers
- Introducing Docker Images and Containers
- Docker Commands and Cheatsheet
- Hands-on: Docker commands, Dockerfile, Images, Compose
- Hands-on Lab: Playing with Docker Container Deployments: Deploying a containerized Web App
## Session 2 Container Deployments - Threat Landscape- An Introduction to possible threats and attack surface when using Docker for Deployments.
* Threat Model for Containerized Deployments
- Daemon-related Threats
- Network related Threats
- OS and Kernel Threats
- Threats with Application Libraries
- Threats from Containerized Applications
> Container Breakout Docker Security Examples
- Hands-on Tour of some of the exploits and the potential damages they can cause.
* Secrets Management of Docker Env Variables and other secrets
* OS and Kernel Level Exploits:
- DirtyCow
- Shellshock
- CVE-2017-1000253
- Privileged User Flaws
* Application Library Flaws:
- Struts2 Web App Flaw - Library
- Python Docx 0.8.5 XXE Flaw with DDoS - Billion Laughs Attack
Required MaterialsLaptop Requirements- Intel i3 and above preferred, 64bit Operating System (32 bit will NOT work), 8GB+ RAM preferred. Netbooks WON’T work
- Minimum 80GB HDD space available
- Working WiFi adapter with ability to connect to third party wireless networks
- User must be able to use the USB port of the laptop to copy and install the Virtual Machine, which will be delivered in a USB Mass Storage Device (Flash Drive).
- Soft copy of the Slides and the VMs will be given to participants on a USB Flash Drive that will be formatted with the NTFS format.
- Please download and install the latest installation of Oracle VM VirtualBox
- We have observed that Windows laptops often come with Virtualization options disabled in the BIOS. In such cases, the Virtual Machine and the workshop exercises won’t work. Please ensure that the following measures are taken to make your laptop available for Virtualization
- You must have access to your BIOS menu. This can be accessed by pressing F12 (not all laptops, some may have a different key to access the BIOS menu). In some cases, there may be a password to access the BIOS menu. Please ensure that you have a password (if required) to access the BIOS menu.
Additional Requirements An AWS account to deploy a Web-Application on AWS-Lambda will be necessary.
