My focus for the rest of the day (and the main reason I am really here at DockerCon this year) was to learn more about container security, a subject I'm still fairly new to. The funny thing about container security, though, is that it isn't really all that different from non-container application security. You are still dealing with finding vulnerabilities in the compiled code, you are still monitoring your processes to make sure they aren't executing suspicious operations, and you are still trying to keep on top of vulnerabilities in all your dependencies, so that when new vulnerabilities are found you know exactly which applications are affected and can start your remediation plan to address the issues.
I could go into laborious detail on all the individual sessions I attended, but I won't. Because really, security is something that you either know how to do because you have been effectively doing it already, or, if you are just starting your container journey, you are better off exploring solutions that experts in the field have developed that do the hard work for you - scanning your images, updating the database of known vulnerabilities, and monitoring processes on all your servers.
I talked to several vendors in the field, including Twistlock, Sysdig, Aqua, Black Duck, and Datadog, and the offerings are all really good. You are going to have to meet with them and discuss your security needs and what kind of apps you are going to be running, and you are going to find that some of these tools are more focused on monitoring while others are more focused on scanning and alerting you to known vulnerabilities. You might have to mix and match tools to address the requirements of both your developers and your operations staff.
One session, however, talked about security best practices, and it goes beyond having tools in place to prevent attackers from exploiting vulnerabilities. It's more about every step in your software development lifecycle, and the content was so useful that I'm going to write it up as its own blog entry. Stay tuned for that one, but in the meantime, they pointed us to a GitHub site with some tools that you can use to put security checks into your development process right away - simple vulnerability checks that don't require bringing in vendors or working with your IT department to allocate resources to run the tools. They are simple tools that you just plug in to the other tools you are already using. Check it out here:
That was day 2 of DockerCon, and there is still another full day of fun stuff coming up tomorrow. Docker may still have some new and exciting announcements, so I'm really looking forward to it. If you attended DockerCon in 2017, you will recall that they announced several projects like the Moby Project and LinuxKit on the second full day, so I wouldn't be shocked if they have something as fun and powerful as that saved up for tomorrow.
I'll be live tweeting again during the general session that starts at 9am PST, so follow me on Twitter at @openshiftninja. Looking forward to talking to you all more tomorrow!