
Other threats (+testing guide) #23

Open
javixeneize opened this issue Sep 21, 2020 · 7 comments

Comments

@javixeneize

Hi

I have some other threats to add to this (good) list

  • Untrusted base images
  • Supply chain poisoning
  • This is not related to docker itself, but it might be good to add Kubernetes issues too (maybe a kubernetes top 10 is too much)

I don't know if those qualify for the top 10, but for sure in a Docker security guide.

Would you be accepting a PR where I add those? I have contributed before to the mobile testing guide and I will be glad to contribute here too :)

@drwetter
Collaborator

drwetter commented Sep 22, 2020

Thanks!

You're right. Partly, however, it is there, in the threat model at least; see https://github.com/OWASP/Docker-Security/blob/master/001%20-%20Threats.md.

The concrete point belongs to D08. This needs to be filled with content, and it was planned in the spring, when I had more time than I have now. Feel free to start with that with what you intended, similar to the scheme of the other points which have content. PRs are appreciated.

For k8s: Sigh, yes. What I had in mind is to at least add something like a remark in the respective points, like "you should use a ~proper network policy", "pod security policy" and "not rely on the IMO defaults". So in a sense mention the weak points but do not go too much into detail.

@Aut0R3V

Aut0R3V commented Jan 5, 2021

Can this issue be closed?

@javixeneize
Author

Hi

I haven't had time to do this, apologies. Yes, close it and at some point I will try to complete it.

@drwetter
Collaborator

drwetter commented Jan 5, 2021

I'd rather leave this open at the moment, as on my list was a review of the vector-specific threats and maybe then an addition of specific threats.

@Aut0R3V

Aut0R3V commented Jan 5, 2021 via email

@drwetter
Collaborator

drwetter commented Jan 5, 2021

@Aut0R3V : if you want to spend some cycles: you could work on a threat map like the one Timo contributed:
https://raw.githubusercontent.com/OWASP/Docker-Security/master/assets/threats.png

First, that should be in an editable format, preferably SVG. Then: It's halfway between the general threats / vectors as I described in the text and specific threats. So either it should be one or the other. ;-)

To give you an idea, I am attaching an SVG I used for a talk a while back, which can be used as a starting point.

Threats_v0.1.orange.svg.gz

PS + OT: Seems for security reasons I needed to gzip the SVG

@Aut0R3V

Aut0R3V commented Jan 5, 2021

Thanks a lot! I'll get started sometime.
