AppSecCali 2019 Lightning Talk - How to Lose a Container in 10 Minutes
Moving to the cloud and deploying containers? In this talk I discuss both the mindset shift and tech challenges, with some common mistakes made in real-life deployments and some real-life (albeit redacted) examples. We’ll also look at what happens to a container that’s been left open to the Internet for the duration of the talk.
Despite the fact that many organisations are already using/wanting to use containers and quite possibly moving to the cloud at the same time, I find that there is still an inherent lack of understanding from both devs and security teams as to how containerised applications should be designed and run. Many teams simply try to run a containerised application like it would be run on a virtual machine or in the traditional monolithic application stack, and to accompany that they use the traditional security toolset. This opens up the potential for security breaches and/or simply an ineffective application that doesn't take advantage of the benefits containerised environments provide.
As I'm conscious this could be a bit of a dry topic and I don't want it to sound like a lecture, my talk has many GIFs and memes and real-life examples (they are redacted as I can't name where I saw some of these, unfortunately). More seriously though, it includes relevant stories and was developed with input from my real-life experiences and some stories from other engineers and security professionals. I will spin up a container in WebGo and leave it open to the Internet for the talk, and see what happens to it during the course of the talk.
Sarah Young
Cloud Security and Compliance Specialist, Microsoft
Sarah is a cloud security and compliance specialist working for Microsoft and based in Melbourne, Australia. She has a decade of experience in tech and is particularly interested in cloud security, container/orchestrator security and good ol' fashioned networking and infrastructure.