<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Sep 16, 2017, at 10:21 PM, Jim Kinney <<a href="mailto:jim.kinney@gmail.com" class="">jim.kinney@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">From a sysadmin perspective, containers make it far to easy to bypass all security protocols. Until it's live, it's a binary blob waiting to suck in code from unknown sources and send information to unknown locations. Virtual machine security is better and more understood than containers.<span class="Apple-converted-space"> </span></span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""></div></blockquote><div><br class=""></div><div>You host your own hub. That’s the answer. We’re prevented from “reaching out” to the ‘net for anything at all. I’ve built my own container registries internally, and only pull images *I* have rolled from there. I never touch DockerHub.</div><div><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Until I can get a SHA256 signed docker container with sig I trust, I can't allow them to touch my storage cluster.</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""></div></blockquote><div><br class=""></div><div>Again, the setup is necessary, but you can completely lock it down to your own internal resources. This is a non-issue.</div><br class=""><blockquote type="cite" class=""><div class=""><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">How do containers get updated for security patches? They don't. Toss it and rebuild. </span></div></blockquote><div><br class=""></div><div>You do it. Don’t rely on Docker or the community. Roll your own images (just like folks who use custom AMIs) and maintain full control of “all the things”.</div><br class=""><blockquote type="cite" class=""><div class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">That sets up a churn of install new containers which will in time dull the build process security focus. </span></div></blockquote><div><br class=""></div><div><br class=""></div><div>Which is why we automate. I personally use Puppet, as that is my SME domain, but I’ve seen workflows for both Chef and Ansible. Also a non-issue.</div><div><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Time passes and a mission critical process is running on a gaping security hole that can't be patched because the F+@$ing developer who built it got a better job offer and left. </span></div></blockquote><div><br class=""></div><div>All containers should be curated by Systems. The Developers should submit them for security scanning, or you should employ a DevSecOps model for deployment. i.e., federate security scanning by providing OS, App, transport, penetration, and network security testing as APIs that devs can leverage instead of leaving them to security. Left to their own devices, unreasonable deploy timelines set for them, and golf-playing pointy-hairs with unreasonable ship date requirements, it’ll never happen.</div><div><br class=""></div><div>This should all be automated and part of a security CI/CD pipeline without which a “pass” from the security field, cannot ever be deployed into production. This is how we do it.</div><div><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Developers don't have the responsibility for the integrity of the system, network, environment. Just their code. The sysadmin is on the hook for that blob of festering code rot that lets <fill in a cracking team name here> gain root in a container attached to a few TB of patient/banking/insurance/ANYTHING data and suddenly the sysadmin makes headline news .</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""></div></blockquote></div><br class=""><div class="">Which doesn’t really happen in containerized applications. ESPECIALLY if you’re orchestrating them properly, and the curation of the containers is where they belong: in Systems and Security circles.</div><div class=""><br class=""></div><div class="">FUD doesn’t play well here, and this smacks of FUD to me. </div><div class=""><br class=""></div><div class="">Not to call you out, Jim. :D</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">The real issue is automation should be a core component of Security, Operations, QA, Development, AND Deployment. None of this crap should be touched with human hands any more. That’s how you end up with an Equifax website with a U/P of admin:admin, thus this morning’s news.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">—jms</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div></body></html>