
Other threats (+testing guide)

Open javixeneize opened this issue 5 years ago • 7 comments

Hi

I have some other threats to add to this (good) list

  • Untrusted base images
  • Supply chain poisoning
  • This is not related to docker itself, but it might be good to add Kubernetes issues too (maybe a kubernetes top 10 is too much)

I don't know if those qualify for the top 10, but for sure in a Docker security guide.

Would you be accepting a PR where I add those? I have contributed before to the mobile testing guide and I will be glad to contribute here too :)

javixeneize avatar Sep 21 '20 10:09 javixeneize
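A check that follows from the "untrusted base images" item above, added here as an example and not part of the issue or the OWASP project: it scans a Dockerfile's FROM lines and reports every base image that is not pinned by a sha256 digest, since a bare name, `:latest`, or even a version tag can be re-pointed upstream, whereas a digest is content-addressed. The sample Dockerfile and the registry name are constructed for the demo.

```python
import re
from typing import Dict, List, Set

# Constructed sample Dockerfile for the demo (not from any real project).
SAMPLE_DOCKERFILE = """\
FROM python:latest AS build
RUN pip install --no-cache-dir requests
FROM build AS tests
FROM debian
COPY --from=build /app /app
FROM nginx:1.25
FROM registry.example.com/team/base:1.4@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def audit_base_images(dockerfile: str) -> List[Dict[str, object]]:
    """Return one finding per FROM line whose base image is not digest-pinned."""
    findings: List[Dict[str, object]] = []
    stage_aliases: Set[str] = set()
    for lineno, line in enumerate(dockerfile.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group("ref"), m.group("alias")
        # "FROM <stage>" reuses an earlier build stage, and "scratch" is empty:
        # neither pulls anything from a registry, so nothing to audit.
        if ref.lower() in stage_aliases or ref.lower() == "scratch":
            if alias:
                stage_aliases.add(alias.lower())
            continue
        if alias:
            stage_aliases.add(alias.lower())
        if DIGEST_RE.search(ref):
            continue  # content-addressed: the build gets exactly this image
        # The tag is whatever follows the last ':' after the last '/'
        # (so a registry port such as host:5000/img is not mistaken for a tag).
        name_part = ref.rsplit("/", 1)[-1]
        tag = name_part.split(":", 1)[1] if ":" in name_part else None
        reason = "no tag or :latest" if tag in (None, "latest") else "version tag without digest"
        findings.append({"line": lineno, "image": ref, "reason": reason})
    return findings
```

Running `audit_base_images(SAMPLE_DOCKERFILE)` flags lines 1, 4 and 6 and accepts the digest-pinned image on line 7; the same function can be pointed at any Dockerfile text in CI to block unpinned bases before an image is built.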

Thanks!

You're right. Partly, however, it is there, in the threat model at least; see https://github.com/OWASP/Docker-Security/blob/master/001%20-%20Threats.md.

The concrete point belongs to D08. This needs to be filled with content, and it was planned in the spring, when I had more time than I have now. Feel free to start with that with what you intended, similar to the scheme of the other points which have content. PRs are appreciated.

For k8s: Sigh, yes. What I had in mind is to at least add something like a remark in the respective points, like "you should use a ~proper network policy", "pod security policy" and "not rely on the IMO defaults". So in a sense mention the weak points but do not go too much into detail.

drwetter avatar Sep 22 '20 15:09 drwetter

Can this issue be closed?

Aut0R3V avatar Jan 05 '21 06:01 Aut0R3V

Hi

I haven't had time to do this, apologies. Yes, close it and at some point I will try to complete it.

javixeneize avatar Jan 05 '21 08:01 javixeneize

I'd rather leave this open at the moment, as on my list was a review of the vector-specific threats and maybe then an addition of specific threats.

drwetter avatar Jan 05 '21 08:01 drwetter

Sure, sounds great. I just wanted to know if there's anything I could do.

Aut0R3V avatar Jan 05 '21 09:01 Aut0R3V

@Aut0R3V : if you want to spend some cycles: you could work on a threat map like the one Timo contributed: https://raw.githubusercontent.com/OWASP/Docker-Security/master/assets/threats.png

First, that should be in an editable format, preferably SVG. Then: it's halfway between the general threats / vectors as I described in the text and specific threats. So either it should be one or the other. ;-)

To give you an idea, I am attaching an SVG I used for a talk a while back, which can be used as a starting point:

Threats_v0.1.orange.svg.gz

PS + OT: It seems that for security reasons I needed to gzip the SVG.

drwetter avatar Jan 05 '21 09:01 drwetter

Thanks a lot! I'll get started sometime.

Aut0R3V avatar Jan 05 '21 09:01 Aut0R3V