Turning Container security up to 11 with Capabilities
A compromised sidecar container sniffs traffic between your services. See the attack in action and learn the one setting that stops it cold.
#1about 8 minutes
Demonstrating a man-in-the-middle attack between containers
A proof-of-concept shows how a malicious container can sniff unencrypted traffic between other containers running on the same host.
#2about 5 minutes
Introducing Linux capabilities for granular privilege control
Traditional Unix permissions are an all-or-nothing model, whereas Linux capabilities split root privileges into distinct units for finer control.
#3about 4 minutes
Differentiating between file and process capabilities
Capabilities can be set on files to elevate privileges for specific binaries or on processes to reduce them, with the latter being key for containers.
#4about 3 minutes
Managing default container capabilities in Docker
Docker grants a default set of powerful capabilities to containers, which can be restricted using `cap-drop` and `cap-add` flags.
#5about 4 minutes
Securing deployments by dropping unnecessary capabilities
By dropping all capabilities and only adding back the essential ones, the man-in-the-middle attack is successfully prevented in both Docker and Kubernetes.
#6about 3 minutes
Using capabilities as a defense-in-depth measure
Limiting capabilities does not prevent an initial exploit but significantly reduces the potential impact and blast radius of a compromised container.
Related jobs
Jobs that call for the skills explored in this talk.
Matching moments
01:22 MIN
Leveraging containerization for improved security posture
Kubernetes Security - Challenge and Opportunity
06:25 MIN
Security best practices for containers and Kubernetes
Microservices: how to get started with Spring Boot and Kubernetes
01:52 MIN
Securing container images and the software supply chain
Security Challenges of Breaking A Monolith
02:35 MIN
Using containers to improve security and deployment
DevSecOps: Security in DevOps
02:30 MIN
Securing container images against common vulnerabilities
Kubernetes Security Best Practices
05:08 MIN
Analyzing the impact of a container vulnerability
Security Challenges of Breaking A Monolith
01:35 MIN
Why Dockerfile security is a critical foundation
A practical guide to writing secure Dockerfiles
02:28 MIN
Overcoming the challenges of container-based infrastructure
Building Reliable Serverless Applications with AWS CDK and Testing
Dev Digest 138 - Are you secure about this?Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Learning Kubernetes made easy with KubeCampusLearning to use Kubernetes? KubeCampus by Kasten offers free educational content for all skill levels to get you started!Kubernetes is an open-source system for deploying, scaling and managing containerized applications. It allows you to deploy your ...
Chris Heilmann
Dev Digest 110 - XY marks the spotty securityThis time we give you a collection of links about the XZ backdoor, solve the last CODE100 puzzle, announce the next round of it, let you play with colours and explain why Lava lamps are great to keep the web secure.News and ArticlesThe big piece of n...
42:45
46:36
42:25
30:33
44:00
32:55
40:00
23:08
.png?w=240&auto=compress,format)
