Don’t be a fail whale – secure your containers!

I was pretty stoked to be invited to talk about container security and participate in a panel discussion… I’m not going to lie, it is always a little daunting to be on stage in front of 600 people!

This was my first time attending a Container Camp, and it was really refreshing to attend a tech conference that wasn’t just focused on security (not that I don’t enjoy attending those conferences, eh-hem) and to see demonstrations of how different organisations are implementing new technology to accelerate both their agile and DevOps journey.

My talk, “Don’t be a fail whale: secure your containers” focused on – unsurprisingly – container security. I spoke about threat modelling in the context of containers and how the traditional security toolchain isn’t necessarily appropriate to tackle security threats to containers.

In what might be usually be considered a rather dry topic (especially for those who work outside security) I used as many GIFs and memes as marketing would allow me to in order to engage the audience. Possibly a risky tactic, but I received some good feedback; that people in the audience learned something new about container security, so, mission accomplished!

The container security expert panel consisted of myself, Tsvi Korren from Aqua Security, Ian Da Silva from Twistlock and Michael Ducy from Sysdig. We took some questions from the moderator (the fantastic Andrew Martin) where we talked about container and orchestrator security at a higher, more conceptual level.

A strong theme in the discussion was the “shift to the left” where developers and security activities blend into each other i.e. DevSecOps as part of a continuous delivery cycle. The audience were able to submit questions online, and it was interesting to see that their focus was more around technical configuration questions, particularly around Kubernetes. This is to be expected with relatively new technology that developers are still getting their heads around the best ways to implement.

My favourite “question” was from the individual who tried to delete the question thread with the “DROP TABLE” SQL command. Good job the platform being used had decent SQL injection protection… but nice try from whoever did that. 😉

I hear that Container Camp will be back in Melbourne next year (it’s also in London in September). If you missed it this time and are interested in learning more about container technologies or already use them in your environment, I very much encourage you to attend in the future.

Container Camp talks from previous events can be found on YouTube:

https://www.youtube.com/channel/UCvksXSnLqIVM_uFB7xyrsSg

Sarah Young is a security architect in Versent’s security practice and works with customers to design secure cloud solutions and uplift the security posture of IT environments and processes. She is an advocate of encouraging more women to take up roles in IT, and spends her free time working her way through her “hit list” of hipster brunch establishments.