SANS Network Security offers 40+ cyber security courses in Las Vegas or Live Online. Save $300 thru tomorrow.

SEC584: Defending Cloud Native Infrastructure Beta

Find ways to take this course: Online
Course Syllabus  ·  18 CPEs  ·   Laptop Description

Cloud native infrastructure and service providers are enabling organizations to build and deliver modern systems faster than ever. The end-to-end toolchain supporting the systems includes managed services to create cloud infrastructure, store source code, build containers, and manage clusters. For information security professionals, the attack surface created by these modern systems can be difficult to defend and monitor. SEC584 explores Docker and Kubernetes, key components of the cloud native infrastructure stack, providing in-depth analysis of the attack surface, misconfigurations, attack patterns, and hardening steps. Students will gain hands-on experience building, exploring, and securing real-world modern systems.

SEC584 starts by painting a portrait of the modern cloud-native infrastructure hosted in Google Cloud. After deploying cloud resources, students examine methods of compromise, walk through attack scenarios, and then shift their focus to defending and remediating infrastructure services. This includes hardening Kubernetes orchestrator and workload configuration, deploying security testing and monitoring software in pipelines and clusters, cryptographically signing images and build pipelines, and applying AppArmor and Seccomp profiles to containerized workloads.

The course then shifts its focus to defending a live Kubernetes deployment. After students identify several Kubernetes weaknesses, hands-on exercises attacking and remediating security and network policies and admission controllers will help them lock down the lab environment. Attacks and controls are threat-modeled to ensure they are applied correctly, tested out-of-band to ensure their efficacy, and applied at multiple stages throughout the pipeline to enhance engineers' productivity and feedback loops.


  • Understand why many cloud native services have evolved quickly and without security as a top consideration
  • Secure containerized applications and defend orchestration workloads
  • Leverage automated testing tools to perform security testing and harden your deployments


  • Use real-world exploits to target key application deployment components
  • Understand the risks involved in running cloud native infrastructure
  • Explore vulnerabilities to cloud native deployments through authentication, pipeline, and supply chain exploits
  • Exploit and then secure application deployments via Docker and Kubernetes
  • Determine how vulnerabilities are exploited and how defenses are designed


  • Electronic courseware
  • Course virtual machine with all class labs

Course Syllabus


Section 1 covers the cloud native security model, threat model, and associated infrastructure security practices. This includes deploying and rooting Jenkins to gain remote code execution on a Google Cloud virtual machine to illustrate security considerations of container workloads, as well as a corresponding discussion of defending containerized workloads.

  • Cloud Account Setup
    • Create Google Cloud Platform (GCP) Project
    • Deploy Lab Infrastructure with Terraform
  • Deploy and Root Jenkins
    • Deploy Jenkins in a GCE Virtual Machine
    • Exploit Remote Code Execution in Jenkins
    • Steal Secrets from Docker
    • Break Out of the Jenkins Container
    • Root the GCE virtual Machine
  • Container Security
    • Build Container Images
    • Prioritize Resources with cgroups
    • Isolate Using Namespaces
  • Defending Containerized Workloads
    • Investigate Filesystem Layers of a Container
    • Harden Applications with AppArmor Profiles
    • Block System Calls with seccomp

CPE/CMU Credits: 6

  • What is Cloud Native Security
    • Introduction to Cloud Native Security
    • The Cloud Native Security Model
  • Modern Infrastructure Security Practices
    • Pipeline-Driven Security
    • Cloud Native Threat Model
  • Container Security
    • DevSecOps and Containers
    • Attacking Containerized Workloads
    • Vulnerability Scanning

Section 2 covers concepts related to the containerization of applications, including the risks and benefits of deploying applications in containers. This day will focus specifically on Docker containers, examining how they are created and deployed, reviewing the risks associated with deploying applications in Docker containers, and exploring ways that Docker containers can be hardened and secured.

  • Container Security
    • Configure Docker, Kubernetes, GitHub, and Jenkins
    • Use "distro-less" Container Base Images
    • Lint Dockerfiles to Enforce Policy
  • Container Security Testing
    • Base Images and Goss
    • Security Test Harness with Docker Compose
    • kubesec, kubetest, and pod Security Policies
  • Image Delivery and Registries
    • Docker Trust Sandbox
    • Enabling Notary with Docker
    • Harbor and Notary

CPE/CMU Credits: 6

  • Container Image Security
    • Building Docker Images Safely
    • Base Images and Patching
  • Container Security Testing
    • "Unit Testing" Containers

      • inspec, serverspec, goss, kubesec
    • "Integration Testing" Containers and Pods

      • Docker-compose, Minikube
    • Network Scanning
  • Securing the CI Pipeline
    • Container Image Signing
    • Artifact Repository Security Considerations

Section 3 covers the use of orchestration tools to manage the deployment of containerized applications. This day will focus on the Kubernetes platform. We will look at the potential risks and vulnerabilities associated with Kubernetes as well as how we can secure it through automated scans, proper policy definitions, and continuous intrusion detection.

