Secure Containerized Applications

Erica Windisch

@ewindisch

for

Pattern #1: Isolation

(diagram: Service { Application)

Pattern #2: Consolidation

(not actually a security pattern)

Hypervisors: a case study

  • Xen project: ~38 CVEs in the past 12 months
  • 29 CVEs with a CVSS score >4
  • This is a good thing: it reflects a great, functioning security team.
  • Fewer CVEs for other hypervisors is not indicative of better security; it may mean worse security response.


https://www.cvedetails.com/vulnerability-list/vendor_id-6276/XEN.html

"x86 considered harmful" [1]

VMs do not contain

1. http://blog.invisiblethings.org/2015/10/27/x86_harmful.html

Consolidation may be appropriate for you, but it's not a security pattern.

Pattern #3: Fragmentation (aka isolation)

(micro)Services = isolation

...not more services with more seams

"This seems like a lot of work"

Thank you,

Erica Windisch

erica@windisch.us

@ewindisch

containerdays2015

By Erica Windisch