[OWASP-Bangalore] Docker Application Pen Testing

N. V. R. K. RAJU nvrkraju4 at gmail.com
Thu Jul 30 16:59:17 UTC 2015


Thank you for correcting my Docker understanding,

I would like to know if there are any vulnerability scanners available or
how can we assess security for each docker container? It is Docker which
makes one single OS with many application packages(containers), I would
like to understand how can we scan or assess each containers? Because, each
container will have different application dependencies and how can we make
sure all containers are safe against known vulnerabililties.

If there are any vulnerability scanners available to do the job? We use
QualysGuard and Nexpose for our vulnerability scanning. Please let me know
if these has features of scanning Docker containers.

Regards,
Raju

On Thu, Jul 30, 2015 at 1:53 AM, Timo Goosen <timo.goosen at owasp.org> wrote:

> Look for misconfigurations.
>
> Docker is just what is used to put the code in. Any persistent storage
> will be in a docker volume on the actual host.
> Also docker is not a vm, its a container.
>
> Some people think docker adds to security. Thats not true.
>
> Regards.
> Timo
>
> On Thu, Jul 30, 2015 at 7:24 AM, N. V. R. K. RAJU <nvrkraju4 at gmail.com>
> wrote:
>
>>
>> Hi All,
>>
>> I am trying to learn security/pen testing applications deployed in Docker.
>>
>> How will a pen test of application deployed in Docker differ from regular
>> web app/ cloud app?
>>
>> What are all the tools available to test Docker deployed app?
>>
>> Should we testing or how should we be testing the application VM for any
>> known vulnerabilities?
>>
>> Please share your experience working with Docker application security.
>>
>>
>> --
>> Regards,
>> Raju
>>
>> _______________________________________________
>> OWASP-Bangalore mailing list
>> OWASP-Bangalore at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-bangalore
>> Twitter : @owaspbangalore
>>
>>
>
> _______________________________________________
> OWASP-Bangalore mailing list
> OWASP-Bangalore at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-bangalore
> Twitter : @owaspbangalore
>
>


-- 
Regards,
Raju
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-bangalore/attachments/20150730/78296244/attachment.html>


More information about the OWASP-Bangalore mailing list