draft for the intro section of D06 [WIP] #38
Conversation
This looks great. @drwetter can you give me a brief idea on what you're expecting for the "How Do I Prevent" section? Maybe I can put in some work there
I think it is smarter to start with other sections like 'Threat scenarios' and 'How can I find out?'. 'How do I prevent' is then the result of both. Abusing ENV is a typical point. Bad examples for this and others are helpful.
Sure thanks
Hi, can we merge pull requests on a regular basis? This way other people could collaborate on building the same document without too many conflicts. By the way, I've found these to be sources of secrets leakage: The last one's threat is when an attacker has access to stopped containers in the host, for instance in shared CI systems
@kamadorueda : This PR is still open because it is not yet complete. Yes, passing by env is a common mistake.
@drwetter I just wanted to help writing a few sections
Indeed. And, in fact, I wrote in the Node.js version of the secure docker image building how to use secrets to properly pass secrets to images: https://cheatsheetseries.owasp.org/cheatsheets/NodeJS_Docker_Cheat_Sheet.html
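The thread's recurring point is secrets passed through `ENV` (or `ARG`), which end up in image layers and in the image config that `docker inspect` and `docker history` show to anyone who can pull or read the image, including from stopped containers on a shared CI host. The following is an added example, not code from the OWASP Docker Top 10 project or from any commenter: a small detector that parses a Dockerfile and a `docker inspect`-style config and flags ENV/ARG entries whose key name or value looks like a credential. The Dockerfile and inspect output are constructed samples; the key and value patterns are a heuristic, not an exhaustive list.

```python
"""Flag secrets passed through ENV/ARG in a Dockerfile and in an image config.
Added example for the OWASP Docker Top 10 D06 discussion; not project code.
The sample Dockerfile and inspect JSON below are constructed for illustration."""
import json
import re

# Key names that usually carry credentials (heuristic, not exhaustive).
SECRET_KEY_RE = re.compile(
    r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|ACCESS_?KEY|PRIVATE_?KEY|CREDENTIAL)",
    re.I,
)
# Values that look like a credential even when the key name is bland:
# GitHub PAT prefix, AWS access key id prefix, PEM private key header.
SECRET_VALUE_RE = re.compile(
    r"^(ghp_[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----)"
)


def parse_dockerfile(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash-continued lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        instr, _, arg = buf.partition(" ")
        yield instr.upper(), arg.strip()
        buf = ""


def split_env(arg):
    """Split 'A=1 B=2' (quoted values allowed) or legacy 'A 1' into pairs."""
    if "=" not in arg:
        key, _, value = arg.partition(" ")
        return [(key, value.strip())]
    return [
        (key, value.strip("\"'"))
        for key, value in re.findall(r'(\w+)=("[^"]*"|\'[^\']*\'|\S*)', arg)
    ]


def find_env_secrets(dockerfile_text):
    """Return [(instruction, key)] for ENV/ARG entries that look like secrets.
    ARG is flagged as well: build args are recorded in `docker history`."""
    hits = []
    for instr, arg in parse_dockerfile(dockerfile_text):
        if instr not in ("ENV", "ARG"):
            continue
        for key, value in split_env(arg):
            if SECRET_KEY_RE.search(key) or SECRET_VALUE_RE.match(value):
                hits.append((instr, key))
    return hits


def find_image_env_secrets(inspect_json):
    """Same check over `docker inspect <image>` output: Config.Env per image."""
    hits = []
    for image in json.loads(inspect_json):
        for entry in image.get("Config", {}).get("Env", []):
            key, _, value = entry.partition("=")
            if SECRET_KEY_RE.search(key) or SECRET_VALUE_RE.match(value):
                hits.append(key)
    return hits


# Constructed sample: two leaks (ARG NPM_TOKEN, ENV DB_PASSWORD) next to the
# BuildKit secret mount, which exposes the file to one RUN step only and
# leaves nothing in the layer or the image config.
SAMPLE_DOCKERFILE = """\
FROM node:18-alpine
ARG NPM_TOKEN
ENV NODE_ENV=production \\
    DB_PASSWORD="hunter2"
# Safer: secret is mounted for this step only, never baked into a layer
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci
"""

# Constructed `docker inspect` excerpt; the AKIA... value is a fake key id.
SAMPLE_INSPECT = json.dumps([{
    "Id": "sha256:constructed-example",
    "Config": {"Env": [
        "PATH=/usr/local/bin:/usr/bin",
        "AWS_ACCESS_KEY_ID=AKIACONSTRUCTEDEXAMPLE",
        "NODE_ENV=production",
    ]},
}])

if __name__ == "__main__":
    print("Dockerfile:", find_env_secrets(SAMPLE_DOCKERFILE))
    print("Image config:", find_image_env_secrets(SAMPLE_INSPECT))
```

On a real host, feed `find_image_env_secrets` the output of `docker inspect` for every image present (stopped containers included, since their image config is still readable), and run `find_env_secrets` over Dockerfiles in CI before the image is built; both checks are the "How can I find out?" half that the thread says should come before "How do I prevent".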
Thanks! GitHub works with PRs as you probably know. :-) If you want something to be added which would be appreciated, please submit a PR. I clarified the structure of the ten points in the contribution guidelines and in the introduction which hopefully clarifies what it should look like. For this specific point it should work if your PR is against the d06_intro branch. Otherwise I can open a dev branch and let things mature there. Let me know how we can work on this. @lirantal : I got a 404.
Okay thanks. Basically one has to go through this and add commits hereto (by "hereto" I don't mean necessarily D06 only. A helping hand for the broader scope would be great. In general, what I would suggest is that I either create a dev branch into which all commits which have a development status can be merged. Alternatively I create separate dev branches for each open Dxx item. Both would ease progress.) Please let me know what you think.