#RSAC

SESSION ID: CSV-F01

Securely Deploying Micro Services, Containers & Serverless PaaS Web Apps

Murray Goldschmidt
Chief Operating Officer, Sense of Security
@ITsecurityAU

Agenda

1 Serverless, Microservices and Container Security

2 Key Implications for Penetration Testing Programs

3 Key Security features for Container Deployments

4 CI/CD Integration for Automated Security

End to End Vulnerability Management

Continuous Monitoring, Governance & Compliance Reporting

Are Containers As Good as it Gets?

Cloud containers are designed to virtualize a single application, e.g., you have a MySQL container and that's all it does: provide a virtual instance of that application.

Containers ***SHOULD*** create an isolation boundary at the application level rather than at the server level.

This isolation ***SHOULD*** mean that if anything goes wrong in that single container (e.g., excessive consumption of resources by a process) it only affects that individual container and not the whole VM or whole server.

*** Modified *** https://searchcloudsecurity.techtarget.com/feature/Cloud-containers-what-they-are-and-how-they-work

Container Security – Tech Neutral

Security Requirement: Addressed By

– Intrinsic Security of the Kernel: Supply Chain Risk Mgt / Vuln Mgt / CaaS
– Attack Surface Reduction: Hardening / Config Mgt / Vuln Mgt
– Container Configuration: Configuration Management
– Hardening of the Kernel and how it interacts with Containers: Hardening

Monolithic vs Microservices Architecture

Monolithic vs Micro Services (API Centric)

https://developer.ibm.com/courses/monolithic-architecture-versus-microservices-architecture-dwc024/

Example: Microsoft eShop Reference Architecture

VM vs. Containers (where the abstraction occurs)

[Diagram: three stacks side by side, Virtualisation (Type 1 – Bare Metal, Type 2) and Containerisation]

– Virtualisation, Type 1 – Bare Metal: Hardware → Hypervisor 1 → VM 1 … VM N; each VM carries its own Guest OS, Dependencies and Application.
– Virtualisation, Type 2: Hardware → Host OS → Hypervisor 2 → VM 1 … VM N.
– Containerisation: Hardware → Host OS → Container Engine → Cont 1 … Cont N; each container carries only the Application and its App. Deps. (e.g., Application ABC with Dep 1, Dep 2) and shares the host kernel.


Developers

Hackers

Hooking Lowest Wins

North-South & East-West Attacks and Pivots

https://neuvector.com/network-security/securing-east-west-traffic-in-container-based-data-center/

Break-In

Entry Point is usually a “Pin Hole” issue

For example a known application issue

Containers – The “Contained” Challenge

IF you can Break-In

You then Need to Break-Out

http://www.marvinfrancismaninacage.com/

Break-Out

<goWest goEast>

Either Find a Container Vuln & Exploit

Recent Container Vulnerabilities

https://brauner.github.io/2019/02/12/privileged-containers.html

Or - Living off the Land

Container TTL

How to Upgrade your Vuln Mgt Program

What to expect from a Pen Test

Implications for CaaS

Supply Chain Risk

DevSecOps

Pen Test – Mechanical Attack vs Knowledge & Finesse

Monolithic vs Microservices Architecture

https://neuvector.com/run-time-container-security/

Load Balancing

Perimeter Public Functions

Hack Transformation

https://neuvector.com/network-security/next-generation-firewall-vs-container-firewall/

Security Testing Needs to Go Down The Stack

(top of the stack to the bottom, in the order the slides build it up)

– User Interface (WebApps, forms, logons, APIs)
– Framework (Struts, Spring, .NET)
– Language (Java, PHP, .NET)
– AppServer (IIS, Apache, Nginx)
– Process UI (Container, presentation layer)
– Process App (Container, application processing)
– Process BackEnd (Container, database)
– Operating System (Linux, Windows)
– Clustering/Orchestration (CaaS, Swarm, Kubernetes)
– Networking (SDN, SecGroups)
– Cloud Platform
– Core Infrastructure

Finesse

There are Pen Tests & There are Pen Tests!

Mechanical Attack:
– Lower Cost
– Predictable
– Even if a Web App/Service Pen Test, not suitable for current technologies
– Doesn’t really assess the threats
– More North-South than East-West
– Check Box Assurance, Validation & Compliance

Knowledge & Finesse:
– More considered
– Requires expert capability, R&D
– Requires understanding of the full stack incl implications of -aaS
– Requires persistence in an ephemeral setting
– Yes – it will cost more

Blue Team: Key Steps to App Container Security

1 End-to-End Vulnerability Management
2 Container Attack Surface Reduction
3 User Access Control
4 Hardening the Host OS & the Container
5 SDLC Automation (DevOps)

Solutioning

1 End-to-End Vulnerability Management

Automated Vuln Mgt (SHIFT LEFT)

– Build: APIs & Plug-ins; Third Party Components; Vuln Mgt Automation
– Registry: Automated Scan of Pub/Priv Registry
– Host: Compliance Scanning; OS; CaaS
– Runtime: Audit logging; Event logging

Image adapted from Qualys materials
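One way to implement the gate behind the Build and Registry stages of that pipeline, as an added example that is not the presentation's or Qualys' code: scanner output is normalised into a list of findings, and the gate blocks the image push when a finding at or above the threshold has an actionable fix (or is critical regardless), while risk-accepted exceptions carry an expiry so they cannot silently become permanent. The finding dict shape, the `CVE-EXAMPLE-*` placeholder ids, the package versions and the sample allowlist are all constructed for this example.

```python
"""Shift-left vulnerability gate for a container image (added example; not the
presentation's or Qualys' code).

Sits at the Build/Registry stage: the scanner report is normalised into the
finding dicts below (a hypothetical shape), then the gate decides whether the
image may be pushed. Exceptions expire, so accepted risk is revisited.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Scanner-specific severity names are mapped into these buckets before the gate runs.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class GateResult:
    blocked: bool = False
    blocking: list[str] = field(default_factory=list)  # finding ids that fail the build
    notes: list[str] = field(default_factory=list)     # one line per finding for the pipeline log


def gate_image(findings: list[dict], allowlist: dict[str, dict], today: date,
               fail_on: str = "high") -> GateResult:
    """Decide whether an image may leave the build/registry stage.

    Rules:
      * a finding at or above `fail_on` with a fixed version available blocks:
        the developer can act on it now, so it belongs at the left of the pipeline;
      * a critical finding blocks even without a fix, since the image should not ship;
      * an allowlist entry suppresses a finding until its expiry date only;
      * everything else is logged so the registry/host scans can keep tracking it.
    """
    result = GateResult()
    threshold = SEVERITY_RANK[fail_on]
    for f in findings:
        fid, sev, pkg, fix = f["id"], f["severity"], f["package"], f.get("fixed_version")
        exception = allowlist.get(fid)
        if exception is not None and exception["expires"] >= today:
            result.notes.append(f"allow  {fid} {pkg}: exception until {exception['expires']} "
                                f"({exception['reason']})")
            continue
        if SEVERITY_RANK[sev] >= threshold and (sev == "critical" or fix):
            result.blocking.append(fid)
            expired = " (exception expired)" if exception is not None else ""
            result.notes.append(f"block  {fid} {pkg}: {sev}, fix {fix or 'not yet available'}{expired}")
        else:
            result.notes.append(f"log    {fid} {pkg}: {sev}, fix {fix or 'not yet available'}; "
                                "track at registry/host scan")
    result.blocked = bool(result.blocking)
    return result


# Constructed scanner output for one image (placeholder ids, not real CVEs).
SAMPLE_FINDINGS = [
    {"id": "CVE-EXAMPLE-0001", "package": "libssl", "severity": "critical", "fixed_version": "1.1.1-3"},
    {"id": "CVE-EXAMPLE-0002", "package": "curl", "severity": "high", "fixed_version": None},
    {"id": "CVE-EXAMPLE-0003", "package": "zlib", "severity": "high", "fixed_version": "1.2.11-2"},
    {"id": "CVE-EXAMPLE-0004", "package": "bash", "severity": "high", "fixed_version": "5.0-4"},
    {"id": "CVE-EXAMPLE-0005", "package": "tar", "severity": "medium", "fixed_version": "1.30-1"},
]

# Constructed risk-accepted exceptions, each with an owner-stated reason and an expiry.
SAMPLE_ALLOWLIST = {
    "CVE-EXAMPLE-0003": {"expires": date(2019, 6, 30),
                         "reason": "vulnerable code path not reachable; upstream fix scheduled"},
    "CVE-EXAMPLE-0004": {"expires": date(2019, 1, 31),
                         "reason": "temporary exception pending base image rebuild"},
}


def evaluate_sample(today_iso: str, fail_on: str = "high") -> GateResult:
    """Run the gate over the constructed sample as of a given ISO date."""
    return gate_image(SAMPLE_FINDINGS, SAMPLE_ALLOWLIST, date.fromisoformat(today_iso), fail_on)


if __name__ == "__main__":
    verdict = evaluate_sample("2019-03-05")
    print("BLOCKED" if verdict.blocked else "PASSED")
    for line in verdict.notes:
        print(" ", line)
```

Run as a pre-push step in the build job: a non-empty `blocking` list fails the stage, and the `notes` lines go to the build log so the Registry and Host scans later in the pipeline see the same ids. Note that an exception that has expired is reported as a block with an "exception expired" marker rather than silently dropped, which is what forces the risk acceptance to be renewed or the image to be fixed.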

Solutioning

2 Container Attack Surface Reduction

Solutioning

3 User Access Control

Solutioning

4 Hardening the Host OS & the Container

See NIST SP 800-190 and various others incl https://www.cisecurity.org/benchmark/docker/
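The isolation the earlier slides say containers ***SHOULD*** provide, and steps 2 and 4 of the Blue Team list, come down to how each container is configured. The following is an added example, not code from the presentation, NIST or CIS: a small audit of a container spec against hardening checks in the spirit of NIST SP 800-190 and the CIS Docker Benchmark (no privileged containers or shared host namespaces, non-root user, read-only root filesystem, capabilities dropped before any are added back, and CPU/memory limits so a runaway process only affects its own container). The flattened spec dict, the check names and the two sample specs are assumptions made for this example; a real audit would read the values out of a Kubernetes pod spec or a docker-compose file.

```python
"""Hardening audit of a container spec (added example, not from the presentation).

The flattened spec dict is a hypothetical format; a real audit would parse a
Kubernetes pod spec or docker-compose file into it first.
"""
from __future__ import annotations

from dataclasses import dataclass

# Capabilities that give a process enough reach to get past the application-level
# isolation boundary (SYS_ADMIN alone covers mounts, namespaces and more).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    detail: str


def audit_container(spec: dict) -> list[Finding]:
    """Return one Finding per failed hardening check; an empty list means all passed."""
    findings: list[Finding] = []
    caps = spec.get("capabilities", {})

    if spec.get("privileged", False):
        findings.append(Finding("privileged", "critical",
                                "runs privileged: the container/host boundary is effectively gone"))
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns, False):
            findings.append(Finding(ns, "high", f"{ns} shares a host namespace with the container"))
    # No runAsUser means the image default applies, which is root unless the
    # Dockerfile set USER; the audit treats the absence as UID 0.
    if spec.get("runAsUser", 0) == 0:
        findings.append(Finding("runAsUser", "high", "main process runs as UID 0 inside the container"))
    if not spec.get("readOnlyRootFilesystem", False):
        findings.append(Finding("readOnlyRootFilesystem", "medium",
                                "root filesystem is writable; anything dropped into it persists for the container's life"))
    added = sorted(set(caps.get("add", [])) & DANGEROUS_CAPS)
    if added:
        findings.append(Finding("capabilities.add", "high", "adds " + ", ".join(added)))
    if "ALL" not in caps.get("drop", []):
        findings.append(Finding("capabilities.drop", "low",
                                "keeps the default capability set instead of dropping ALL and adding back what is needed"))
    limits = spec.get("limits", {})
    for resource in ("cpu", "memory"):
        if resource not in limits:
            findings.append(Finding(f"limits.{resource}", "medium",
                                    f"no {resource} limit: a runaway process can starve the host, not just this container"))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    """Highest severity present, or 'none' when the spec passed every check."""
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index, default="none")


# Constructed specs. WEAK_SPEC is the "just make it work" configuration the deck
# warns about; HARDENED_SPEC passes every check above. Image names are placeholders.
WEAK_SPEC = {
    "image": "example.invalid/shop/web:latest",
    "privileged": True,
    "hostPID": True,
    "capabilities": {"add": ["SYS_ADMIN"]},
}
HARDENED_SPEC = {
    "image": "example.invalid/shop/web@sha256:<digest-placeholder>",
    "runAsUser": 10001,
    "readOnlyRootFilesystem": True,
    "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
    "limits": {"cpu": "500m", "memory": "256Mi"},
}

if __name__ == "__main__":
    for name, spec in (("weak", WEAK_SPEC), ("hardened", HARDENED_SPEC)):
        result = audit_container(spec)
        print(f"{name}: worst={worst_severity(result)}, {len(result)} finding(s)")
        for f in result:
            print(f"  [{f.severity}] {f.check}: {f.detail}")
```

The same function can run as a pre-deploy check in the pipeline (fail on `worst_severity` of high or critical) and as a scheduled scan of what is actually running, which is where the Host and Runtime stages of the earlier slide pick it up. The resource-limit checks are the concrete form of the "excessive consumption of resources by a process" caveat from the opening slides: without them, the isolation boundary holds for the filesystem and process tree but not for CPU and memory.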

Solutioning

5 SDLC Automation (DevOps)

Recap

1 Serverless, Microservices and Container Security
2 Key Implications for Penetration Testing Programs
3 Key Security features for Container Deployments
4 CI/CD Integration for Automated Security

End to End Vulnerability Management
Continuous Monitoring, Governance & Compliance Reporting

Apply What You Have Learned Today – Exec/Procurement

Next week you should:
– Reset your review criteria for Penetration Testing
– Explicitly incorporate testing of Cloud Technologies into your Vuln Mgt Program

In the first three months following this presentation you should:
– Review suppliers’ capability to test Cloud Technologies
– Develop the Blue Team side of the equation
– Have a functional Shift Left feature in your Vuln Mgt Program for Cloud

Within six months you should:
– Have performed an effective Penetration Test on your Cloud investment
– Fine tune your blue team response to cloud technology attacks

Apply What You Have Learned Today – Pen Testers

Next week you should:
– Shortlist all the relevant cloud technologies in use by your clients
– Re-calibrate your approach to test PaaS and Container

In the first three months following this presentation you should:
– Demonstrate the ability to breakout of containers
– Demonstrate the ability to live off the land

Within six months you should:
– Perfect methods for persistence in highly dynamic environments
– Determine how to integrate Pen Test with client Blue Team (Purple Team)

Murray Goldschmidt
Chief Operating Officer
Sense of Security
[email protected]

Office: +61 2 9290 4444

Mobile: +61 422 978 311