Muutke küpsiste eelistusi

Container Security: Fundamental Technology Concepts that Protect Containerized Applications [Pehme köide]

4.54/5 (322 hinnangut Goodreads-ist)
  • Formaat: Paperback / softback, 165 pages, kõrgus x laius: 233x178 mm
  • Ilmumisaeg: 17-Apr-2020
  • Kirjastus: O'Reilly Media
  • ISBN-10: 1492056707
  • ISBN-13: 9781492056706
Teised raamatud teemal:
  • Pehme köide
  • Hind: 54,01 €*
  • * hind on lõplik, st. muud allahindlused enam ei rakendu
  • Tavahind: 63,54 €
  • Säästad 15%
  • Raamatu kohalejõudmiseks kirjastusest kulub orienteeruvalt 2-4 nädalat
  • Kogus:
  • Lisa ostukorvi
  • Tasuta tarne
  • Tellimisaeg 2-4 nädalat
  • Lisa soovinimekirja
Container Security: Fundamental Technology Concepts that Protect Containerized ApplicationsSuurem pilt
  • Formaat: Paperback / softback, 165 pages, kõrgus x laius: 233x178 mm
  • Ilmumisaeg: 17-Apr-2020
  • Kirjastus: O'Reilly Media
  • ISBN-10: 1492056707
  • ISBN-13: 9781492056706
Teised raamatud teemal:
Püsilink: https://www.kriso.ee/db/9781492056706.html
Märksõnad:
"This practical book examines key underlying technologies to help developers, operators, and security professionals assess security risks and determine appropriate solutions. Author Liz Rice, VP of open source engineering at Aqua Security, looks at how the building blocks commonly used in container-based systems are constructed in Linux."

To facilitate scalability and resilience, many organizations now run applications in cloud native environments using containers and orchestration. But how do you know if the deployment is secure? This practical book examines key underlying technologies to help developers, operators, and security professionals assess security risks and determine appropriate solutions.

Author Liz Rice, VP of open source engineering at Aqua Security, looks at how the building blocks commonly used in container-based systems are constructed in Linux. You&;ll understand what&;s happening when you deploy containers and learn how to assess potential security risks that could affect your deployments. If you run container applications with kubectl or docker and use Linux command-line tools such as ps and grep, you&;re ready to get started.

