Container Security. Fundamental Technology Concepts that Protect Containerized Applications - Helion

ebook

Autor: Liz Rice
ISBN: 9781492056713
stron: 200, Format: ebook
Data wydania: 2020-04-06
Księgarnia: Helion

Cena książki: 152,15 zł (poprzednio: 176,92 zł)
Oszczędzasz: 14% (-24,77 zł)

Osoby, które kupiły tę książkę, wybierały także »

Tagi: Bezpieczeństwo systemów

To facilitate scalability and resilience, many organizations now run applications in cloud native environments using containers and orchestration. But how do you know if the deployment is secure? This practical book examines key underlying technologies to help developers, operators, and security professionals assess security risks and determine appropriate solutions.

Author Liz Rice, Chief Open Source Officer at Isovalent, looks at how the building blocks commonly used in container-based systems are constructed in Linux. You'll understand what's happening when you deploy containers and learn how to assess potential security risks that could affect your deployments. If you run container applications with kubectl or docker and use Linux command-line tools such as ps and grep, you're ready to get started.

Explore attack vectors that affect container deployments
Dive into the Linux constructs that underpin containers
Examine measures for hardening containers
Understand how misconfigurations can compromise container isolation
Learn best practices for building container images
Identify container images that have known software vulnerabilities
Leverage secure connections between containers
Use security tooling to prevent attacks on your deployment

Osoby które kupowały "Container Security. Fundamental Technology Concepts that Protect Containerized Applications", wybierały także:

Profesjonalne testy penetracyjne. Zbuduj własne środowisko do testów 67,42 zł, (20,90 zł -69%)
Spring Security. Kurs video. Metody zabezpieczania aplikacji webowych 69,00 zł, (31,05 zł -55%)
Bezpieczeństwo systemów informatycznych. Zasady i praktyka. Wydanie IV. Tom 2 99,00 zł, (49,50 zł -50%)
Hartowanie Linuksa we wrogich środowiskach sieciowych. Ochrona serwera od TLS po Tor 59,00 zł, (29,50 zł -50%)
Przetwarzanie danych w dużej skali. Niezawodność, skalowalność i łatwość konserwacji systemów 89,00 zł, (44,50 zł -50%)

Spis treści

Container Security. Fundamental Technology Concepts that Protect Containerized Applications eBook -- spis treści

Preface
- Who This Book Is For
- What This Book Covers
- A Note about Kubernetes
- Examples
- How to Run Containers
- Feedback
- Conventions Used in This Book
- Using Code Examples
- OReilly Online Learning
- How to Contact Us
- Acknowledgments
1. Container Security Threats
- Risks, Threats, and Mitigations
- Container Threat Model
- Security Boundaries
- Multitenancy
  - Shared Machines
  - Virtualization
  - Container Multitenancy
  - Container Instances
- Security Principles
  - Least Privilege
  - Defense in Depth
  - Reducing the Attack Surface
  - Limiting the Blast Radius
  - Segregation of Duties
  - Applying Security Principles with Containers
- Summary
2. Linux System Calls, Permissions, and Capabilities
- System Calls
- File Permissions
  - setuid and setgid
    - Security implications of setuid
- Linux Capabilities
- Privilege Escalation
- Summary
3. Control Groups
- Cgroup Hierarchies
- Creating Cgroups
- Setting Resource Limits
- Assigning a Process to a Cgroup
- Docker Using Cgroups
- Cgroups V2
- Summary
4. Container Isolation
- Linux Namespaces
- Isolating the Hostname
- Isolating Process IDs
- Changing the Root Directory
- Combine Namespacing and Changing the Root
- Mount Namespace
- Network Namespace
- User Namespace
  - User Namespace Restrictions in Docker
- Inter-process Communications Namespace
- Cgroup Namespace
- Container Processes from the Host Perspective
- Container Host Machines
- Summary
5. Virtual Machines
- Booting Up a Machine
- Enter the VMM
  - Type 1 VMMs, or Hypervisors
  - Type 2 VMM
  - Kernel-Based Virtual Machines
- Trap-and-Emulate
- Handling Non-Virtualizable Instructions
- Process Isolation and Security
- Disadvantages of Virtual Machines
- Container Isolation Compared to VM Isolation
- Summary
6. Container Images
- Root Filesystem and Image Configuration
- Overriding Config at Runtime
- OCI Standards
- Image Configuration
- Building Images
  - The Dangers of docker build
  - Daemonless Builds
  - Image Layers
    - Sensitive data in layers
- Storing Images
- Identifying Images
- Image Security
- Build-Time Security
  - Provenance of the Dockerfile
  - Dockerfile Best Practices for Security
  - Attacks on the Build Machine
- Image Storage Security
  - Running Your Own Registry
  - Signing Images
- Image Deployment Security
  - Deploying the Right Image
  - Malicious Deployment Definition
  - Admission Control
- GitOps and Deployment Security
- Summary
7. Software Vulnerabilities in Images
- Vulnerability Research
- Vulnerabilities, Patches, and Distributions
- Application-Level Vulnerabilities
- Vulnerability Risk Management
- Vulnerability Scanning
- Installed Packages
- Container Image Scanning
  - Immutable Containers
  - Regular Scanning
- Scanning Tools
  - Sources of Information
  - Out-of-Date Sources
  - Wont Fix Vulnerabilities
  - Subpackage Vulnerabilities
  - Package Name Differences
  - Additional Scanning Features
  - Scanner Errors
- Scanning in the CI/CD Pipeline
- Prevent Vulnerable Images from Running
- Zero-Day Vulnerabilities
- Summary
8. Strengthening Container Isolation
- Seccomp
- AppArmor
- SELinux
- gVisor
- Kata Containers
- Firecracker
- Unikernels
- Summary
9. Breaking Container Isolation
- Containers Run as Root by Default
  - Override the User ID
  - Root Requirement Inside Containers
  - Rootless Containers
- The --privileged Flag and Capabilities
- Mounting Sensitive Directories
- Mounting the Docker Socket
- Sharing Namespaces Between a Container and Its Host
- Sidecar Containers
- Summary
10. Container Network Security
- Container Firewalls
- OSI Networking Model
- Sending an IP Packet
- IP Addresses for Containers
- Network Isolation
- Layer 3/4 Routing and Rules
  - iptables
  - IPVS
- Network Policies
  - Network Policy Solutions
  - Network Policy Best Practices
- Service Mesh
- Summary
11. Securely Connecting Components with TLS
- Secure Connections
- X.509 Certificates
  - Public/Private Key Pairs
  - Certificate Authorities
  - Certificate Signing Requests
- TLS Connections
- Secure Connections Between Containers
- Certificate Revocation
- Summary
12. Passing Secrets to Containers
- Secret Properties
- Getting Information into a Container
  - Storing the Secret in the Container Image
  - Passing the Secret Over the Network
  - Passing Secrets in Environment Variables
  - Passing Secrets Through Files
- Kubernetes Secrets
- Secrets Are Accessible by Root
- Summary
13. Container Runtime Protection
- Container Image Profiles
  - Network Traffic Profiles
  - Executable Profiles
    - Observing executables with eBPF
  - File Access Profiles
  - User ID Profiles
  - Other Runtime Profiles
  - Container Security Tools
    - Prevention or alerting
- Drift Prevention
- Summary
14. Containers and the OWASP Top 10
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting XSS
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
- Summary
Conclusions
Security Checklist
Index