Securing Container using Threat Modelling— STRIDE

Threat modeling is a structured process through which IT pros can identify potential security threats and vulnerabilities, quantify the seriousness of each, and prioritize techniques to mitigate the attack and protect IT resources.

Understanding the technologies involved, their way of working, functionalities it serves, the methodologies it involves, understanding the environment, identifying vulnerabilities, and framing the potential attackers helps you identify, quantify the threats, and thus creates a systematic and structured Threat Model.

  1. Profiles of potential attackers, including their goals and methods.
  2. A catalog of potential threats that may arise.
  1. Enabling docker content trust using Notary (a tool for publishing and managing trusted collections of content). Publishers can digitally sign collections and consumers can verify the integrity and origin of the content and trusted publishers to ensure pulling cryptographically signed base images are pulled.
  1. Checking for the tag version in the Dockerfiles’ FROM directives rather than the generic “latest” tag for full traceability. This can be achieved by either scanning the dockerfile or using Dockerfile linter like hadolint and dockerfilelint.
  2. Checking the Dockerfiles for Docker directive COPY and not, ADD. The danger of using ADD is that it automatically performs decompression of local files. You may end up downloading malicious software and decompressing them which you didn’t intend to.
  1. Setting up auditd in your docker host (a userspace component to the Linux Auditing System) responsible for writing audit records to the disk.
  1. Looking for sensitive volume mount like /proc, /opt, and rejecting the image from building if it's found to be present in dockerfile.
  2. Running automated dependency scanners to check that we are using the latest, most secure version of our code dependencies. Using scanners like OWASP Dependency Check, RetireJS, Synk, OSSIndex can be effective.
  1. Docker CIS Benchmark recommends having HEALTHCHECK command in dockerfile to make sure the application base process is running correctly. Simply scanning the dockerfile for the HEALTHCHECK directive would do this.
  1. Dockerfile linter also helps to check if the root user is being used to execute the program inside of the container and there on you can reject such images within your pipeline.
  2. One of the Docker CIS Benchmark recommendations is to remove setuid and setgid privileges if not needed.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Avinash Jain (@logicbomb)

Avinash Jain (@logicbomb)

Security Engineer @Microsoft | DevSecOps | Speaker | Breaking stuff to learn | Featured in Forbes, BBC| Acknowledged by Google, NASA, Yahoo, UN etc