Open javixeneize opened 4 years ago
Thanks!
You're right. Partly, however, it is there, in the threat model at least; see https://github.com/OWASP/Docker-Security/blob/master/001%20-%20Threats.md.
The concrete point belongs to D08. This needs to be filled with content and it was planned in the spring, when I had more time than I have now. Feel free to start with that, with what you intended, similar to the scheme of the other points which have content. PRs are appreciated.
For k8s: Sigh, yes. What I had in mind is at least add something like a remark in the respective points, like "you should use a ~proper network policy", "pod security policy" and "not rely on the IMO defaults". So in a sense mention the weak points but do not go too much in detail.
Can this issue be closed?
Hi
I haven't had time to do this, apologies. Yes, close it and at some point I will try to complete it.
I'd rather leave this open at the moment, as on my list was a review of the vector-specific threats and maybe then an addition of specific threats.
Sure, sounds great. I just wanted to know if there's anything I could do.
On Tue, Jan 5, 2021, 14:14 Dirk Wetter notifications@github.com wrote:
I'd rather leave this open at the moment, as on my list was a review of the vector-specific threats and maybe then an addition of specific threats.
@Aut0R3V : if you want to spend some cycles: you could work on a threat map like the one Timo contributed: https://raw.githubusercontent.com/OWASP/Docker-Security/master/assets/threats.png
First, that should be in an editable format, preferably SVG. Then: it's halfway between the general threats / vectors as I described in the text and specific threats. So it should be either one or the other. ;-)
To give you an idea, I am attaching an SVG I used for a talk a while back, which can be used as a starting point.
PS + OT: Seems for security reasons I needed to gzip the SVG.
Thanks a lot! I'll get started in some time.
Hi
I have some other threats to add to this (good) list.
I don't know if those qualify for the top 10, but for sure in a Docker security guide.
Would you be accepting a PR where I add those? I have contributed before to the mobile testing guide and I will be glad to contribute here too :)