  • Explore attack vectors that affect container deployments
  • Dive into the Linux constructs that underpin containers
  • Examine measures for hardening containers
  • Understand how misconfigurations can compromise container isolation
  • Learn best practices for building container images
  • Identify container images that have known software vulnerabilities
  • Leverage secure connections between containers
  • Use security tooling to prevent attacks on your deployment
Preface ix
1 Container Security Threats
1(12)
Risks, Threats, and Mitigations
2(1)
Container Threat Model
3(3)
Security Boundaries
6(1)
Multitenancy
7(3)
Shared Machines
8(1)
Virtualization
8(1)
Container Multitenancy
9(1)
Container Instances
10(1)
Security Principles
10(2)
Least Privilege
10(1)
Defense in Depth
11(1)
Reducing the Attack Surface
11(1)
Limiting the Blast Radius
11(1)
Segregation of Duties
11(1)
Applying Security Principles with Containers
11(1)
Summary
12(1)
2 Linux System Calls, Permissions, and Capabilities
13(10)
System Calls
13(1)
File Permissions
14(5)
Setuid and setgid
16(3)
Linux Capabilities
19(2)
Privilege Escalation
21(1)
Summary
22(1)
3 Control Groups
23(8)
Cgroup Hierarchies
23(1)
Creating Cgroups
24(2)
Setting Resource Limits
26(1)
Assigning a Process to a Cgroup
27(1)
Docker Using Cgroups
28(1)
Cgroups V2
29(1)
Summary
30(1)
4 Container Isolation
31(24)
Linux Namespaces
32(1)
Isolating the Hostname
33(2)
Isolating Process IDs
35(3)
Changing the Root Directory
38(3)
Combine Namespacing and Changing the Root
41(1)
Mount Namespace
42(1)
Network Namespace
43(2)
User Namespace
45(3)
User Namespace Restrictions in Docker
48(1)
Inter-process Communications Namespace
48(1)
Cgroup Namespace
49(1)
Container Processes from the Host Perspective
50(2)
Container Host Machines
52(1)
Summary
53(2)
5 Virtual Machines
55(10)
Booting Up a Machine
55(2)
Enter the VMM
57(2)
Type 1 VMMs, or Hypervisors
57(1)
Type 2 VMM
58(1)
Kernel-Based Virtual Machines
59(1)
Trap-and-Emulate
59(1)
Handling Non-Virtualizable Instructions
60(1)
Process Isolation and Security
61(1)
Disadvantages of Virtual Machines
62(1)
Container Isolation Compared to VM Isolation
63(1)
Summary
63(2)
6 Container Images
65(18)
Root Filesystem and Image Configuration
65(1)
Overriding Config at Runtime
66(1)
OCI Standards
66(1)
Image Configuration
67(1)
Building Images
68(3)
The Dangers of docker build
68(1)
Daemonless Builds
69(1)
Image Layers
69(2)
Storing Images
71(1)
Identifying Images
72(2)
Image Security
74(1)
Build-Time Security
74(3)
Provenance of the Dockerfile
74(1)
Dockerfile Best Practices for Security
75(2)
Attacks on the Build Machine
77(1)
Image Storage Security
77(1)
Running Your Own Registry
78(1)
Signing Images
78(1)
Image Deployment Security
78(2)
Deploying the Right Image
79(1)
Malicious Deployment Definition
79(1)
Admission Control
79(1)
GitOps and Deployment Security
80(1)
Summary
81(2)
7 Software Vulnerabilities in Images
83(12)
Vulnerability Research
83(1)
Vulnerabilities, Patches, and Distributions
84(1)
Application-Level Vulnerabilities
85(1)
Vulnerability Risk Management
85(1)
Vulnerability Scanning
85(1)
Installed Packages
86(1)
Container Image Scanning
87(2)
Immutable Containers
87(1)
Regular Scanning
88(1)
Scanning Tools
89(2)
Sources of Information
89(1)
Out-of-Date Sources
89(1)
Won't Fix Vulnerabilities
89(1)
Subpackage Vulnerabilities
90(1)
Package Name Differences
90(1)
Additional Scanning Features
90(1)
Scanner Errors
90(1)
Scanning in the CI/CD Pipeline
91(2)
Prevent Vulnerable Images from Running
93(1)
Zero-Day Vulnerabilities
94(1)
Summary
94(1)
8 Strengthening Container Isolation
95(10)
Seccomp
95(2)
AppArmor
97(1)
SELinux
98(2)
Gvisor
100(2)
Kata Containers
102(1)
Firecracker
103(1)
Unikernels
103(1)
Summary
104(1)
9 Breaking Container Isolation
105(12)
Containers Run as Root by Default
105(6)
Override the User ID
106(1)
Root Requirement Inside Containers
107(2)
Rootless Containers
109(2)
The --privileged Flag and Capabilities
111(2)
Mounting Sensitive Directories
113(1)
Mounting the Docker Socket
114(1)
Sharing Namespaces Between a Container and Its Host
115(1)
Sidecar Containers
115(1)
Summary
116(1)
10 Container Network Security
117(14)
Container Firewalls
117(2)
OSI Networking Model
119(1)
Sending an IP Packet
120(1)
IP Addresses for Containers
121(1)
Network Isolation
122(1)
Layer 3/4 Routing and Rules
123(2)
Iptables
123(2)
IPVS
125(1)
Network Policies
125(4)
Network Policy Solutions
127(1)
Network Policy Best Practices
128(1)
Service Mesh
129(1)
Summary
130(1)
11 Securely Connecting Components with TLS
131(10)
Secure Connections
131(1)
X.509 Certificates
132(4)
Public/Private Key Pairs
133(1)
Certificate Authorities
134(2)
Certificate Signing Requests
136(1)
TLS Connections
136(2)
Secure Connections Between Containers
138(1)
Certificate Revocation
138(1)
Summary
139(2)
12 Passing Secrets to Containers
141(8)
Secret Properties
141(1)
Getting Information into a Container
142(3)
Storing the Secret in the Container Image
143(1)
Passing the Secret Over the Network
144(1)
Passing Secrets in Environment Variables
144(1)
Passing Secrets Through Files
145(1)
Kubernetes Secrets
145(1)
Secrets Are Accessible by Root
146(2)
Summary
148(1)
13 Container Runtime Protection
149(8)
Container Image Profiles
149(6)
Network Traffic Profiles
150(1)
Executable Profiles
150(2)
File Access Profiles
152(1)
User ID Profiles
152(1)
Other Runtime Profiles
153(1)
Container Security Tools
153(2)
Drift Prevention
155(1)
Summary
156(1)
14 Containers and the OWASP Top 10
157(6)
Injection
157(1)
Broken Authentication
157(1)
Sensitive Data Exposure
158(1)
XML External Entities
158(1)
Broken Access Control
158(1)
Security Misconfiguration
159(1)
Cross-Site Scripting XSS
159(1)
Insecure Deserialization
159(1)
Using Components with Known Vulnerabilities
160(1)
Insufficient Logging and Monitoring
160(1)
Summary
161(2)
Conclusions 163(2)
Appendix. Security Checklist 165(2)
Index 167
Liz Rice is the Technology Evangelist with container security specialists Aqua Security, where she also works on container-related open source projects including kube-hunter, kube-bench and manifesto. She was Co-Chair of the CNCF's KubeCon + CloudNativeCon 2018 events in Copenhagen, Shanghai and Seattle.