OWASP / Docker-Security

Getting a handle on container security
https://owasp.org/www-project-docker-top-10/

draft for the intro section of D06 [WIP] #38

Open drwetter opened 3 years ago

Aut0R3V commented 3 years ago

This looks great. @drwetter can you give me a brief idea on what you're expecting for the "How Do I Prevent" section? Maybe I can put in some work there

drwetter commented 3 years ago

> This looks great. @drwetter can you give me a brief idea on what you're expecting for the "How Do I Prevent" section? Maybe I can put in some work there

I think it is smarter to start with other sections like 'Threat scenarios' and ' How can I find out?'. 'How do I prevent' is then the result of both.

Abusing ENV is a typical point. Bad examples for this and others are helpful.

Aut0R3V commented 3 years ago

> This looks great. @drwetter can you give me a brief idea on what you're expecting for the "How Do I Prevent" section? Maybe I can put in some work there
>
> I think it is smarter to start with other sections like 'Threat scenarios' and ' How can I find out?'. 'How do I prevent' is then the result of both.
>
> Abusing ENV is a typical point. Bad examples for this and others are helpful.

Sure thanks

kamadorueda commented 3 years ago

Hi, can we merge pull requests on a regular basis? This way other people could collaborate on building the same document without too many conflicts

By the way, I've found these to be sources of secrets leakage:

[image attachment: list of sources of secrets leakage]

The last one's threat is when an attacker has access to stopped containers in the host, for instance in shared CI systems

drwetter commented 3 years ago

@kamadorueda : This PR is still open because it is not yet complete.

Yes, passing by env is a common mistake.

kamadorueda commented 3 years ago

@drwetter I just wanted to help writing a few sections

lirantal commented 3 years ago

Indeed. And, in fact, I wrote in the Node.js version of the secure docker image building how to use secrets to properly pass secrets to images: https://cheatsheetseries.owasp.org/cheatsheets/NodeJS_Docker_Cheat_Sheet.html
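As an added illustration of the mistake drwetter and kamadorueda describe (secrets passed through ENV/ARG, which end up in image metadata and in `docker history`), and of the BuildKit secret mount that the Node.js cheat sheet recommends instead, the following script is example code written for this thread, not part of this PR or of the project. It scans a Dockerfile for the "bad" pattern and leaves `RUN --mount=type=secret` lines alone. The Dockerfile text, variable names and token values embedded below are constructed placeholders, and the list of secret-looking names is a heuristic, not an exhaustive catalogue.

```python
import re

# Constructed sample Dockerfile (not from the project). Lines 3, 4 and 6 show the
# mistake discussed in the thread: an ARG/ENV value is stored in the image config
# and the RUN command that expands it is recorded in `docker history`. Line 7
# shows the BuildKit alternative: the secret is mounted only for that RUN step
# and never written into a layer.
SAMPLE_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM node:18-alpine
ARG NPM_TOKEN=constructed-placeholder-token
ENV API_KEY=constructed-placeholder-key
ENV NODE_ENV=production
RUN echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc && npm ci
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci
"""

# Variable names that usually carry credentials (heuristic, case-insensitive).
SECRET_NAME = re.compile(
    r"(secret|token|passw(or)?d|api_?key|private_?key|credential)", re.I
)

# Shell-style variable references such as $NPM_TOKEN or ${NPM_TOKEN}.
VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def find_secret_leaks(dockerfile: str) -> list:
    """Return one finding per Dockerfile line that bakes a secret-looking value
    into the image: ENV/ARG with a credential-like key, or a RUN line that
    expands such a variable without using a BuildKit secret mount."""
    findings = []
    for lineno, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        instr = instr.upper()

        if instr in ("ENV", "ARG"):
            # `ENV KEY=value` or `ENV KEY value`; ARG defaults persist in metadata too.
            key = re.split(r"[ =]", rest, maxsplit=1)[0]
            if SECRET_NAME.search(key):
                findings.append({
                    "line": lineno, "instr": instr, "key": key,
                    "reason": f"{instr} value is stored in the image config "
                              f"and visible via `docker history` / `docker inspect`",
                })
        elif instr == "RUN":
            if "--mount=type=secret" in rest:
                continue  # secret mount: value is not persisted in any layer
            for name in VAR_REF.findall(rest):
                if SECRET_NAME.search(name):
                    findings.append({
                        "line": lineno, "instr": instr, "key": name,
                        "reason": "RUN expands a secret-looking variable; the "
                                  "command and ARG values are recorded in `docker history`",
                    })
                    break
    return findings


if __name__ == "__main__":
    for f in find_secret_leaks(SAMPLE_DOCKERFILE):
        print(f"line {f['line']}: {f['instr']} {f['key']} - {f['reason']}")
```

Running it against the embedded sample reports the ARG on line 3, the ENV on line 4 and the RUN on line 6, while the `--mount=type=secret` line passes. The same check fits the "How can I find out?" section of the D06 page, since it is a static inspection of the Dockerfile rather than of a running container.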

drwetter commented 3 years ago

Thanks!

Github works with PRs as you probably know. :-) If you want something to be added which would be appreciated, please submit a PR. I clarified the structure of the ten points in the contribution guidelines and in the introduction which hopefully clarifies what it should look like.

For this specific point it should work if your PR is against the d06_intro branch. Otherwise I can open a dev branch and let things mature there. Let me know how we can work on this

@lirantal : I got a 404.

lirantal commented 3 years ago

@drwetter here it is: https://cheatsheetseries.owasp.org/cheatsheets/NodeJS_Docker_Cheat_Sheet.html

drwetter commented 3 years ago

Okay thanks. Basically one has to go through this and add commits hereto (by "hereto" I don't mean necessarily D06 only. A helping hand for the broader scope would be great.)

In general what I would suggest is that I either create a dev branch into which all commits which have a development status can be merged. Alternatively I create separate dev branches for each open Dxx item. Both would ease progress.

Pls let me know what you think.