Other threats (+testing guide) #23
Comments
Thanks! You're right. Partly, however, it is there, in the threat model at least; see https://github.com/OWASP/Docker-Security/blob/master/001%20-%20Threats.md. The concrete point belongs to D08. This needs to be filled with content, and it was planned in the spring, when I had more time than I have now. Feel free to start with that, with what you intended, similar to the scheme of the other points which have content. PRs are appreciated. For k8s: Sigh, yes. What I had in mind is at least to add something like a remark in the respective points, like "you should use a ~proper network policy", "pod security policy" and "not rely on the IMO defaults". So in a sense mention the weak points but do not go too much into detail.
Can this issue be closed?
Hi, I haven't had time to do this, apologies. Yes, close it and at some point I will try to complete it.
I'd rather leave this open at the moment, as on my list was a review of the vector-specific threats and maybe then an addition of specific threats.
Sure, sounds great. I just wanted to know if there's anything I could do.
On Tue, Jan 5, 2021, 14:14 Dirk Wetter wrote:
> I'd rather leave this open at the moment as I on my list was a review of the vector specific threats and maybe then an addition of specific threats.
@Aut0R3V: if you want to spend some cycles, you could work on a threat map like the one Timo contributed. First, that should be in an editable format, preferably SVG. Then: it's halfway between the general threats / vectors as I described in the text and specific threats. So either it should be one or the other. ;-) To give you an idea I am attaching an SVG I used for a talk a while back which can be used as a starting point. PS + OT: Seems for security reasons I needed to gzip the SVG.
Thanks a lot! I'll get started in some time.
Hi
I have some other threats to add to this (good) list
I don't know if those qualify for the top 10, but for sure in a Docker security guide.
Would you be accepting a PR where I add those? I have contributed before to the mobile testing guide and I will be glad to contribute here too :)