Time: 10:30 AM - 12:30 PM
This workshop introduces students to the security concepts associated with Docker. Docker is popular software that is widely used in the information technology industry. Its popularity also brings a larger attack surface, so it is important to understand its security aspects in order to protect Docker containers. This workshop is designed for students at any experience level. If you have never used Docker, that's fine: we cover the required basics. If you have used Docker to containerize your applications, we cover some advanced topics such as escaping from containers to the host using misconfigured containers, installing kernel modules from containers, etc. Regardless of your experience with Docker, we have got you covered here.
Section 1: Fundamentals of Docker
• Lab setup
• Introduction to Docker
• Virtual Machines vs Containers
• Building your first Docker image
• Running your first docker container
• Images vs Containers
• Cleaning up Docker images and containers
• Cgroups, namespaces and capabilities
Section 2: Docker Security
• Docker Attack surface
• Vulnerable images
• Backdooring existing images
• Privilege escalation using volume mounts
• Container escape using docker.sock
• Container escape using dangerous capabilities
• Abusing the --privileged flag
• Abusing Docker remote API
• Accessing Secrets
• Automated tools for vulnerability assessments
• Defending using AppArmor and seccomp profiles
Pre-requisites for the attendees:
• Students must bring a laptop with VirtualBox installed.
Srinivas, who works for a bank as a Red Team member, is an Offensive Security Certified Professional (OSCP) and is passionate about Information Security. He authored a book titled “Hacking Android”. He worked as a Penetration Tester in the past and has hands-on experience in DevSecOps, Container Security, Web Application Security, Infrastructure Security, Mobile Application Security, IoT Security and Embedded Software Exploit Development (ARM & MIPS). He is one of the authors of FuzzAPI, a REST API vulnerability scanner. He is a speaker at Defcon 26 IoT Village and has delivered several talks and hands-on workshops at regional infosec events in India and Singapore.
Abhijeth Dugginapeddi is an AppSec dude working as lead Security @Bigcommerce, Mentor @wesecureapp and an Adjunct lecturer at UNSW in Australia. Previously worked with Adobe Systems, TCS and Sourcenxt. Security Enthusiast in the fields of Penetration Testing, Application/Mobile/Infrastructure Security. Believes in the need for more security awareness and free responsible disclosures. Got lucky in finding a few vulnerabilities with Google, Yahoo, Facebook, Microsoft, Ebay, Dropbox, etc. and is one among the Top 5 researchers in Synack, a bug bounty platform. Got a chance to speak at Defcon, Blackhat, OWASP AppSec USA, c0c0n, Secure-2018 Poland, CISO Summit, etc.