Department of the Air Force Integrity Service Excellence

DoD Enterprise DevSecOps Initiative
Ask Me Anything Event: Container Security

Mr. Nicolas Chaillan
Chief Software Officer, U.S. Air Force
Co-Lead, DoD Enterprise DevSecOps Initiative

V1.0 – UNCLASSIFIED

CSO Website – Continuously Updated!

Want to find information about the DevSecOps initiative and the CSO?
- Our latest documents/videos: https://software.af.mil/dsop/documents/
- Our latest training videos/content: https://software.af.mil/training/
- Platform One Services: https://software.af.mil/dsop/services/
- More information about:
  - Platform One On-Boarding: https://software.af.mil/team/platformone/
  - Cloud One: https://software.af.mil/team/cloud-one/
  - Repo One: https://repo1.dso.mil
  - Iron Bank: https://ironbank.dso.mil
  - Registry One: https://registry1.dso.mil
  - DevStar: https://software.af.mil/dsop-devstar/
- Our Events/News: https://software.af.mil/events/

Platform One Services

Full details at: https://software.af.mil/dsop/services/

- Repo One – DoD Centralized Container Source Code Repository (DCCSCR): container source code, Infrastructure as Code, Kubernetes (K8s) distributions, etc.
  - Repo One is the central repository for the source code used to create hardened and evaluated containers for the Department of Defense. It also holds the source code of various open-source products and the Infrastructure as Code used to harden Kubernetes distributions.
  - Repo One is currently operated at https://repo1.dso.mil/dsop/.
- Iron Bank – DoD Centralized Artifacts Repository (DCAR): 350+ containers available.
  - Iron Bank is the DoD repository of digitally signed, binary container images (COTS/FOSS/GOTS) that have been hardened according to the Iron Bank Container Hardening Guide. Containers accredited in Iron Bank have DoD-wide reciprocity across classifications.
  - Iron Bank is currently operated at https://ironbank.dso.mil/.

Contribute your containers and get your COTS/FOSS containers accredited!

- Containers are the easiest way to get accredited DoD-wide across multiple classifications.
- Containers accredited in the Iron Bank repository have DoD-wide reciprocity across classifications.
- Check out the vendor on-boarding guide at: https://repo1.dsop.io/dsop/dccscr/tree/master/contributoronboarding
- By complying with the DoD Enterprise DevSecOps Container Hardening Guide (latest version at https://software.af.mil/dsop/documents/), you can have your containers (FOSS/COTS/GOTS) accredited for DoD use.
- Recommended: use the hardened, STIG-compliant UBI 8 images (Universal Base Image, a lightweight RHEL that does not require a license) or the distroless images from the Iron Bank repo as your base image, so you do not have to STIG your container's base OS yourself. Use the binary signed version from Iron Bank; do not rebuild it.
- Key aspects:
  - Your container must build offline: no downloads in the Dockerfile. Any dependencies must be listed in the hardening manifest.
  - You are responsible for updating your dependencies. Mitigation alone is not enough; updating dependencies is critical.
  - You must automate the push to Iron Bank so we always have access to the latest release.
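The two build rules above (signed Iron Bank base image, no downloads in the Dockerfile) can be checked mechanically before a contribution is submitted. The script below is an added example, not Iron Bank's own tooling: it lints a Dockerfile for FROM lines that do not pull from registry1.dso.mil and for network fetches in RUN or ADD steps, and runs against two constructed sample Dockerfiles that it writes to a temp directory. The sample image path and tag, and the list of fetch commands it recognizes, are this example's assumptions rather than Iron Bank policy.

```shell
#!/bin/sh
# Added example (not Iron Bank tooling): pre-submission lint for two contribution
# rules. Sample Dockerfiles below are constructed; the fetch-command list is an
# assumption of this example, not the official hardening guide.

# Join backslash-continued lines so a multi-line RUN is inspected as one instruction.
normalize_dockerfile() {
  awk '/\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0 " "; next }
       { print buf $0; buf = "" }' "$1"
}

# Rule 1: every FROM must reference the signed registry1.dso.mil image (never a public
# hub image, never a locally rebuilt base). Prints offenders; returns 1 if any.
check_base_images() {
  bad=$(normalize_dockerfile "$1" \
        | grep -Ei '^[[:space:]]*FROM[[:space:]]' \
        | grep -Eiv 'FROM[[:space:]]+(--platform=[^[:space:]]+[[:space:]]+)?registry1\.dso\.mil/' || true)
  [ -z "$bad" ] && return 0
  printf 'VIOLATION base image not from registry1.dso.mil:\n%s\n' "$bad"
  return 1
}

# Rule 2: the build must work offline. No RUN step may fetch from the network and no
# ADD may use a URL; dependencies belong in the hardening manifest. pip is accepted
# only with --no-index (local wheel directory). Prints offenders; returns 1 if any.
check_no_downloads() {
  lines=$(normalize_dockerfile "$1")
  bad=$( printf '%s\n' "$lines" | grep -Ei '^[[:space:]]*RUN[[:space:]].*([[:space:]](curl|wget)[[:space:]]|git[[:space:]]+clone|go[[:space:]]+get|npm[[:space:]]+(install|ci))' || true
         printf '%s\n' "$lines" | grep -Ei '^[[:space:]]*RUN[[:space:]].*pip3?[[:space:]]+install' | grep -Eiv -- '--no-index' || true
         printf '%s\n' "$lines" | grep -Ei '^[[:space:]]*ADD[[:space:]]+https?://' || true )
  [ -z "$bad" ] && return 0
  printf 'VIOLATION network fetch during build:\n%s\n' "$bad"
  return 1
}

# Both rules; returns 0 only when the Dockerfile passes both.
lint_dockerfile() {
  rc=0
  check_base_images "$1" || rc=1
  check_no_downloads "$1" || rc=1
  return $rc
}

# Constructed samples (image path/tag are illustrative, not a real pinned release).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GOOD_DF="$WORK/Dockerfile.good"
BAD_DF="$WORK/Dockerfile.bad"

cat > "$GOOD_DF" <<'EOF'
FROM registry1.dso.mil/ironbank/redhat/ubi/ubi8:8.7
COPY app-1.0.0.tar.gz /tmp/
COPY wheels/ /tmp/wheels/
RUN tar -xzf /tmp/app-1.0.0.tar.gz -C /opt && \
    rm -f /tmp/app-1.0.0.tar.gz
RUN pip3 install --no-index --find-links /tmp/wheels app
USER 1001
EOF

cat > "$BAD_DF" <<'EOF'
FROM python:3.11-slim
RUN apt-get update && \
    curl -sSL https://example.invalid/app-1.0.0.tar.gz -o /tmp/app.tar.gz
ADD https://example.invalid/config.yaml /etc/app/config.yaml
RUN pip install requests
EOF

for f in "$GOOD_DF" "$BAD_DF"; do
  if lint_dockerfile "$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
done
```

The check is a heuristic: a fetch hidden inside a script that is COPYed into the image, or a package manager pointed at a remote repository, will not be caught, so the real guarantee still comes from building in a network-isolated environment. The lint is useful because it rejects the common mistakes (public base images, curl/wget/pip straight from the internet) before the pipeline does.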

What is the Sidecar Container Security Stack?

Two scanning solutions are mandated to limit false positives and false negatives: we find that results from different scanners are too disparate to rely on a single one.

SCSS:
- Baked-in Zero Trust security down to the container/function level, with mTLS strong identities using Istio (Envoy);
- Automated centralized logging and telemetry with Elasticsearch, Beats/Fluentd, Kibana (EBK);
- Container security: continuous CVE scanning, behavior detection both in development and production (build, registry, runtime), and alerting with Aqua, Prisma, NeuVector or StackRox;
- Container security and insider threat (custom policies detecting unapproved changes to Dockerfiles) with Anchore;
- Automated STIG compliance with OpenSCAP.

How to pick a Container Security Stack?

- Must be containerized on Iron Bank, and the vendor must automatically update its Iron Bank container.
- Supports traditional CVE scanning at build, registry and runtime; assess which data/signature feeds it supports and ingests.
- Runtime is FOUNDATIONAL: must be capable of detecting behavioral drift at runtime with a prevention mode (kill the container), not just a detection mode.
- Must be easily injected across workloads without tight coupling to the workload containers.
- Must support various compliant CNCF Kubernetes distributions.
- Must be able to run on-premise (no SaaS) and air-gapped, and provide a way to sneaker-net feeds in.
- Dashboards can bring a lot of value, particularly if capable of displaying real-time traffic between containers and ingress/egress.
- Must be able to integrate with service meshes like Istio to provide end-to-end north/south and east/west visibility.
- Should help enforce the security of Kubernetes itself as well (nodes/master/etcd, etc.).
- Should embrace the GitOps mentality (no changes in production through the UI!!!).
- Should feed into Open Policy Agent policies and Admission Controller enforcement.
- Support for non-Kubernetes workloads can be a plus for legacy stacks.

Thank You!

Nicolas Chaillan
Chief Software Officer, U.S. Air Force
af.cso@us.af.mil – https://software.af.mil