Mathias Tausig

Turning Container security up to 11 with Capabilities

A compromised sidecar container sniffs traffic between your services. See the attack in action and learn the one setting that stops it cold.

Turning Container security up to 11 with Capabilities
#1about 8 minutes

Demonstrating a man-in-the-middle attack between containers

A proof-of-concept shows how a malicious container can sniff unencrypted traffic between other containers running on the same host.

#2about 5 minutes

Introducing Linux capabilities for granular privilege control

Traditional Unix permissions are an all-or-nothing model, whereas Linux capabilities split root privileges into distinct units for finer control.

#3about 4 minutes

Differentiating between file and process capabilities

Capabilities can be set on files to elevate privileges for specific binaries or on processes to reduce them, with the latter being key for containers.

#4about 3 minutes

Managing default container capabilities in Docker

Docker grants a default set of powerful capabilities to containers, which can be restricted using `cap-drop` and `cap-add` flags.

#5about 4 minutes

Securing deployments by dropping unnecessary capabilities

By dropping all capabilities and only adding back the essential ones, the man-in-the-middle attack is successfully prevented in both Docker and Kubernetes.

#6about 3 minutes

Using capabilities as a defense-in-depth measure

Limiting capabilities does not prevent an initial exploit but significantly reduces the potential impact and blast radius of a compromised container.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Malware campaigns, cloud latency, and government IT theft
01:06 MIN

Malware campaigns, cloud latency, and government IT theft

Fake or News: Self-Driving Cars on Subscription, Crypto Attacks Rising and Working While You Sleep - Théodore Lefèvre

Prompt injection as an unsolved AI security problem
07:39 MIN

Prompt injection as an unsolved AI security problem

AI in the Open and in Browsers - Tarek Ziadé

Comparing the security models of browsers and native apps
05:01 MIN

Comparing the security models of browsers and native apps

Developer Time Is Valuable - Use the Right Tools - Kilian Valkhof

Technical challenges of shipping a cross-platform browser
09:38 MIN

Technical challenges of shipping a cross-platform browser

Developer Time Is Valuable - Use the Right Tools - Kilian Valkhof

The security challenges of building AI browser agents
06:33 MIN

The security challenges of building AI browser agents

AI in the Open and in Browsers - Tarek Ziadé

Crypto crime, EU regulation, and working while you sleep
01:15 MIN

Crypto crime, EU regulation, and working while you sleep

Fake or News: Self-Driving Cars on Subscription, Crypto Attacks Rising and Working While You Sleep - Théodore Lefèvre

Navigating the growing complexity of modern CSS
09:00 MIN

Navigating the growing complexity of modern CSS

WeAreDevelopers LIVE – You Don’t Need JavaScript, Modern CSS and More

Why you might not need JavaScript for everything
02:33 MIN

Why you might not need JavaScript for everything

WeAreDevelopers LIVE – You Don’t Need JavaScript, Modern CSS and More

Featured Partners

Related Videos

See all videos
Kubernetes Security - Challenge and Opportunity42:45

Kubernetes Security - Challenge and Opportunity

Marc Nimmerrichter

Hacking Kubernetes: Live Demo Marathon46:36

Hacking Kubernetes: Live Demo Marathon

Andrew Martin

Kubernetes Security Best Practices23:08

Kubernetes Security Best Practices

Rico Komenda

Docker exec without Docker29:16

Docker exec without Docker

Oliver Seitz

Supply Chain Security and the Real World: Lessons From Incidents24:47

Supply Chain Security and the Real World: Lessons From Incidents

Adrian Mouat

A Hitchhikers Guide to Container Security - Automotive Edition 202421:49

A Hitchhikers Guide to Container Security - Automotive Edition 2024

Reinhard Kugler

Compose the Future: Building Agentic Applications, Made Simple with Docker50:09

Compose the Future: Building Agentic Applications, Made Simple with Docker

Mark Cavage, Tushar Jain, Jim Clark & Yunong Xiao

101 Typical Security Pitfalls28:41

101 Typical Security Pitfalls

Alexander Pirker

Related Articles

View all articles
AG
Andre Braun, GitLab
Now is the time for industrialized software development
Now is the time for industrialized software development Recently, I received a letter from my car’s manufacturer alerting me to a recall. They had discovered a defective part and wanted to replace it. It was easily fixed, and I might have forgotten a...
Now is the time for industrialized software development
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
DC
Daniel Cranney
Understanding and Mitigating Common Web Vulnerabilities
Vulnerabilities exist in many forms on the web, and attackers continue to find creative ways to exploit them. Technological advances like the proliferation of AI are of course exciting nd filled with opportunities, they equally present opportunities ...
Understanding and Mitigating Common Web Vulnerabilities

From learning to earning

Jobs that call for the skills explored in this talk.

Devops Container Engineer

Devops Container Engineer

Softwarezentrum Böblingen/Sindelfingen e.V.
Böblingen, Germany

Remote
Intermediate
GIT
Bash
Azure
Linux
+5