SEC584: Cloud Native Security: Defending Containers and Kubernetes

  • In Person (3 days)
18 CPEs

SEC584 will perform a deep dive into defending key infrastructure deployment components, focusing on containerization and orchestration exploits. Students will be thrust directly into detailed issues related to misconfiguration and known attack patterns and will learn how to properly harden and protect against these exploits.

Course Authors:

What You Will Learn

Deploy Securely At The Speed Of Cloud Native

Cloud native infrastructure and service providers are enabling organizations to build and deliver modern systems faster than ever. The end-to-end toolchain supporting the systems includes managed services to create cloud infrastructure, store source code, build containers, and manage clusters. For information security professionals, the attack surface created by these modern systems can be difficult to defend and monitor. SEC584 explores Docker and Kubernetes, key components of the cloud native infrastructure stack, providing in-depth analysis of the attack surface, misconfigurations, attack patterns, and hardening steps. Students will gain hands-on experience building, exploring, and securing real-world modern systems through an offensive lens.

SEC584 starts by painting a portrait of the modern cloud-native infrastructure hosted in Google Cloud. After deploying cloud resources, students examine methods of compromise, walk through attack scenarios, and then shift their focus to defending and remediating infrastructure services. This includes hardening Kubernetes orchestrator and workload configuration, deploying security testing and monitoring software in pipelines and clusters, cryptographically signing images and build pipelines, and applying AppArmor and Seccomp profiles to containerized workloads.

The course then shifts its focus to defending a live Kubernetes deployment. After students identify several Kubernetes weaknesses, hands-on exercises attacking and remediating security and network policies and admission controllers will help them lock down the lab environment. Attacks and controls are threat-modeled to ensure they are applied correctly, tested out-of-band to ensure their efficacy, and applied at multiple stages throughout the pipeline to enhance engineers' productivity and feedback loops.


  • Understand why many cloud native services have evolved quickly and without security as a top consideration
  • Secure containerized applications and defend orchestration workloads
  • Leverage automated testing tools to perform security testing and harden your deployments


  • Use real-world exploits to target key application deployment components
  • Understand the risks involved in running cloud native infrastructure
  • Explore vulnerabilities to cloud native deployments through authentication, pipeline, and supply chain exploits
  • Exploit and then secure application deployments via Docker and Kubernetes
  • Determine how vulnerabilities are exploited and how defenses are designed


  • Printed and Electronic courseware
  • Course virtual machine with all class labs

Syllabus (18 CPEs)

Download PDF
  • Overview

    Section 1 covers the cloud native security model, threat model, and associated infrastructure security practices. This includes deploying and rooting Jenkins to gain remote code execution on a Google Cloud virtual machine to illustrate security considerations of container workloads, introducing and deploying our first Kubernetes cluster, and starting to learn how to defend it by attacking.


    Cloud Account Setup

    • Create Google Cloud Platform (GCP) Project
    • Deploy Lab Infrastructure with Terraform

    Deploy and Root Jenkins

    • Deploy Jenkins in a GCE Virtual Machine
    • Exploit a Remote Code Execution vulnerability in Jenkins
    • Steal Secrets from Docker
    • Break Out of the Jenkins Container
    • Root the GCE virtual Machine

    Kubernetes 101

    • Installing Kubernetes
    • Installing a Sample Application

    Attacking Kubernetes

    • Port Scanning and Banner Detection
    • Gaining a foothold
    • Container escapes and Kubernetes pivots
    • etcd Exfiltration

    What is Cloud Native Security

    • Introduction to Cloud Native Security
    • The Cloud Native Security Model

    Modern Infrastructure Security Practices

    • Pipeline-Driven Security
    • Cloud Native Threat Model

    Kubernetes 101

    • Introduction to Kubernetes
    • Kubernetes Attack Surface and Vulnerabilities

    Attacking Kubernetes

    • Kubernetes Attack Surface
  • Overview

    Section 2 covers concepts related to the containerization of applications, including the risks and benefits of deploying applications in containers. We look at Docker containers, examining how they are created, maintained, and deployed. Then we review the risks associated with deploying applications in Docker containers, and explore ways that Docker containers and CI/CD can be hardened and secured.


    Container Security

    • Build Container Images
    • Prioritize Resources with cgroups
    • Isolate Using Namespaces

    Container Image Security

    • Configure Docker, Kubernetes, GitHub, and Jenkins
    • Use distro-less Container Base Images
    • Lint Dockerfiles to Enforce Policy

    Hardening Kubernetes

    • Admission Control
    • Pod Security Policies
    • Hardening Security Contexts
    • Finding Secrets

    Securing the CI Pipeline

    • Securing the CI Server
    • Attacking Image Delivery and Registries

    Container Security

    • DevSecOps and Containers
    • Attacking Containerized Workloads

    Container Image Security

    • Building Docker Images Safely
    • Base Images and Patching

    Hardening Kubernetes

    • Hardening the Orchestrator
    • Admission Control
    • Secure Secrets Management

    Securing the CI Pipeline

    • Securing the CI Server
    • Attacking Image Delivery and Registries
  • Overview

    Section 3 focuses further on attacking containerized applications, and protecting them with Kubernetes-native solutions. We look at the potential risks and vulnerabilities associated with Kubernetes workloads, as well as how we can secure them through automated scans, proper policy definitions, and continuous intrusion detection.


