The Golden Ticket - Docker and High Security Microservices

Explore the intricacies of building secure microservices architecture using Docker in this 54-minute conference talk. Delve into practical, real-world examples of creating high-security Docker containers, leveraging the latest security features such as User Namespaces and seccomp-bpf. Learn about often-overlooked security principles, network security challenges, secrets management, and application hardening techniques. Gain insights into designing minimal container images, implementing Mandatory Access Control, creating custom AppArmor profiles, and utilizing Seccomp profiles. Discover the security benefits and potential downsides of microservices, and understand how to limit compromises across different OSI layers. Whether you're focused on microservices or general Docker usage, acquire valuable knowledge to enhance your container security practices.

Intro
You've seen Microservices before
Your Legacy Application
The Principle of Least Privilege
The Principle of Least Surprise
The Principle of Least Access
Upsides of Microservices AppSec
Downsides of Microservices AppSec
Exploring Real World Compromise
Limit Compromises: OSI Edition
Layer 7 Authentication: Application
Layer 4/5 (7) Authentication: TLS
Layer 3 Authentication: IPSEC
Containers Map to Microservices
Pruning The Attack Tree
Minimal: Distro
Security starts with the base OS
Minimal Container?
Minimal: Container Images
General idea for Docker
Golang wiki server example
Mandatory Access Control
Nested AppArmor
Custom AppArmor Profiles
AppArmor Profile Gotchas
Why Custom Profiles?
Seccomp Profiles using strace
Seccomp Profiles using Seccomp
General Seccomp Pitfalls
Seccomp in Docker
Seccomp notes
The Problem of Managing Secrets
Other Security Recommendations