How are we securing the intricate world of containers?

In our Super Cyber Friday event, “Hacking Container Security: An hour of critical thinking about how to shine a light into an image’s black box,” we covered the essentials of containers, their role in modern app development, and the vulnerabilities that attackers exploit within container images, and we explored ways to peek into these "black boxes." Joining us for this discussion were Mackenzie Jackson from GitGuardian and David B. Cross, CISO at Oracle SaaS Cloud.

HUGE thanks to our sponsor, GitGuardian

Watch the full video

Join us for our next Super Cyber Friday on Friday [10-13-23] for “Hacking The Risks and Rewards of AI: An hour of critical thinking about how to safely embrace this emerging technology.” Register here.

Quotes from our guests

"Make sure you scan your containers for any hard-coded and plain text secrets in the image, and also in the files used to create them." - Mackenzie Jackson, GitGuardian

"Containers and applications are the future, right? However, it's going to take a little time to get there. Containers are where almost all new applications and services are being built." - David Cross, Oracle SaaS Cloud.

"A lot of the declarative code that we write to build and maintain these containers is essentially source code, and this is where we find the vulnerability. Yes, you can scan your image. However, if you scan the source code and what you're doing to build it, you will find these vulnerabilities quicker and be able to secure it." - Mackenzie Jackson, GitGuardian

"There's a lot of cases where developers or IT professionals are embedding the secrets or the credentials, such as URLs, into the container. It's just like in the Windows domain environment. Once you've got credentials, then you laterally move." - David Cross, Oracle SaaS Cloud.

"One of the worst things you can do, as we move into the cloud, is what many have done: simply shift and lift everything. Here's everything that was my VM. I'm now going to jam it in and get it to run in a container. No, the whole idea is to build it with the bare minimum. That's really the most important thing to start with. You build what you need, not taking all these other things and filling up an unmanageable container." - David Cross, Oracle SaaS Cloud.

"Using a Docker ignore file when building Docker containers and ensuring that files containing secrets don't end up there are good starting points [when hardening your environment]." - Mackenzie Jackson, GitGuardian
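The two GitGuardian quotes above (scan the declarative code that builds the image, and keep secret-bearing files out of the build context with a `.dockerignore`) can be turned into a small pre-build check. The following script is an added example, not code from the original page, from GitGuardian or from the speakers: it scans a Dockerfile and a `.env` file for well-known credential formats and for high-entropy values assigned to secret-looking variable names, and it reports which sensitive paths a `.dockerignore` fails to exclude. The sample Dockerfile, `.env` and `.dockerignore` contents are constructed for the example (the AWS key is the documented `AKIAIOSFODNN7EXAMPLE` placeholder), the regexes are illustrative rather than a complete detector set, and the `.dockerignore` matching uses `fnmatch` as an approximation of Docker's own rule semantics.

```python
"""Added example: pre-build secret and .dockerignore check for a container build
context. Constructed sample inputs; not the page's or GitGuardian's code."""
import fnmatch
import math
import re
from collections import Counter

# Illustrative detectors for well-known credential formats (a real scanner
# ships a far larger pattern set; these three are assumptions for the example).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "url_with_password": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:]+:[^@\s]+@"),
}
# Variable names that usually hold a credential.
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)
# Dockerfile ENV/ARG lines and KEY=VALUE lines in .env files.
ASSIGN = re.compile(
    r'^\s*(?:ENV|ARG)?\s*([A-Za-z_][A-Za-z0-9_]*)[= ]+["\']?([^"\'\s]+)["\']?\s*$'
)
# Paths that should never be copied into an image by `COPY . /app`.
SENSITIVE_FILES = [".env", ".git", "id_rsa", ".aws/credentials", ".npmrc"]


def shannon_entropy(value):
    """Bits of entropy per character; random-looking secrets score above ~3."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, source):
    """Return (source, line number, finding) tuples for one build file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in KNOWN_PATTERNS.items():
            if pattern.search(line):
                findings.append((source, lineno, name))
        m = ASSIGN.match(line)
        if m:
            var, val = m.groups()
            # A value that starts with "$" is injected at build time, not hard-coded.
            if (SECRET_NAME.search(var) and not val.startswith("$")
                    and len(val) >= 8 and shannon_entropy(val) > 3.0):
                findings.append((source, lineno, "high_entropy_value_in_" + var))
    return findings


def dockerignore_gaps(dockerignore_text):
    """Return the sensitive paths that no .dockerignore rule excludes.

    fnmatch is an approximation of Docker's matching (assumption for the example)."""
    rules = [l.strip() for l in dockerignore_text.splitlines()
             if l.strip() and not l.startswith("#")]

    def covered(path):
        for rule in rules:
            base = rule.rstrip("/")
            if (fnmatch.fnmatch(path, rule) or fnmatch.fnmatch(path.split("/")[-1], rule)
                    or path == base or path.startswith(base + "/")):
                return True
        return False

    return [p for p in SENSITIVE_FILES if not covered(p)]


# Constructed sample build context for the example.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
ENV DB_PASSWORD="P9x!mQ2vR8kL"
ENV API_TOKEN=${API_TOKEN}
RUN pip install -r requirements.txt
COPY . /app
"""
SAMPLE_ENV = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DATABASE_URL=postgres://app:Tr0ub4dor&3@db.internal:5432/app
"""
WEAK_DOCKERIGNORE = ".git\n.env\n*.pem\n"
HARDENED_DOCKERIGNORE = ".git\n.env\n*.pem\nid_rsa*\n.aws/\n.npmrc\n"


def scan_build_context(dockerfile, env_file, dockerignore):
    """Combine both checks into one report for a build context."""
    return {
        "secrets": scan_text(dockerfile, "Dockerfile") + scan_text(env_file, ".env"),
        "dockerignore_gaps": dockerignore_gaps(dockerignore),
    }


if __name__ == "__main__":
    for label, ignore in (("weak", WEAK_DOCKERIGNORE), ("hardened", HARDENED_DOCKERIGNORE)):
        report = scan_build_context(SAMPLE_DOCKERFILE, SAMPLE_ENV, ignore)
        print(label, report)
```

The `COPY . /app` line in the sample Dockerfile is what makes the `.dockerignore` gaps matter: anything in the build context that is not excluded lands in an image layer, where it can be recovered even if a later layer deletes it. The hardened `.dockerignore` closes the `id_rsa`, `.aws/credentials` and `.npmrc` gaps; the `ENV DB_PASSWORD` line still needs to be replaced by a runtime secret injection, which the scanner distinguishes by skipping values that start with `$`.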

"I think the great thing about honey tokens is that if you look at the time frame of an attack, especially something like a supply chain attack, the time from when the attackers compromise a component in your supply chain to when they actually launch their attacks can be weeks, often months. It's not easy for an attacker to immediately move out laterally when they break into a system. Attackers are pretty predictable. The first thing they're going to do is try to identify secrets. That's how you're going to be able to find them very quickly. You can also put honey tokens in your supply chain and be the first to know." - Mackenzie Jackson, GitGuardian

"You may have an insider problem, sometimes more than an outsider problem. There's one element of outsiders coming in and moving laterally, but often, companies may find that internal people are hunting. This means you may have a bigger problem." - David Cross, Oracle SaaS Cloud.

Quotes from the chat

“Build security in, from planning a product through production.” - Larry Rosen, vCISO, Principal Security

“It strikes me that containerization can become a step backwards from zero trust because they are deployed with a lot of assumptions that data access won't pierce the veil. They become the new trusted zone without a lot of care and attention.” - Duane Gran, director of information security, Converge Technology Solutions Corp.

“One of the security foundations is ‘don't run unnecessary stuff.’ Seems to be the same for containers.” - John Prokap, vp, infrastructure and operations, HarperCollins Publishers
