Global AppSec Amsterdam

Docker and Containerization in general offer several advantages for developers: They fit excellent in software development processes, they enable fast development cycles, reproducible deployments and with little change the same container can run either in a test or production environment. Last but not least: it always seems a cool thing for developers. Some DevOps marketing companies realized that, telling you your business will fall behind if you're not in the container business as the "time to market" is just too long. So far, so good. Or not? A catch is that an average developer is no expert in system and network security. Container security is a system and network topic though. And also if you have system and network security knowledge, you first need to fully understand the technology. Even big players seem still on the learning curve as several researches and incidents in 2018 showed. But also the containerization technologies like CoreOS and Kubernetes showed surprising flaws in the recent past. This mixture of complexity and/or lack of acknowledging it's not KISS and a lack of system knowledge are not good start conditions for a building and operating a secure container environment. This is the point where the OWASP Docker Top 10 chimes in. By using a threat model approach, attack surfaces were defined first. Based on that, 10 controls evolved. The speaker will show an overview over the 10 points and some practical examples (also bad ones) to demonstrate pitfalls. The OWASP Docker Top 10 is a defender project. It starts from important Do's and Dont's to more advanced controls which could help you to make your environment almost bullet proof.