All right. First up is just running in Docker. This requires you to sort of create an argument, because this is probably... if you're having a barrier with this, right, just using Docker, number one. If you can't get this done... well, one, you're probably watching my show. But that probably means you have a security team, or management, that has read something somewhere that there's security around Docker.

The latest thing was, if you scroll down to the bottom of this issue, is that there are images out there now. And, you know, it's not news to anyone that if you run random software off the Internet without checking it first, you may end up with a virus. Basically, people are creating images on Docker Hub with cryptocurrency or cryptojacking tools inside them that will essentially run... you know, you think you're running this other piece of software, but you're really running something nefarious for the hackers. Well, this is not new, and Docker doesn't necessarily make this any easier than anything else. We all know the rules. Don't run random images, just like you wouldn't run random code on your server. You don't download random stuff from the Internet. So, don't do that in images.

Only run official images or those that you absolutely trust. Meaning, you know the vendor. The vendor is staking their relationship with you on that image, and you don't necessarily have to scan the image with every line of code. But, you know, you're using reputable products from reputable companies, right. If you're doing that, this whole... this recent news thing that made a bunch of headlines doesn't even matter. It wasn't a vulnerability in Docker. It was people configuring Docker by disabling security that was on out-of-the-box and then going and downloading random software and images. Of course, they're going to have problems, right. I think the real news there is that hackers are getting more sophisticated. They know more of us are running containers, so they will start putting viruses in container images, right. And Docker Hub does not scan every image. It only scans for security issues in official images. That's not a feature of Docker Hub anymore. Well, they never did it for everyone because there's millions, there's, I don't know, 30 million images. You could pay them in the past, and, you know, you can't pay them anymore for that. All right.

Step one is just using Docker. In case you didn't know, when you use Docker out-of-the-box, it is already hardening the application in there. One, that application can't see the rest of what's running on the system. So, it can't even access the rest of this stuff running. It's just only what's in that container, right. The real big thing there, though, is that a container in Docker enables a bunch of Linux security features that normally, if you just run apps on the host, aren't enabled by default. That includes Seccomp, AppArmor, SELinux and kernel capabilities. Those four things are all inside of Docker and enabled by default, assuming your host supports them, because not every Linux distribution supports every security tool. But those four things, especially AppArmor, Seccomp and Linux capabilities, are enabled out-of-the-box for every container you run. Which is why sometimes, for certain applications, you know you have to run it like --privileged. You kind of have to run it with the privileged mode.

That's because those defaults are conflicting with whatever that app wants to do. Because those defaults that Docker sets are common for most applications to work correctly. So, Docker basically went through a whole bunch of tools way back in the day, scanned a whole bunch of common open source software, and figured out what they all tend to have in common in terms of rights, in terms of permissions on the host. They took the rest of them, you know, hundreds of other things that the regular applications can have access to, and they took them away. That resulted in Docker having a very secure default profile. So, if you just run Nginx on a host, it has access to everything in the kernel that that user has access to, which is usually most of everything. But, if you run it in a container, it locks so much of that down that it's automatically secure... more secure, out-of-the-box, even if you didn't customize any of those things. That's my argument for, like, why Docker for security. Just do it, and you automatically get all these things enabled. Most people don't know about how to use AppArmor or how to use Seccomp, or SELinux, how to customize those things for each application. But, Docker did, and that's what they do out-of-the-box.