[Owasp-leaders] Release of the "Container Security Verification Standard"

Rory McCune rory.mccune at owasp.org
Thu Sep 27 16:28:48 UTC 2018


Hi All,

It'd be interesting to see a container-focused Top 10, although whether you
want to make it specific to a container runtime product (e.g. Docker) or an
orchestration system product (e.g. Kubernetes), or instead do something more
generic (e.g. container runtime or container orchestration as a Top 10
target), is something that's probably worth considering. There are quite a
few containerization systems that replace bits of the "traditional" Docker
stack (e.g. gVisor, Kata Containers, CRI-O, containerd) and also other
(although less popular) orchestration systems (e.g. HashiCorp Nomad, Docker
Swarm).

In terms of "prior art" which could be useful to draw on, there are obviously
the Kubernetes and Docker CIS Standards. The K8s one is pretty up to date
(we've got a new version hopefully out this week) but the Docker one is a
little behind the times and more in need of updating (as an aside, anyone
interested can easily sign up on the CIS WorkBench :) )

The only thing I would say is that a containerization project seems a
somewhat marginal fit for OWASP as an organization? Whilst obviously
containers are used in the deployment of many web applications these days, a
lot of entirely unrelated tech is also deployed that way...

If there is a Top 10 at either the runtime or the orchestration level, I'd be
happy to chip in, as container security has been a lot of my focus for the
last couple of years.

Cheers

Rory

On Wed, Sep 26, 2018 at 1:43 PM Dirk Wetter <dirk at owasp.org> wrote:

>
> Hi,
>
> based on my talks in London and Brussels I wanted to start
> something similar, see https://www.owasp.org/index.php/OWASP_Docker_Top_10
>
> See
> https://www.owasp.org/images/1/17/Dirk_Wetter_-_Docker_Security_Brussels.pdf
>
>
> Cheers, Dirk
>
>
> On 9/26/18 7:18 AM, Kim Carter wrote:
> > Good work Sven
> >
> > There is also the book "Docker Security - Quick Reference" that I wrote:
> > (https://binarymist.io/publication/docker-security/)
> >
> > along with a blog post on a few parts of the book
> > (https://binarymist.io/blog/2018/03/31/docker-security/)
> >
> > and also a podcast I recorded with Docker Security Team Lead Diogo Monica
> > (https://binarymist.io/publication/ser-podcast-docker-security/)
> >
> > Enjoy!
> >
> >
> > Kim Carter
> >
> > OWASP New Zealand Chapter Leader (Christchurch)
> >
> > Author of *Holistic Info-Sec for Web Developers* <http://www.holisticinfosecforwebdevelopers.com>
> >
> > c: +64 274 622 607
> >
> > On 26/09/18 11:19, Bil Corry wrote:
> >> Hi Sven,
> >>
> >> Container security isn't my area of expertise, but wanted to say thanks
> for putting this
> >> together!
> >>
> >> - Bil
> >>
> >>
> >> On Tue, Sep 25, 2018 at 6:29 AM sven vetsch <sven.vetsch at owasp.org> wrote:
> >>
> >>     Hi Leaders
> >>
> >>     My company has just released an open "Container Security Verification Standard" (CSVS)
> >>     which we tried to keep as close as possible to the current development of the OWASP ASVS
> >>     v4.0. As we plan to hand over the full standard to OWASP for it to become an OWASP
> >>     project once it reaches a certain stability, it would be great to have some OWASP people
> >>     who already deal with container technologies take a first look at it and provide feedback.
> >>
> >>     The CSVS in a v0.1 draft version can be found at https://github.com/redguard/csvs
> >>     (download PDF/docx at https://github.com/Redguard/csvs/releases/tag/v0.1)
> >>
> >>
> >>     Thanks for your support
> >>     Sven - OWASP Switzerland Co-Leader
> >>
> >>     _______________________________________________
> >>     OWASP-Leaders mailing list
> >>     OWASP-Leaders at lists.owasp.org
> >>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>
> >>
> >>
> >
> >
> >
>
> --
> OWASP Volunteer
> Send me encrypted mails (Key ID 0xD0A74569)
> @drwetter
>
>