Container Security. Fundamental Technology Concepts that Protect Containerized Applications - Helion
ISBN: 9781492056713
Pages: 200, Format: ebook
Publication date: 2020-04-06
Bookstore: Helion
Price: 160.65 zł (previously 186.80 zł)
You save: 14% (-26.15 zł)
To facilitate scalability and resilience, many organizations now run applications in cloud native environments using containers and orchestration. But how do you know if the deployment is secure? This practical book examines key underlying technologies to help developers, operators, and security professionals assess security risks and determine appropriate solutions.
Author Liz Rice, Chief Open Source Officer at Isovalent, looks at how the building blocks commonly used in container-based systems are constructed in Linux. You'll understand what's happening when you deploy containers and learn how to assess potential security risks that could affect your deployments. If you run container applications with kubectl or docker and use Linux command-line tools such as ps and grep, you're ready to get started.
- Explore attack vectors that affect container deployments
- Dive into the Linux constructs that underpin containers
- Examine measures for hardening containers
- Understand how misconfigurations can compromise container isolation
- Learn best practices for building container images
- Identify container images that have known software vulnerabilities
- Leverage secure connections between containers
- Use security tooling to prevent attacks on your deployment
Table of Contents
- Preface
- Who This Book Is For
- What This Book Covers
- A Note about Kubernetes
- Examples
- How to Run Containers
- Feedback
- Conventions Used in This Book
- Using Code Examples
- O'Reilly Online Learning
- How to Contact Us
- Acknowledgments
- 1. Container Security Threats
- Risks, Threats, and Mitigations
- Container Threat Model
- Security Boundaries
- Multitenancy
- Shared Machines
- Virtualization
- Container Multitenancy
- Container Instances
- Security Principles
- Least Privilege
- Defense in Depth
- Reducing the Attack Surface
- Limiting the Blast Radius
- Segregation of Duties
- Applying Security Principles with Containers
- Summary
- 2. Linux System Calls, Permissions, and Capabilities
- System Calls
- File Permissions
- setuid and setgid
- Security implications of setuid
- Linux Capabilities
- Privilege Escalation
- Summary
- 3. Control Groups
- Cgroup Hierarchies
- Creating Cgroups
- Setting Resource Limits
- Assigning a Process to a Cgroup
- Docker Using Cgroups
- Cgroups V2
- Summary
- 4. Container Isolation
- Linux Namespaces
- Isolating the Hostname
- Isolating Process IDs
- Changing the Root Directory
- Combine Namespacing and Changing the Root
- Mount Namespace
- Network Namespace
- User Namespace
- User Namespace Restrictions in Docker
- Inter-process Communications Namespace
- Cgroup Namespace
- Container Processes from the Host Perspective
- Container Host Machines
- Summary
- 5. Virtual Machines
- Booting Up a Machine
- Enter the VMM
- Type 1 VMMs, or Hypervisors
- Type 2 VMM
- Kernel-Based Virtual Machines
- Trap-and-Emulate
- Handling Non-Virtualizable Instructions
- Process Isolation and Security
- Disadvantages of Virtual Machines
- Container Isolation Compared to VM Isolation
- Summary
- 6. Container Images
- Root Filesystem and Image Configuration
- Overriding Config at Runtime
- OCI Standards
- Image Configuration
- Building Images
- The Dangers of docker build
- Daemonless Builds
- Image Layers
- Sensitive data in layers
- Storing Images
- Identifying Images
- Image Security
- Build-Time Security
- Provenance of the Dockerfile
- Dockerfile Best Practices for Security
- Attacks on the Build Machine
- Image Storage Security
- Running Your Own Registry
- Signing Images
- Image Deployment Security
- Deploying the Right Image
- Malicious Deployment Definition
- Admission Control
- GitOps and Deployment Security
- Summary
- 7. Software Vulnerabilities in Images
- Vulnerability Research
- Vulnerabilities, Patches, and Distributions
- Application-Level Vulnerabilities
- Vulnerability Risk Management
- Vulnerability Scanning
- Installed Packages
- Container Image Scanning
- Immutable Containers
- Regular Scanning
- Scanning Tools
- Sources of Information
- Out-of-Date Sources
- Won't Fix Vulnerabilities
- Subpackage Vulnerabilities
- Package Name Differences
- Additional Scanning Features
- Scanner Errors
- Scanning in the CI/CD Pipeline
- Prevent Vulnerable Images from Running
- Zero-Day Vulnerabilities
- Summary
- 8. Strengthening Container Isolation
- Seccomp
- AppArmor
- SELinux
- gVisor
- Kata Containers
- Firecracker
- Unikernels
- Summary
- 9. Breaking Container Isolation
- Containers Run as Root by Default
- Override the User ID
- Root Requirement Inside Containers
- Rootless Containers
- The --privileged Flag and Capabilities
- Mounting Sensitive Directories
- Mounting the Docker Socket
- Sharing Namespaces Between a Container and Its Host
- Sidecar Containers
- Summary
- 10. Container Network Security
- Container Firewalls
- OSI Networking Model
- Sending an IP Packet
- IP Addresses for Containers
- Network Isolation
- Layer 3/4 Routing and Rules
- iptables
- IPVS
- Network Policies
- Network Policy Solutions
- Network Policy Best Practices
- Service Mesh
- Summary
- 11. Securely Connecting Components with TLS
- Secure Connections
- X.509 Certificates
- Public/Private Key Pairs
- Certificate Authorities
- Certificate Signing Requests
- TLS Connections
- Secure Connections Between Containers
- Certificate Revocation
- Summary
- 12. Passing Secrets to Containers
- Secret Properties
- Getting Information into a Container
- Storing the Secret in the Container Image
- Passing the Secret Over the Network
- Passing Secrets in Environment Variables
- Passing Secrets Through Files
- Kubernetes Secrets
- Secrets Are Accessible by Root
- Summary
- 13. Container Runtime Protection
- Container Image Profiles
- Network Traffic Profiles
- Executable Profiles
- Observing executables with eBPF
- File Access Profiles
- User ID Profiles
- Other Runtime Profiles
- Container Security Tools
- Prevention or alerting
- Drift Prevention
- Summary
- 14. Containers and the OWASP Top 10
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
- Summary
- Conclusions
- Security Checklist
- Index