The Docker-Denver Meetup group’s February get-together featured Tsvi Korren, a CISSP from Aqua Security, who shared some valuable insights about how to optimize security for the Docker containers that you create and deploy, and how to work with your security team from the initial deployment onward. This lets the engineer deploy a more secure solution with a greatly reduced chance of having to wipe out an already-deployed container and re-create it because a security issue was discovered later. Given the focus of Aqua’s business, it seems unlikely that the Docker-Denver group could have found a more ideal expert – at least within the Denver metropolitan area.
Some of the insights that he shared were:
- How to identify what security people want, and how to work with them;
- The image that you build from is going to have the largest impact on the overall security posture of your product(s);
- The risk posture of pre-packaged images is unknown (but can be audited using freely available tools);
- The first encounter with the security team is only the beginning of the process.
(There’s quite a bit more that I would love to share, but I don’t want to run afoul of ‘fair use’ guidelines.)
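To make two of those points concrete, here is an added example that is not from the talk, the post, or Aqua Security: a small POSIX shell pre-flight check for a Dockerfile. It enforces the idea that the base image decides most of the security posture (so it should be pinned to an immutable digest rather than a mutable tag, and the build should drop root), and it emits a scanner command for every external base image so a pre-packaged image is audited before it is trusted. Both Dockerfiles, the `sha256` digest (a placeholder, not a real image digest), and the choice of Trivy as the "freely available tool" are my assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the talk or from Aqua Security.
# Checks a Dockerfile for a digest-pinned base image and a non-root USER,
# and prints a scan command per external base image. Runs offline.

# Print the image reference of each FROM line, without build flags
# (--platform=...) and without the "AS name" alias. Named build stages and
# "scratch" are skipped: there is nothing external to pin or scan there.
base_images() {
    stages=$(grep -iE '^[[:space:]]*FROM[[:space:]]' "$1" \
        | sed -nE 's/.*[[:space:]][Aa][Ss][[:space:]]+([^[:space:]]+).*/\1/p')
    grep -iE '^[[:space:]]*FROM[[:space:]]' "$1" \
      | sed -E 's/^[[:space:]]*[Ff][Rr][Oo][Mm][[:space:]]+//; s/--[^[:space:]]+[[:space:]]+//g; s/[[:space:]]+[Aa][Ss][[:space:]]+.*$//' \
      | while IFS= read -r ref; do
            [ "$ref" = "scratch" ] && continue
            skip=0
            for s in $stages; do [ "$ref" = "$s" ] && skip=1; done
            [ "$skip" -eq 0 ] && printf '%s\n' "$ref"
        done
}

# 0 if every external base image is pinned by sha256 digest, 1 otherwise.
# A tag such as :latest can be re-pushed with different contents; a digest cannot.
base_images_pinned() {
    base_images "$1" | grep -vE '@sha256:[0-9a-f]{64}$' | grep -q . && return 1
    return 0
}

# 0 if the last USER instruction switches away from root, 1 otherwise
# (no USER at all means the container runs as root by default).
drops_root() {
    last_user=$(grep -iE '^[[:space:]]*USER[[:space:]]' "$1" | tail -n 1 | awk '{print $2}')
    case "$last_user" in
        ''|root|root:*|0|0:*) return 1 ;;
        *) return 0 ;;
    esac
}

# One scanner invocation per distinct external base image. Trivy is my choice
# of a freely available scanner; the commands are printed, not executed.
scan_commands() {
    base_images "$1" | sort -u | while IFS= read -r ref; do
        printf 'trivy image --severity HIGH,CRITICAL %s\n' "$ref"
    done
}

# --- constructed sample Dockerfiles -----------------------------------------
WEAK=$(mktemp)
HARD=$(mktemp)

# Typical first draft: floating tag, runs as root.
cat >"$WEAK" <<'EOF'
FROM node:latest
COPY . /app
WORKDIR /app
RUN npm install
CMD ["node", "server.js"]
EOF

# Hardened draft: digest-pinned base (placeholder digest), multi-stage build,
# non-root user. Real digests come from the registry (e.g. `docker pull` output).
cat >"$HARD" <<'EOF'
FROM --platform=$BUILDPLATFORM node:20-alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS build
WORKDIR /app
COPY . .
RUN npm ci --omit=dev
FROM node:20-alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
COPY --from=build /app /app
USER node
CMD ["node", "/app/server.js"]
EOF

# Human-readable report for one Dockerfile.
report() {
    printf '== %s ==\n' "$2"
    base_images_pinned "$1" && echo "base images pinned: yes" || echo "base images pinned: NO"
    drops_root "$1" && echo "drops root: yes" || echo "drops root: NO"
    echo "audit with:"; scan_commands "$1" | sed 's/^/  /'
}

report "$WEAK" "weak"
report "$HARD" "hardened"
```

Run it as-is to see the two reports side by side; point the functions at your own Dockerfile to use it as a pre-commit or CI gate. Pinning by digest means a base image update is a deliberate, reviewed change rather than something that silently arrives on the next build, which is exactly the kind of conversation the security team wants to have before deployment rather than after.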
One of the central ideas that Mr. Korren conveyed was that security should be kept in mind at all stages of the creation and deployment process, and he included specific suggestions to that effect. All in all, this was one of the most worthwhile talks that I’ve attended in quite a while, and I’m very glad that I had the opportunity.
