
draft for the intro section of D06 [WIP]

Open drwetter opened this issue 5 years ago • 10 comments

drwetter avatar Jan 02 '21 13:01 drwetter

This looks great. @drwetter can you give me a brief idea on what you're expecting for the "How Do I Prevent" section? Maybe I can put in some work there

Aut0R3V avatar Jan 02 '21 14:01 Aut0R3V

> This looks great. @drwetter can you give me a brief idea on what you're expecting for the "How Do I Prevent" section? Maybe I can put in some work there

I think it is smarter to start with other sections like 'Threat scenarios' and 'How can I find out?'. 'How do I prevent' is then the result of both.

Abusing ENV is a typical point. Bad examples for this and others are helpful.

drwetter avatar Jan 04 '21 09:01 drwetter

> > This looks great. @drwetter can you give me a brief idea on what you're expecting for the "How Do I Prevent" section? Maybe I can put in some work there
>
> I think it is smarter to start with other sections like 'Threat scenarios' and 'How can I find out?'. 'How do I prevent' is then the result of both.
>
> Abusing ENV is a typical point. Bad examples for this and others are helpful.

Sure, thanks.

Aut0R3V avatar Jan 04 '21 17:01 Aut0R3V

Hi, can we merge pull requests on a regular basis? This way other people could collaborate on building the same document without too many conflicts.

By the way, I've found these to be sources of secrets leakage:

[image]

The last one's threat is when an attacker has access to stopped containers on the host, for instance in shared CI systems.

kamadorueda avatar May 24 '21 20:05 kamadorueda

@kamadorueda: This PR is still open because it is not yet complete.

Yes, passing by env is a common mistake.

drwetter avatar May 24 '21 22:05 drwetter

@drwetter I just wanted to help writing a few sections

kamadorueda avatar May 25 '21 01:05 kamadorueda

Indeed. And, in fact, I wrote in the Node.js version of the secure Docker image building how to use secrets to properly pass secrets to images: https://cheatsheetseries.owasp.org/cheatsheets/NodeJS_Docker_Cheat_Sheet.html

lirantal avatar May 25 '21 06:05 lirantal
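The mistake drwetter and kamadorueda refer to above (a secret passed as `ARG`/`ENV`, which stays visible in `docker history --no-trunc` and in `Config.Env` of every container created from the image, stopped ones included) next to the BuildKit secret mount that lirantal's cheat sheet describes, plus two small checks that could feed a 'How can I find out?' section. This is an added example, not text from the D06 draft, from the OWASP project or from the cheat sheet; the two Dockerfiles, the container env listing and the credential-name pattern are constructed for illustration, and Docker itself is only invoked in the comments.

```shell
#!/bin/sh
# Added example for the D06 discussion (not project code). Everything below runs
# offline; the docker invocations are shown in comments only.

# 1) Anti-pattern (constructed): the registry token travels through ARG/ENV.
#    Both survive the build: the ARG value shows up in
#    `docker history --no-trunc IMAGE`, the ENV values additionally in
#    `docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}' CONTAINER`
#    for every container built from the image, also after `docker stop`.
BAD_DOCKERFILE='FROM node:18-alpine
ARG NPM_TOKEN
ENV NPM_TOKEN=$NPM_TOKEN
ENV DB_PASSWORD=hunter2
COPY package*.json ./
RUN echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc && npm ci
COPY . .
CMD ["node", "server.js"]'

# 2) Corrected (constructed): a BuildKit secret mount. The file is visible only
#    inside that single RUN step and is written to no layer and no Config.Env.
#    Build with: DOCKER_BUILDKIT=1 docker build --secret id=npmrc,src=$HOME/.npmrc .
GOOD_DOCKERFILE='# syntax=docker/dockerfile:1
FROM node:18-alpine
COPY package*.json ./
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci
COPY . .
CMD ["node", "server.js"]'

# Variable-name fragments that usually denote a credential (assumption; tune per project).
SECRET_KEY_RE='(TOKEN|PASSWORD|PASSWD|SECRET|API_KEY|PRIVATE_KEY|CREDENTIAL)'

# Check A: static scan of a Dockerfile (passed as a string) for ENV/ARG lines
# that declare a credential-looking variable. Prints "line:text" per hit;
# exit status is grep's (0 = something found, 1 = clean).
find_dockerfile_env_secrets() {
  printf '%s\n' "$1" \
    | grep -Ein "^[[:space:]]*(ENV|ARG)[[:space:]]+[A-Za-z0-9_]*${SECRET_KEY_RE}"
}

# Check B: scan a KEY=value listing on stdin (the output of `docker inspect`
# over Config.Env, or the CreatedBy column of `docker history --no-trunc`)
# for credential-looking variables. Values are masked so the check itself
# does not re-leak the secret into CI logs.
find_env_secrets() {
  grep -Eio "[A-Za-z0-9_]*${SECRET_KEY_RE}=[^[:space:]]+" \
    | sed -E 's/=.*/=<redacted>/'
}

# Constructed stand-in for what `docker inspect` prints for a container
# started from the bad image above.
CONSTRUCTED_CONTAINER_ENV='PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/bin
NODE_VERSION=18.17.1
NPM_TOKEN=npm_ExampleTokenDoNotUse
DB_PASSWORD=hunter2'

# Real-world sweep over every container on the host, stopped ones included
# (requires Docker; not executed here):
#   docker ps -aq | while read -r c; do
#     docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}' "$c" \
#       | find_env_secrets | sed "s/^/$c: /"
#   done

echo "== ENV/ARG credentials declared in the bad Dockerfile =="
find_dockerfile_env_secrets "$BAD_DOCKERFILE"
echo "== same scan on the corrected Dockerfile (expected: nothing) =="
find_dockerfile_env_secrets "$GOOD_DOCKERFILE" || true
echo "== credentials in the constructed container environment =="
printf '%s\n' "$CONSTRUCTED_CONTAINER_ENV" | find_env_secrets
```

Check A belongs in a pre-commit or CI lint step; check B is the runtime counterpart and is what an attacker with access to a shared CI host would run against the leftover containers, so running it yourself first is the point.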

Thanks!

GitHub works with PRs as you probably know. :-) If you want something to be added, which would be appreciated, please submit a PR. I clarified the structure of the ten points in the contribution guidelines and in the introduction, which hopefully clarifies what it should look like.

For this specific point it should work if your PR is against the d06_intro branch. Otherwise I can open a dev branch and let things mature there. Let me know how we can work on this.

@lirantal: I got a 404.

drwetter avatar May 25 '21 09:05 drwetter

@drwetter here it is: https://cheatsheetseries.owasp.org/cheatsheets/NodeJS_Docker_Cheat_Sheet.html

lirantal avatar May 25 '21 11:05 lirantal

Okay, thanks. Basically one has to go through this and add commits hereto (by "hereto" I don't necessarily mean D06 only; a helping hand for the broader scope would be great).

In general, what I would suggest is that I either create a dev branch into which all commits with a development status can be merged, or, alternatively, that I create separate dev branches for each open Dxx item. Both would ease progress.

Please let me know what you think.

drwetter avatar Jun 03 '21 16:06 drwetter