Cool stuff we'll talk about
- Containers
- Serverless Applications
Who am I?
Official (ISC) CSSLP Instructor
Founder of Gauntlet.io
Loves Software {Engineering,Security}
Simple deployment flow
How it works
Developer
Shared server
The Server
Your User
Security
Private server
Hypervisor (AWS / Google Cloud / Etc)
Your Server
Your User
Security
Setting up your private server
Manually connect through SSH & go nuts
Security
Use CM Tools
... OR ...
Use Configuration Management (CM) Tools
Security
Ansible example
  ---
  - hosts: server
    # 'become' replaces the older 'sudo'/'sudo_user' keywords used on the original slide
    become: yes
    become_user: root
    tasks:
      - name: install mysql-server
        apt:
          name: mysql-server
          state: present
          update_cache: yes
That's the Infrastructure as Code (IaC) concept.
Use cloud provider server images
... OR ...
Security
Use a Platform as a Service (PaaS)
... OR ...
Platform as a Service (PaaS) - (Send them your code and let them manage the servers)
Security
Or go with Containers
... OR ...
Containers
It's like Debian's chroot on steroids!
Isolation with LESS overhead
Faster deploys
Defense-in-depth mechanism
How a container is born
Dockerfile -> (Build) -> Image -> (Run) -> Container
What is in a container
A container is a server with its own:
IP Address
Network
File system
Etc
Docker Containers
Two major ways to use containers
Microservices
Thin Containers
One process per Container
Monolithic
Fat Containers
Multiple processes per Container
Looks like a Virtual Machine (VM)
Typical flow with Containers
[Diagram: Image, Database of Images]
What can you do about security?
- Keep Docker up-to-date
- Harden the Docker daemon
- Don't run containers as root
- And don't let users easily become root
- Remove SUID flags / sudo
- Don't put sensitive files in your container
- Audit Dockerfiles
What can you do about security?
- Reduce container capabilities
- Avoid images without a Dockerfile
- As you can't easily check what's inside, e.g., look for backdoors
- Only install an image if you trust it
- If possible, verify it
- Limit container usage (memory/etc.) as anti-DoS
What can you do about security?
- Run security scanners on images
- Docker Security Scanning (Paid)
- CoreOS Clair (Open Source)
- Consider using a Container Security Platform
- Evaluated by Gartner:
- Aqua Security, CloudPassage, Docker, Magnetic.io,
Twistlock, Weaveworks
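A small Dockerfile auditor for the checklist above (added example, not code from the talk or from any of the tools listed): it flags a missing non-root USER, setuid bits and sudo in RUN steps, sensitive files copied in, and ADD from a URL. The Dockerfile and the sensitive-file patterns are constructed for illustration.

```python
import re

# Constructed sample Dockerfile (not from the slides): it contains several of
# the weaknesses the checklist warns about, so the auditor has something to flag.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:16.04
ADD https://example.invalid/app.tar.gz /opt/
COPY id_rsa /root/.ssh/id_rsa
RUN apt-get update && apt-get install -y sudo
RUN chmod u+s /usr/bin/find
CMD ["/opt/app/server"]
"""

# File names that should never be baked into an image layer (illustrative list).
SENSITIVE = re.compile(r"(id_rsa|id_dsa|id_ed25519|\.env\b|\.pem\b|credentials)", re.I)
# chmod forms that set setuid/setgid: symbolic (u+s, g+s, a+s) or numeric 2xxx/4xxx/6xxx.
SETUID = re.compile(r"chmod\s+(?:\S*[+=]\S*s\b|[246][0-7]{3}\b)")


def audit_dockerfile(text):
    """Return [(line_no, finding), ...]; line 0 means the image as a whole."""
    findings = []
    last_user = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "USER":
            last_user = args.strip()
        elif instr in ("COPY", "ADD"):
            if SENSITIVE.search(args):
                findings.append((no, "sensitive file copied into the image"))
            if instr == "ADD" and re.match(r"https?://", args):
                findings.append((no, "ADD from a URL: content is not verifiable at build time"))
        elif instr == "RUN":
            if SETUID.search(args):
                findings.append((no, "setuid/setgid bit set (remove SUID flags)"))
            if re.search(r"\bsudo\b", args):
                findings.append((no, "sudo installed or used (users could become root)"))
    # No USER, or a final USER root, means processes run as root in the container.
    if last_user in (None, "root", "0"):
        findings.append((0, "container runs as root: add a non-root USER"))
    return findings


if __name__ == "__main__":
    for line_no, finding in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {finding}")
```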
Enough about containers
Time is finite after all...
Show me the Serverless Stuff
Serverless Applications
The Challenge
- Case Study: Dadario's Learning Platform
- Build a Serverless Application with:
- Authentication
- Authorization
- Payment Processing
Authentication
[Diagram: User authenticates with the Authentication Provider; Users; dadario.com.br]
Authorization
[Diagram: User authenticates with the Authentication Provider; User Database]
Payment Processing
[Diagram: User pays using PayPal, the Payment Provider]
But there are Limitations
- Few languages available
- Can't include all libraries
- Need automation to organize multiple functions
Takeaways
- Development is changing, thus Security must catch up
- Your applications are safer in Containers
- Serverless Applications are real and growing
Resources, References & Tools
Docker
https://docs.docker.com/docker-cloud/builds/image-scan/
https://github.com/coreos/clair
https://github.com/CenturyLinkLabs/dockerfile-from-image
https://www.sumologic.com/blog-devops/securing-docker-containers/
https://www.ctl.io/developers/blog/post/tutorial-protecting-sensitive-info-docker
Serverless
https://github.com/apex/apex
https://github.com/serverless/serverless
Thank you
Anderson Dadario
dadario.com.br | @andersonmvd
Founder of Gauntlet.io
Slides are available for free on https://dadario.com.br/slides