Why should developers care about container security?

Dec 30, 2023

Container scanning tools, industry publications, and application security experts are constantly telling us about best practices for how to build our images and run our containers. Often these non-functional requirements seem abstract and are not described well enough for those of us who don’t have an appsec background to fully understand why they are important.

Sr. Developer Advocate and Docker Captain @ericsmalling goes over several of the most common practices, shows examples of how your workloads can be exploited if they are not followed and, most importantly, explains how to easily find and fix issues when building containers BEFORE you ship them. Additionally, he discusses tactics to minimize exploit exposure by hardening runtime container and Kubernetes configurations.

Links mentioned in the video:

Snyk helps software-driven businesses develop fast and stay secure. Continuously find and fix vulnerabilities for containers, IaC templates, application dependencies, and code for platforms like npm, Maven, NuGet, RubyGems, PyPI and more.

Learn more about Snyk http://bit.ly/snyk-io

TOC:

0:00 - Introduction

0:14 - Container challenges for devs

3:13 - Container exploit demo

9:46 - Catching vulnerable images with Snyk Container

15:56 - Snyk SCM integration and auto fix PRs

17:25 - Defense in depth for mitigating zero-days

18:29 - Hardening container Images

21:40 - Runtime configuration

24:53 - Kubernetes

29:02 - Key takeaways

30:41 - Wrapup
