The Docker security workshop is a great course to get some more insights and hands-on experience with Docker security. The topics in this course are the absolute fundamentals of what you should know to work with Docker responsibly. It goes from building minimalistic images to real live exploitation and mitigation of containerized solutions. The strictly Docker related part takes only half day.
In the one-day long (extended) version of the course we will not only learn Docker security, but also get means to continuously scan for vulnerabilities in for both appsec and infrastructure. Armed with this knowledge we can get a great understanding of the progression of the security maturity of your company. However, knowledge is useless if we have no effective way to handle it. Because of this the 'Security test automation' part of the course also introduces means of setting up a vulnerability management process.
title: Docker security
duration: normal: 0.5 day (3hrs education time); extended: 1 day
developed by: Riccardo ten Cate
This topic will talk about the Docker security fundamentals such as using minimalistic images, principle of least privilege etc.
How do we scan our docker images for security continuously even before we deploy them to production? What are the best practices for vulnerability scanning on Docker images.
Using minimalistic images is a nice way to get starting. However, for very critical infrastructure
we may want to build our own images from scratch.
By deploying applications through Docker it becomes more important than ever to handle your secrets correctly. Are all your secrets in one place? are they not checked in into version control? Are they laying around in your CI tools?
Let's play this hands-on CTF game where we effectively need to break out of a Docker container and take over the host machine.
When using Docker it is essential to prevent key-sprawl. Secrets and API keys are often overlooked and leave an enormous attack surface that can be abused. How does Vault work, and how does it help secure your delivery pipeline.
How to create a scalable and CI platform agnostic approach for integrating security test automation into your organizations CI/CD pipelines.
When scanning your containers and infrastructure continuously for vulnerabilities it is essential to have a process and a vulnerability management system in place to handle all the metrics that are generated by your favorite tooling.
* -- available in the extended course version