    Defending Containerized Workloads

    • Investigate Filesystem Layers of a Container
    • Harden Applications with AppArmor Profiles
    • Block System Calls with seccomp

    Policy and Controls

    • Admission controllers
    • Security Policies, Application Delivery, and Secrets Management
    • Cluster Compliance and CIS Benchmarks

    Container Security Testing

    • Base image testing and management
    • Security test harnesses from dev to CI
    • Configuration testing

    Attacking Image Delivery and Registries

    • Docker Trust Sandbox
    • Enabling Notary with Docker
    • Harbor and Notary


    Attacking Containerized Workloads

    • Attacking Containerized Workloads
    • CVEs and Image Vulnerability Scanning

    Policy and Controls

    • Kubernetes security boundaries
    • Security Testing Kubernetes and DevSecOps
    • Network Policy
    • Runtime Security and Intrusion Detection

    Container Security Testing


    • Unit Testing Containers
    • Integration Testing Containers and Pods
    • Network Scanning

    Attacking Image Delivery and Registries

    • Container Image Signing
    • Artefact Repository Security Considerations


SEC584 performs a deep dive into defending containerized workloads (Docker) and orchestrators (Kubernetes). Courses or equivalent experiences should include:

  • SEC540 Cloud Security and DevOps Automation (familiarization with DevOps automation, CI/CD tools and processes, and how containers are used to package software)
  • Experience with Linux command shell
  • Experience with Docker and Kubernetes
  • Familiarity with Google Cloud Platform (GCP)

For those looking to prepare ahead of time, check out the following resources:

Docker QuickStart:

Kubernetes Basics:

Terraform Getting Started Guide:

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

Mandatory: Students must bring their own GCP account to complete the exercises. Please ensure that you have done the following before class starts:

Google Cloud Platform

  1. Create a Google account.
  2. Sign up for a GCP free trial.


A properly configured system is required for each student participating in this course. Before starting the course, carefully read and follow these instructions exactly:

  • Download and install VMware Workstation or VMware Fusion on your system prior to the start of the class.
  • If you own a licensed copy of VMware, make sure it is at least VMware Workstation Pro 15+, VMware Fusion 11+.
  • If you do not own a licensed copy of VMware, download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Mandatory Host Hardware Requirements

  • CPU: 64-bit 2.5+ GHz multi-core processor or higher
  • BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
  • Hard Disk: Solid-State Drive (SSD) is MANDATORY with 50GB of free disk space minimum
  • Memory: 16GB of RAM or higher is mandatory for this class (IMPORTANT! 16GB of RAM is MANDATORY)
  • Working USB 2.0 or higher port (for in-person events only)
  • Wireless Ethernet 802.11 B/G/N/AC
  • Local Administrator Access within your host operating system

Mandatory Host Operating System Requirements

You must use a 64-bit laptop with one of the following operating systems that have been verified to be compatible with course VMware image:

  • Windows (8 or 10)
  • Mac OS X (Catalina, Mojave) Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

Mandatory Software Requirements

Prior to class, ensure that the following software is installed on the host operating system:

  • VMware Workstation Pro 15+, VMware Fusion 11+
  • Zip File Utility (7Zip or the built-in operating system zip utility)

In summary, before beginning the course you should:

  • Have a laptop with a solid-state drive (SSD), 16GB of RAM, and a 64-bit operating system
  • Install VMware (Workstation or Fusion)
  • Windows Only: Verify that the BIOS settings have the Intel VT virtualization extensions enabled
  • Register a NEW GCP free-tier account prior to the start of class at

If you have additional questions about the laptop specifications, please contact

Author Statement

"The proliferation of containers and the growth of Kubernetes and its supporting ecosystem offer a new opportunity for organizations looking to adopt modern development, deployment, and security practices. Containers share their host's kernel and so are more efficient and lightweight than VMs, but they provide a different set of security guarantees. And as cloud providers have built out their managed offerings, the shared responsibility model puts the ultimate responsibility for the security of users' infrastructure on their shoulders.

Highly scalable and resilient distributed systems bring additional complexity, and DevSecOps security can only be achieved with a solid DevOps engineering foundation on which to build. Once this is established, automated security verification can prove the absence of known regressions and reduce the likelihood of unknown vulnerabilities.

Attackers have exploited misconfigured Docker and Kubernetes instances, container and application supply chains, and the cloud infrastructure with which they integrate. This course examines all of these attacks in detail, shows attendees how to undertaken them, and provides detailed remediation and testing steps to ensure cloud native infrastructure is locked down, while still providing value to the business."

- Andy Martin & Eric Johnson

"Very knowledgeable, especially appreciate the extra anecdotes and background as that was especially useful in my learning experience today." - Jacob Austin


Great content. Loads of new things to learn. Relevant to real world tasks.
Nii Akai-Nettey
Lots of information and lots of content. I learned a lot, and I thought I knew a lot about dockers and containers.
SEC584 Beta 1 Student
Lots of content for the course and all valuable and useful for my learning.
Jacob Austin

    Register for SEC584

    • In Person

    Training events and topical summits feature presentations and courses in classrooms around the world.

    Learn more
    • Live Online

    Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

    Learn more
    • OnDemand

    Study and prepare for GIAC Certification with four months of online access. Includes labs and exercises, and support.

    Learn more