Practical Course: Container Security
Introductory Meeting
Slides of the introductory meeting on February 5th.
Schedule
We will meet biweekly on Wednesday from 14:00 to 17:00 in 01.09.014. The dates are:
- Wednesday, 17.04
- Wednesday, 08.05
- Wednesday, 22.05
- Wednesday, 05.06
- Wednesday, 19.06
- Wednesday, 03.07
- Wednesday, 17.07
Content
Modern software architectures rely heavily on containers which represents one of the fundamental technologies for rapid and agile deployments. Containers can package applications into isolated, self-contained units, support dynamic up- and down-scaling, and are best known as “Docker” containers or in the context of the fleet orchestrator Kubernetes.
This course will cover all aspects of the container lifecycle, e.g., how to build more secure container images or how to operate containers more securely. By the end of the practicum, students have a thorough understanding of key security considerations for containers and are equipped with the skills and knowledge needed to design, deploy and manage container environments securely.The key topics to be covered in the course include:
- Attack surface reduction via multistage builds and minimized base images, e.g., Google distroless
- Runtime restrictions, e.g., via seccomp profiles and Linux capabilities
- Rootless container runtimes, e.g., podman
- Anomaly detection for containers, e.g., via falco
- Container image signing
- K8s native network restrictions
- Policy enforcement with Open Policy Agent
- Role-based access control on orchestrated container runtimes
- Secret and certificate management, e.g., Vault and cert-manager
- Secure logging
- Service meshes, e.g., Istio and Cilium
- Vulnerability scanning, e.g., trivy
Previous Knowledge Expected
Compulsory prerequisite courses for bachelor’s students:
- IN0006: Introduction to Software Engineering
- IN0009: Basic Principles: Operating Systems and System Software
- IN0010: Grundlagen Rechnernetze und Verteilte Systeme
- IN0042: IT Sicherheit
Objective
- Understand security measures in the context of software containers, and the underlying OS concepts
- Develop secure and reliable systems based on software containers
Teaching and Learning Method
On a biweekly basis, the students learn new concepts of container security and manifest the concepts by applying them in practical exercises. Furthermore, students work in groups of 3 on a given container project and apply the studied concepts there. The final grade is a combination of their performance in the practical exercises and the project’s result presentation.
You should expect to work 15-20 hours a week for this practical course.
Miscellaneous
Language: English
Level: B.Sc. und M.Sc. (IN0012, IN2106)
Lecturers: Benedikt Hofmann, Patrick Stöckle from Siemens Technology, Cybersecurity & Trust
If you have questions regarding the organization of this practical course, you can write an email.