How Secure are your Docker Images?

Presented at BSidesSF 2017, Feb. 13, 2017, 10:45 a.m. (30 minutes).

This presentation extracts a few points from the CIS Docker 1.12 Benchmark, which was co-authored by me. Ref: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker12.100

Abstract: The concept of containerization has existed in Linux for ages in the form of jails, zones, LXC etc., but it is only in the last 2 years that it has gained tremendous recognition. The credit goes to "Docker", which made the concept of containerization very useful and handy by adding many benefits to existing container technologies. Tech giants like Redhat, Google, IBM, VMware etc. are not only the biggest contributors to this most active open source project but also major users of it. Containers have already impacted the virtual machine market, and this impact is going to increase significantly in the near future.

Security is always an important issue for any upcoming technology, and Docker is no exception. This presentation starts with a brief introduction to containers vs. virtualization technology and the Docker ecosystem, and then goes into detail on the security of "Docker Images", explaining the various security issues that can arise at each stage of the Docker image life cycle and how each of them can be fixed. It also provides a security benchmark for enterprises/personal users who want to maintain their own in-house registry and need a security compliance set for generating/consuming/maintaining images securely.

Presenters:

  • Manideep Konakandla - Security Researcher - Carnegie Mellon University
    "Manideep K (www.manideepk.com) is an Author, Security Researcher, Speaker and a J.N Tata Scholar. He is currently a Security Researcher and Masters student in Information Security @Carnegie Mellon University, USA and is currently researching "Security of containers with focus on Docker". He also works as a research assistant @Cylab, Carnegie Mellon. He authored a book at the age of 21, which made him one of the youngest authors in India to write a book on Hacking. He was also featured in India's largest circulated English and Telugu newspapers including Deccan Chronicle, The Hindu, Hans India, Vaartha, AndhraJyoti, Saakshi, Andhrabhoomi, Visaalandra etc. and was also interviewed by the HMTV news channel for his achievements in Security. He holds more than a dozen certifications - ISO 27001:2013 ISMS Lead Auditor, CCNA, CEH, ECSA, JNCIP-SEC, CHFI, JNCIS-SEC, ITIL v3, etc. He will be representing Carnegie Mellon at RSA Conference USA 2017. Manideep has also reported critical vulnerabilities in more than 100 websites and applications including Yahoo Messenger, Jease CMS, and universities providing Masters in Information and Cyber Security - CMU, Purdue, USC, NEU, SUNY Brook etc. He also cracked the Sodexo MNC meal pass barcode algorithm and presented it at the NULL security conference. He was appreciated by the Deccan Chronicle newspaper for this milestone. His team recently won third prize at Microsoft's "Build the Shield" competition. Manideep has also been a speaker at more than 50 seminars and workshops on 'Ethical Hacking & Cyber Forensics' and 'Cyber Crime Eradication', including at IIT Guwahati, ISTE (Indian Society for Technical Education), CSI (Computer Society of India) and Tata Consultancy Services. He has trained more than 15,000 people in the Information Security domain including corporate security teams, cyber cops and students. He worked as a Team Lead for the Core Security & Data Analytics module at Tata Consultancy Services for 3 years before joining Carnegie Mellon.
    He received appreciation from the Global Head-IT Security for his extraordinary performance in enhancing the organization's security posture. He also worked along with the CIO and CSO on a few investigations and cyber security exercises. Apart from his profession, he also works as a freelancer and is associated as a professional member with prestigious organizations such as OWASP, APSA, CSI, ACM etc."