  • Kubernetes 101
    • Installing Kubernetes
    • Installing a Sample Application
  • Attacking Kubernetes
    • Port Scanning and Banner Detection
    • Rooting the Host from a Privileged Container
    • Pivoting with Disabled Node Authentication
    • etcd Exfiltration
  • Hardening Kubernetes
    • Webhook Admission Controllers
    • Pod Security Policies
    • Harden Security Contexts
    • Remove Hard-Coded Secrets

CPE/CMU Credits: 6

  • Introduction to Kubernetes
    • Kubernetes 101
    • Kubernetes Attack Surface and Vulnerabilities
  • Attacking Kubernetes

    • Kubernetes Attack Surface
  • Hardening Kubernetes
    • CIS Benchmarks
    • Security Policies, Application Delivery, and Secrets Management
    • Container Native Intrusion Detection
  • Automated Security Testing and DevSecOps Workflows
    • Policy and Controls
    • Cluster Compliance
    • Security Testing Kubernetes from Jenkins

Additional Information


Mandatory: Students must bring their own GCP account to complete the exercises. Please ensure that you have done the following before class starts:

Google Cloud Platform

  1. Create a Google account.
  2. Sign up for a GCP free trial.


A properly configured system is required for each student participating in this course. Before starting the course, carefully read and follow these instructions exactly:

  • Download and install VMware Workstation or VMware Fusion on your system prior to the start of the class.
  • If you own a licensed copy of VMware, make sure it is at least VMware Workstation Pro 15+, VMware Fusion 11+.
  • If you do not own a licensed copy of VMware, download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Mandatory Host Hardware Requirements

  • CPU: 64-bit 2.5+ GHz multi-core processor or higher
  • BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
  • Hard Disk: Solid-State Drive (SSD) is MANDATORY with 50GB of free disk space minimum
  • Memory: 16GB of RAM or higher is mandatory for this class (IMPORTANT! 16GB of RAM is MANDATORY)
  • Working USB 2.0 or higher port
  • Wireless Ethernet 802.11 B/G/N/AC
  • Local Administrator Access within your host operating system

Mandatory Host Operating System Requirements

You must use a 64-bit laptop with one of the following operating systems that have been verified to be compatible with course VMware image:

  • Windows (8 or 10)
  • Mac OS X (Catalina, Mojave)

Mandatory Software Requirements

Prior to class, ensure that the following software is installed on the host operating system:

  • VMware Workstation Pro 15+, VMware Fusion 11+
  • Zip File Utility (7Zip or the built-in operating system zip utility)

In summary, before beginning the course you should:

  • Have a laptop with a solid-state drive (SSD), 16GB of RAM, and a 64-bit operating system
  • Install VMware (Workstation or Fusion)
  • Windows Only: Verify that the BIOS settings have the Intel VT virtualization extensions enabled
  • Register a NEW GCP free-tier account prior to the start of class at

If you have additional questions about the laptop specifications, please contact√¬†

If you have additional questions about the laptop specifications, please contact

This course is primarily targeted at

  • Information security professionals
  • DevOps engineers
  • System administrators
  • Operations engineers
  • Developers
  • Software architects
  • Anyone else who is responsible for deploying, managing, and securing modern tools like Docker and Kubernetes in the cloud

The course will also be helpful for security practitioners trying to understand the risks associated with these components.

SEC584 performs a deep dive into defending containerized workloads (Docker) and orchestrators (Kubernetes). Courses or equivalent experiences should include:

  • SEC540 Cloud Security and DevOps Automation (familiarization with DevOps automation, CI/CD tools and processes, and how containers are used to package software)
  • Experience with Linux command shell
  • Experience with Docker and Kubernetes
  • Familiarity with Google Cloud Platform (GCP)

For those looking to prepare ahead of time, check out the following resources:

Docker QuickStart:

Kubernetes Basics:

Terraform Getting Started Guide:

Author Statement

"The proliferation of containers and the growth of Kubernetes and its supporting ecosystem offer a new opportunity for organizations looking to adopt modern development, deployment, and security practices. Containers share their host's kernel and so are more efficient and lightweight than VMs, but they provide a different set of security guarantees. And as cloud providers have built out their managed offerings, the shared responsibility model puts the ultimate responsibility for the security of users' infrastructure on their shoulders.

Highly scalable and resilient distributed systems bring additional complexity, and DevSecOps security can only be achieved with a solid DevOps engineering foundation on which to build. Once this is established, automated security verification can prove the absence of known regressions and reduce the likelihood of unknown vulnerabilities.

Attackers have exploited misconfigured Docker and Kubernetes instances, container and application supply chains, and the cloud infrastructure with which they integrate. This course examines all of these attacks in detail, shows attendees how to undertaken them, and provides detailed remediation and testing steps to ensure cloud native infrastructure is locked down, while still providing value to the business."

- Andy Martin

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.

Find ways to take this course