Erica Windisch

CEO | Founder, IOpipe

@ewindisch

exploring "does it contain"

Drop root; Gain root

Three Patterns...

Isolation

Pattern #1

Service { Application

Consolidation

Pattern #2

(not actually a security pattern)

Hypervisors: a case study

  • Xen project: ~38 CVEs in the past 12 months
  • 29 CVEs with a CVSS score >4
  • This is a good, functioning security team.
  • Fewer CVEs for other hypervisors is not indicative of better security; it may mean worse security response.


https://www.cvedetails.com/vulnerability-list/vendor_id-6276/XEN.html

"x86 considered harmful"

VMs do not contain [1]

1. http://blog.invisiblethings.org/2015/10/27/x86_harmful.html

Consolidation may be appropriate for you, but it's not a security pattern.

Fragmentation

(aka isolation)

Pattern #3

(micro)Services = isolation

...not more services with more seams

Phase #2

user namespaces

DEMO!

Thank you,

Erica Windisch

erica@windisch.us

@ewindisch
