These are the main points I will cover. I will give an introduction to container security, and I will present it through the two main container solutions, Linux containers (LXC) and Docker. I will also talk about the security pipeline and, for containers in general, the set of tools we can find for auditing container images and for auditing the host where we are running our containers. Well, we will try to compare virtual machines with containers. Basically the main difference between these two architectures is that containers are isolated but share the host operating system, its libraries and so on. In Docker, for instance, we have the Docker engine, and in other systems we have another engine for running applications over the same operating system. Well, with virtualization we have separate virtual machines; with containers we have different containers on a single kernel, and the communication between the containers and that kernel happens through what are called syscalls. And containers provide the other mechanisms that I am commenting on now, which provide the security of these systems. These are the basic security mechanisms that containers provide. In general we can see that they provide the main solutions like capabilities, the classic Linux capabilities that we can find in Linux containers and in Docker, for example seccomp, namespaces, the root file system; all of these are the main features that are implemented in containers. I am commenting on them now and will go into details. For example, namespaces basically provide an isolated view of the system where processes cannot see the processes in other containers; basically each container also has its own network stack. And the other feature is cgroups (control groups). Basically it is the main kernel feature that provides limitation, limiting and isolating the resources of the machine: the CPU, the memory, the network and basically the processes that are running in our machine. 
And Linux capabilities basically divide the privileges of root into distinct units, and that is better than the previous all-or-nothing model. Linux containers (LXC), for example, are one of the first solutions. All these features that I have commented on, like namespaces, kernel capabilities and so on, Linux containers provide. There are also other solutions for security, like AppArmor and SELinux. Basically these are the main features that Linux containers provide for security. With Linux containers, basically with one LXC command we can start a single process in a container, or with lxc-start we can boot a specific operating system image with its applications and dependencies. For limiting resources in Linux containers we can use the container's configuration. For example, if we want to limit the memory usage or the CPU we can use specific commands, specific configuration, for these use cases. For example, if we want to limit the memory, what we have to do is what this example shows: we check the free memory in our machine, and when we start the Linux container on this machine we can see that we can limit the memory. With the memory limit configuration we secure the container by limiting its memory in a simple way. Docker provides something similar to the lxc-start command: we have docker run. Basically the docker run command is a combination of cgroups, namespaces and an image. All these components together provide what we are running: our Docker container, from a Docker image. This is the classic container pipeline. When we are working with Docker we have a Docker client with the commands that we can find in Docker, all the commands, and we also have the Docker server (the daemon). This is where docker run is executed. Docker run is the main process that Docker uses for executing the image in the container that we are running. 
This pipeline is completed with the communication with the repositories. The repository we have is the public repository in Docker Hub; we can also have our own private repositories in our organization or on our servers. In Docker Hub we can find the main images of operating systems, servers, and so on. And when we download an image and execute it, what originates is called a container. This container is basically an image that is running in our Docker host. Basically images are layers: when you are pulling an image from a public or private repository you are downloading something that in reality is a file that contains many layers, depending on your application, for example if we are downloading the Ubuntu image or the images of other systems or servers. What we do when working with Docker is add applications, adding layers over the main base image. From the security point of view Docker provides, as I mentioned before, isolation through namespaces and an additional layer of security with AppArmor on Linux. Each container gets its own network stack for communications, and Docker also provides control over resources through control groups. Another interesting feature, for example when we are pulling from Docker Hub, is one created in version 1.8 that is called Docker Content Trust, with which we can verify the integrity of the image. What this feature does is check the checksum of the image when we are pulling from Docker Hub, and in this way we can verify that the image is consistent with the repository we are downloading from. In this example we can see that, to use this feature, we have to enable the DOCKER_CONTENT_TRUST environment variable; in this way, when we are downloading or pulling the Python image from the public repository Docker Hub, we verify its integrity. 
What this feature basically protects against is downloading an image that has been modified; what you get is an image with full integrity from a security point of view. We also have a new command in the newer versions of Docker: the docker trust command. This is experimental. With this command we can manage our Docker images in a different way: we can manage the keys for signing Docker images and we can manage the entities, to check who is signing the Docker image. This is an experimental command but you can try it for checking this kind of security. Docker also provides what are called Docker capabilities. Basically capabilities are a Linux kernel feature, and Docker takes this feature and implements it in Docker. Basically a capability is a unit of privileged action that a process is allowed to perform. A container can have a lot of capabilities that are loaded by default when you install Docker and run it for the first time: you have the default capabilities, but you can, for example, restrict these capabilities. In this example we can see the capabilities that are enabled by default when we are running a container. But we can limit and restrict the default configuration that Docker provides. To do this we can use the --cap-drop flag to restrict this configuration. In this example we can see that we are dropping the NET_RAW capability, which basically restricts that function. In this example I disabled that function in our container and, in general, functions related with the network. In general, what is container security? If we try to summarize the main ideas, it is about limiting and controlling the attack surface you expose on the kernel. This means we follow the principle of least privilege, which says that the best practice at this point is not to run a process in a container as root, to avoid giving root access to attackers in case the container is compromised. 
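As an added example (not part of the talk), this is the check I would run to confirm what --cap-drop actually changed: it decodes a CapEff bitmask read from /proc/<pid>/status and diffs it against the capability set Docker grants by default. The sample status text is constructed; it shows a container started with `--cap-drop NET_RAW`.

```python
# Added example (not from the talk): decode a Linux capability bitmask such as
# the CapEff line of /proc/<pid>/status into names and diff it against the set
# Docker grants by default, so a reviewer can see what --cap-drop / --cap-add did.
# Bit positions follow the kernel's include/uapi/linux/capability.h.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ",
]

# The capability set a Docker container receives when no --cap-* flag is given.
DOCKER_DEFAULT_CAPS = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
}

def decode_caps(mask_hex):
    """Turn a hex bitmask (as printed in /proc/<pid>/status) into a set of names."""
    mask = int(mask_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}

def cap_eff_from_status(status_text):
    """Extract the CapEff value from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    raise ValueError("no CapEff line found")

def diff_against_docker_default(mask_hex):
    """Report which default capabilities were dropped and which extras were added."""
    caps = decode_caps(mask_hex)
    return {"dropped": sorted(DOCKER_DEFAULT_CAPS - caps),
            "added": sorted(caps - DOCKER_DEFAULT_CAPS)}

# Constructed sample: /proc/<pid>/status lines of a process inside a container
# started with `--cap-drop NET_RAW` (0xa80425fb would be the untouched default).
SAMPLE_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80405fb\n"

if __name__ == "__main__":
    print(diff_against_docker_default(cap_eff_from_status(SAMPLE_STATUS)))
```

Inside a real container, `cat /proc/1/status` gives the text to feed to cap_eff_from_status; an unexpected entry under "added" is what to look for after a --privileged or --cap-add run.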
Make the root file system read-only, so that attackers cannot overwrite data or save malicious scripts to files. And in general, limit the kernel system calls that a container can make, to reduce the potential attack surface. This is the main idea of container security. For example, for this limitation there is a flag that we can enable in containers. In Docker, for example, it is the --read-only flag that we can use to prevent an attacker from overwriting the image by creating files and, in general, modifying that image. Another solution we have is seccomp. Seccomp limits the system calls, restricting them based on a policy file, and now we will see an example. Basically seccomp blocks and limits things like kernel manipulation, mounting file systems, changing permissions, changing the owner and cgroups. This is an example where we define a policy with the system calls that we want to disable, to block, when we are executing the Docker image. Basically we use the --security-opt flag and as a parameter we pass a policy JSON file. In this way we are blocking, for example, calls like chmod, chown and mkdir, and we can see that we can block this kind of command and system call. Well, from the security point of view we have two kinds of tools. For the Docker host, which is the machine where Docker is running, we have tools like Docker Bench for Security. This allows auditing our Docker environment and containers; it's an open-source tool for running automated tests. It is a bash script that basically checks many configurations that come by default when we are running Docker, and it shows a report where we can see which configurations we must review for running the Docker container in a more secure way. In this screenshot we can see that we are running it and it shows what is related to the memory usage and the CPU. 
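As an added example (not the talk's own policy file), this builds the kind of blocklist seccomp profile described above for `docker run --security-opt seccomp=<file>`, and then reviews any Docker-format profile against a list of syscalls that should be denied. The syscall list in TALK_POLICY is constructed to match the chmod, chown and mkdir example, extended with their *at and f* variants; rule matching is simplified to the first rule naming a syscall, ignoring argument conditions.

```python
import json

# Added example (not from the talk): build the kind of blocklist seccomp profile
# the talk passes with `docker run --security-opt seccomp=<file>`, and check any
# Docker-format profile against a list of syscalls a hardening review wants
# denied. Rule matching is simplified to "first rule naming the syscall wins";
# argument conditions ("args") in rules are ignored here.
ARCHES = ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"]
DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
                "SCMP_ACT_TRAP"}

def blocklist_profile(blocked):
    """Profile that allows every syscall except `blocked`, which fail with an error."""
    return {
        "defaultAction": "SCMP_ACT_ALLOW",
        "architectures": ARCHES,
        "syscalls": [{"names": sorted(set(blocked)), "action": "SCMP_ACT_ERRNO"}],
    }

def profile_json(profile):
    """Serialise the profile the way it is written to the policy file."""
    return json.dumps(profile, indent=2)

def is_blocked(profile, syscall):
    """True if the profile denies `syscall`: an explicit deny rule, or no allow
    rule under a default-deny profile (Docker's built-in default is default-deny)."""
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or [rule["name"]]  # older profiles use "name"
        if syscall in names:
            return rule["action"] in DENY_ACTIONS
    return profile.get("defaultAction") in DENY_ACTIONS

def review(profile, must_block):
    """Syscalls from `must_block` that the profile still lets through."""
    return sorted(s for s in must_block if not is_blocked(profile, s))

# Constructed policy matching the talk: block permission, ownership and
# directory-creation syscalls, plus their *at / f* variants.
TALK_POLICY = blocklist_profile(["chmod", "fchmod", "fchmodat", "chown",
                                 "fchown", "lchown", "fchownat", "mkdir",
                                 "mkdirat"])

if __name__ == "__main__":
    print(profile_json(TALK_POLICY))
    # mount is not in the blocklist, so a review that asks for it flags it
    print("still allowed:", review(TALK_POLICY, ["chmod", "mkdir", "mount"]))
```

A blocklist profile only denies what it names, so the review function is most useful when run against the allowlist-style default profile Docker ships to confirm a custom policy is not more permissive than it.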
We can also see that we are running our container as read-only, and at a first view we can see whether our Docker container can be a problem or not. It can be useful as a first point of view. We also have other tools like Lynis. Lynis is not specific to Docker but it has an option for auditing our Dockerfile. Basically Lynis is a Unix security auditing tool for system hardening that includes that option, and in a nice way we can see the state of our Docker daemon: which containers are running, what the Docker file permissions are, whether it has any specific options like AppArmor or SELinux; Lynis shows that information in its report. Well, regarding the security pipeline, when we are working with Docker we can have this view of the pipeline. Basically we are working on our machine and we have our software repository, a Git repository for example. And we can have a continuous integration server like Jenkins, for building, testing and packaging the image before pushing that image to the Docker registry. In this way we can ensure that the images are tested and packaged in a more reliable and secure way. We have many solutions like Jenkins, TeamCity and Bamboo; depending on the project configuration we can use various continuous integration tools to enable this process. Regarding container threats, basically when we are running our Docker image in a Docker container we must be careful with these kinds of threats, which can be for example kernel exploits that can be deployed, so depending on whether we have updated our kernel these exploits will work or not. We can also have vulnerabilities like the glibc buffer overflow that we can see in some images; for example if we download the Python image it has these vulnerabilities because it has a vulnerable glibc version. And other threats like SQL injection, or the MongoDB and Elasticsearch ransomware attacks. 
Well, this is for reference, and finally I'll comment on the main image-auditing tools that we have in the Docker ecosystem. With these tools basically we can scan our images for known vulnerabilities. We have Docker Security Scanning, which uses Docker Hub for analyzing the image. Basically what it does is analyze the image for security vulnerabilities in binaries and packages, comparing these binaries with the CVE database, the Common Vulnerabilities and Exposures database, to scan for vulnerabilities in the image. In this example we can see that we are analyzing an image and we detect that some components have specific vulnerabilities because of the versions the image is using. For example the glibc that I commented on before is a threat: if we find this problem it can be a critical threat when we are working with that image. We also have another solution like the Anchore open-source engine, which provides a solution for scanning vulnerabilities in our images as well. It detects the binary packages, what they are, and more information related to the packages that the image is running. Finally, I'm commenting on the main start-ups that we have in general in containers; these start-ups basically provide a solution in the cloud for managing the threats and the vulnerabilities that we have in our images. Thank you.