Securing your container infra
Static vs Dynamic analysis
- Static analysis is the testing and evaluation of an application by examining the code without executing the application.
- Dynamic analysis is the testing and evaluation of an application during runtime.
Damn vulnerable container
(base) :Downloads $ docker pull vulnerables/web-dvwa
Digest: sha256:dae203fe11646a86937bf04db0079adef295f426da68a92b40e3b181f337daa7
Status: Downloaded newer image for vulnerables/web-dvwa:latest
docker.io/vulnerables/web-dvwa:latest
(base) :Downloads $ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker-bench-security_docker-bench-security latest 377fa82a87fe 2 weeks ago 62.7MB
quay.io/wildfly/wildfly latest 8ed07860a04a 4 weeks ago 729MB
docker/docker-bench-security latest 0037349aef7e 3 years ago 51.6MB
vulnerables/web-dvwa latest ab0d83586b6e 3 years ago 712MB
(base) :Downloads $ docker run --rm -it -p 80:80 vulnerables/web-dvwa
[+] Starting mysql…
[ ok ] Starting MariaDB database server: mysqld . ..
[+] Starting apache
[….] Starting Apache httpd web server: apache2AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 172.17.0.2. Set the ‘ServerName’ directive globally to suppress this message
. ok
Docker Bench Security
Downloads $ docker pull docker/docker-bench-security
Using default tag: latest
latest: Pulling from docker/docker-bench-security
Digest: sha256:ddbdf4f86af4405da4a8a7b7cc62bb63bfeb75e85bf22d2ece70c204d7cfabb8
Status: Image is up to date for docker/docker-bench-security:latest
Downloads $ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d81603e825ce vulnerables/web-dvwa "/main.sh" 23 minutes ago Up 23 minutes 0.0.0.0:80->80/tcp stupefied_booth
Command to run Docker Bench on your system:
docker run -it --net host --pid host --userns host --cap-add audit_control -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST -v /var/lib:/var/lib -v /var/run/docker.sock:/var/run/docker.sock -v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label docker_bench_security docker/docker-bench-security
Anchore
Grype:
$ brew tap anchore/grype
$ brew install grype
$ grype vulnerables/web-dvwa:latest
This command scans for vulnerabilities that are visible in the container (i.e., the squashed representation of the image).
$ grype vulnerables/web-dvwa:latest --scope all-layers
This variant includes software from all image layers in the vulnerability scan, regardless of its presence in the final image.
https://github.com/anchore/grype/
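Grype can also emit its findings as JSON (`grype vulnerables/web-dvwa:latest -o json > grype.json`), which makes it easy to gate a build on severity and list the offending packages. The script below is an added example, not part of this post or of the grype project; it reads that JSON (the `matches[].vulnerability` / `matches[].artifact` layout grype produces), counts findings per severity, and fails when anything at or above a chosen severity is present. The embedded report is a constructed sample with placeholder CVE ids, not real scan results.

```python
import json
import sys
from collections import Counter

# Grype's severity ladder, highest first. "Unknown" is counted but never gated on.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]

# Constructed sample in the shape of `grype <image> -o json`; CVE ids are placeholders.
SAMPLE_REPORT = json.loads("""
{"matches": [
  {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                     "fix": {"versions": ["1.2.3"], "state": "fixed"}},
   "artifact": {"name": "libexample", "version": "1.2.0", "type": "deb"}},
  {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                     "fix": {"versions": [], "state": "not-fixed"}},
   "artifact": {"name": "libexample", "version": "1.2.0", "type": "deb"}},
  {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                     "fix": {"versions": [], "state": "unknown"}},
   "artifact": {"name": "othertool", "version": "0.9", "type": "deb"}}
]}
""")

def summarize(report):
    """Count matches per severity, and how many of those already have a fix available."""
    counts, fixable = Counter(), Counter()
    for m in report.get("matches", []):
        sev = m["vulnerability"].get("severity", "Unknown")
        counts[sev] += 1
        if m["vulnerability"].get("fix", {}).get("state") == "fixed":
            fixable[sev] += 1
    return counts, fixable

def gate(report, fail_on="High"):
    """Return (passed, offending): offending lists (id, severity, package, version)
    for every match at or above fail_on. Same idea as grype's --fail-on flag, but
    you keep the list of offenders for the build log."""
    threshold = SEVERITY_ORDER.index(fail_on)
    offending = []
    for m in report.get("matches", []):
        sev = m["vulnerability"].get("severity", "Unknown")
        if sev != "Unknown" and SEVERITY_ORDER.index(sev) <= threshold:
            offending.append((m["vulnerability"]["id"], sev,
                              m["artifact"]["name"], m["artifact"]["version"]))
    return (len(offending) == 0, offending)

if __name__ == "__main__":
    # Usage: python gate.py grype.json  (falls back to the sample when no file is given)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    counts, fixable = summarize(report)
    for sev in SEVERITY_ORDER:
        if counts[sev]:
            print(f"{sev:<10} {counts[sev]:>4}  ({fixable[sev]} with a fix available)")
    passed, offending = gate(report, "High")
    for vid, sev, name, ver in offending:
        print(f"  {sev}: {vid} in {name} {ver}")
    sys.exit(0 if passed else 1)
```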
Snyk:
$ brew tap snyk/tap
$ brew install snyk
$ snyk auth <api-token>
Your account has been authenticated. Snyk is now ready to be used.
https://docs.snyk.io/snyk-cli/authenticate-the-cli-with-your-account
$ snyk container test vulnerables/web-dvwa:latest
Testing vulnerables/web-dvwa:latest…