Turning Container security up to 11 with Capabilities
A compromised sidecar container sniffs traffic between your services. See the attack in action and learn the one setting that stops it cold.
#1about 8 minutes
Demonstrating a man-in-the-middle attack between containers
A proof-of-concept shows how a malicious container can sniff unencrypted traffic between other containers running on the same host.
#2about 5 minutes
Introducing Linux capabilities for granular privilege control
Traditional Unix permissions are an all-or-nothing model, whereas Linux capabilities split root privileges into distinct units for finer control.
#3about 4 minutes
Differentiating between file and process capabilities
Capabilities can be set on files to elevate privileges for specific binaries or on processes to reduce them, with the latter being key for containers.
#4about 3 minutes
Managing default container capabilities in Docker
Docker grants a default set of powerful capabilities to containers, which can be restricted using `cap-drop` and `cap-add` flags.
#5about 4 minutes
Securing deployments by dropping unnecessary capabilities
By dropping all capabilities and only adding back the essential ones, the man-in-the-middle attack is successfully prevented in both Docker and Kubernetes.
#6about 3 minutes
Using capabilities as a defense-in-depth measure
Limiting capabilities does not prevent an initial exploit but significantly reduces the potential impact and blast radius of a compromised container.
Related jobs
Jobs that call for the skills explored in this talk.
Dev Digest 138 - Are you secure about this?Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Daniel Cranney
The Overflow: 5 Security and Privacy Tools for DevelopersWe’re back again with another edition of the Overflow, where we share some of the best tools we’ve found from around the web that we just couldn’t cram into the already jam-packed editions of the Dev Digest.
So let’s take a look at five security and ...
Daniel Cranney
Understanding and Mitigating Common Web VulnerabilitiesVulnerabilities exist in many forms on the web, and attackers continue to find creative ways to exploit them.
Technological advances like the proliferation of AI are of course exciting nd filled with opportunities, they equally present opportunities ...
Daniel Cranney
Dev Digest 216: CyberSec + Mythos, Stack Overflow for Agents & DOOM in TTFInside last week’s Dev Digest 216 .
🧠 Prompts are now tools in Chrome
📜 The AI Coding Agent Manifesto
🔐 How Claude Mythos changes Cyber Security
🧱 GitHub Stacked PRs to battle AI slop
⚙️ Git commands to run before reading code
🐍 A Python framework f...
From learning to earning
Jobs that call for the skills explored in this talk.
42:45
46:36
42:25
44:00
30:33
40:00
32:55
43:39
