Mathias Tausig

Turning Container security up to 11 with Capabilities

A compromised sidecar container sniffs traffic between your services. See the attack in action and learn the one setting that stops it cold.

Turning Container security up to 11 with Capabilities
#1about 8 minutes

Demonstrating a man-in-the-middle attack between containers

A proof-of-concept shows how a malicious container can sniff unencrypted traffic between other containers running on the same host.

#2about 5 minutes

Introducing Linux capabilities for granular privilege control

Traditional Unix permissions are an all-or-nothing model, whereas Linux capabilities split root privileges into distinct units for finer control.

#3about 4 minutes

Differentiating between file and process capabilities

Capabilities can be set on files to elevate privileges for specific binaries or on processes to reduce them, with the latter being key for containers.

#4about 3 minutes

Managing default container capabilities in Docker

Docker grants a default set of powerful capabilities to containers, which can be restricted using `cap-drop` and `cap-add` flags.

#5about 4 minutes

Securing deployments by dropping unnecessary capabilities

By dropping all capabilities and only adding back the essential ones, the man-in-the-middle attack is successfully prevented in both Docker and Kubernetes.

#6about 3 minutes

Using capabilities as a defense-in-depth measure

Limiting capabilities does not prevent an initial exploit but significantly reduces the potential impact and blast radius of a compromised container.

Related jobs
Jobs that call for the skills explored in this talk.

Remote

Name of

Name of

Remote
Intermediate
PHP
Java
+1

Matching moments

Leveraging containerization for improved security posture
01:22 MIN

Leveraging containerization for improved security posture

Kubernetes Security - Challenge and Opportunity

Unlock Moments
Create a free account to watch a limited number of Moments each month.
Upgrade to PRO for unlimited access to the full archive.
Security best practices for containers and Kubernetes
06:25 MIN

Security best practices for containers and Kubernetes

Microservices: how to get started with Spring Boot and Kubernetes

Unlock Moments
Create a free account to watch a limited number of Moments each month.
Upgrade to PRO for unlimited access to the full archive.
Securing container images and the software supply chain
01:52 MIN

Securing container images and the software supply chain

Security Challenges of Breaking A Monolith

Unlock Moments
Create a free account to watch a limited number of Moments each month.
Upgrade to PRO for unlimited access to the full archive.
Using containers to improve security and deployment
02:35 MIN

Using containers to improve security and deployment

DevSecOps: Security in DevOps

Unlock Moments
Create a free account to watch a limited number of Moments each month.
Upgrade to PRO for unlimited access to the full archive.
Securing container images against common vulnerabilities
02:30 MIN

Securing container images against common vulnerabilities

Kubernetes Security Best Practices

Unlock Moments
Create a free account to watch a limited number of Moments each month.
Upgrade to PRO for unlimited access to the full archive.
Analyzing the impact of a container vulnerability
05:08 MIN

Analyzing the impact of a container vulnerability

Security Challenges of Breaking A Monolith

Unlock Moments
Create a free account to watch a limited number of Moments each month.
Upgrade to PRO for unlimited access to the full archive.
Why Dockerfile security is a critical foundation
01:35 MIN

Why Dockerfile security is a critical foundation

A practical guide to writing secure Dockerfiles

Unlock Moments
Create a free account to watch a limited number of Moments each month.
Upgrade to PRO for unlimited access to the full archive.
Overcoming the challenges of container-based infrastructure
02:28 MIN

Overcoming the challenges of container-based infrastructure

Building Reliable Serverless Applications with AWS CDK and Testing

Unlock Moments
Create a free account to watch a limited number of Moments each month.
Upgrade to PRO for unlimited access to the full archive.

Featured Partners

Related Videos

See all videos
Kubernetes Security - Challenge and Opportunity42:45

Kubernetes Security - Challenge and Opportunity

Marc Nimmerrichter

Hacking Kubernetes: Live Demo Marathon46:36

Hacking Kubernetes: Live Demo Marathon

Andrew Martin

A practical guide to writing secure Dockerfiles42:25

A practical guide to writing secure Dockerfiles

Madhu Akula

A solution to embed container technologies into automotive environments30:33

A solution to embed container technologies into automotive environments

Falk Langer & Lukas Stahlbock

Enhancing Workload Security in Kubernetes44:00

Enhancing Workload Security in Kubernetes

Dimitrij Klesev & Andreas Zeissner

Open Source Secure Software Supply Chain in action32:55

Open Source Secure Software Supply Chain in action

Natale Vinto

Local Development Techniques with Kubernetes40:00

Local Development Techniques with Kubernetes

Rob Richardson

Kubernetes Security Best Practices23:08

Kubernetes Security Best Practices

Rico Komenda

Related Articles

View all articles
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
Learning Kubernetes made easy with KubeCampus
Learning to use Kubernetes? KubeCampus by Kasten offers free educational content for all skill levels to get you started!Kubernetes is an open-source system for deploying, scaling and managing containerized applications. It allows you to deploy your ...
Learning Kubernetes made easy with KubeCampus
CH
Chris Heilmann
Dev Digest 110 - XY marks the spotty security
This time we give you a collection of links about the XZ backdoor, solve the last CODE100 puzzle, announce the next round of it, let you play with colours and explain why Lava lamps are great to keep the web secure.News and ArticlesThe big piece of n...
Dev Digest 110 - XY marks the spotty security

From learning to earning

Jobs that call for the skills explored in this talk.

Full-Stack Developer

Full-Stack Developer

Friedrich Kicherer GmbH & Co. KG
Ellwangen (Jagst), Germany

Junior
Intermediate
Senior
GIT
Docker
JavaScript
PPH33

PPH33

SabIna compys
Vienna, Austria

Intermediate
Docker
Kubernetes
Amazon Web Services (AWS)