OWASP / Docker-Security

Getting a handle on container security
https://owasp.org/www-project-docker-top-10/

Other threats (+testing guide) #23

Open javixeneize opened 4 years ago

javixeneize commented 4 years ago

Hi

I have some other threats to add to this (good) list

I don't know if those qualify for the top 10, but for sure in a Docker security guide.

Would you be accepting a PR where I add those? I have contributed before to the mobile testing guide and I will be glad to contribute here too :)

drwetter commented 4 years ago

Thanks!

You're right. Partly, however, it is there, in the threat model at least; see https://github.com/OWASP/Docker-Security/blob/master/001%20-%20Threats.md.

The concrete point belongs to D08. This needs to be filled with content, and it was planned for the spring, when I had more time than I have now. Feel free to start with what you intended, similar to the scheme of the other points which have content. PRs are appreciated.

For k8s: Sigh, yes. What I had in mind is to at least add something like a remark in the respective points, like "you should use a proper network policy", "pod security policy" and "not rely on the IMO defaults". So in a sense mention the weak points but do not go too much into detail.

Aut0R3V commented 3 years ago

Can this issue be closed?

javixeneize commented 3 years ago

Hi

I haven't had time to do this, apologies. Yes, close it and at some point I will try to complete it.

drwetter commented 3 years ago

I'd rather leave this open at the moment, as on my list was a review of the vector-specific threats and maybe then an addition of specific threats.

Aut0R3V commented 3 years ago

Sure, sounds great. I just wanted to know if there's anything I could do.

On Tue, Jan 5, 2021, 14:14 Dirk Wetter notifications@github.com wrote:

I'd rather leave this open at the moment, as on my list was a review of the vector-specific threats and maybe then an addition of specific threats.


drwetter commented 3 years ago

@Aut0R3V: if you want to spend some cycles, you could work on a threat map like the one Timo contributed: https://raw.githubusercontent.com/OWASP/Docker-Security/master/assets/threats.png

First, that should be in an editable format, preferably SVG. Then: it's halfway between the general threats/vectors as I described in the text and specific threats. So it should be either one or the other. ;-)

To give you an idea, I am attaching an SVG I used for a talk a while back which can be used as a starting point.

Threats_v0.1.orange.svg.gz

PS + OT: It seems that for security reasons I needed to gzip the SVG.

Aut0R3V commented 3 years ago

Thanks a lot! I'll get started sometime soon.