<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Application Container Security Basics in Tech Talk</title>
    <link>https://community.isc2.org/t5/Tech-Talk/Application-Container-Security-Basics/m-p/34680#M2572</link>
    <description>&lt;P&gt;Thank you for the reply. There is a lot to say about supply chain, even just in this context, so that might make for a good deeper dive post. I did have something in there about signing images, I must have removed it during editing, so that needs to be mentioned for sure. Also, I do work with programs that use&amp;nbsp;&lt;SPAN&gt;"private repositories", so that is a thing... maybe discussing/explaining that would make a good deep-dive post too. Thanks again for the feedback!&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Sat, 11 Apr 2020 01:33:31 GMT</pubDate>
    <dc:creator>scanlon</dc:creator>
    <dc:date>2020-04-11T01:33:31Z</dc:date>
    <item>
      <title>Application Container Security Basics</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Application-Container-Security-Basics/m-p/34618#M2561</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am sharing an article I recently wrote for SEI Insights, an online journal/blog from CMU:&lt;/P&gt;&lt;P&gt;&lt;A href="https://insights.sei.cmu.edu/sei_blog/2020/04/7-quick-steps-to-using-containers-securely.html" target="_blank"&gt;https://insights.sei.cmu.edu/sei_blog/2020/04/7-quick-steps-to-using-containers-securely.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It is free of charge to read; we are a non-profit, and I don't get anything from this. So this is not a marketing thing, just sharing.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Anyway, the intended audience was someone just getting into containerization (and not necessarily with a big security budget), so just some basic security things for them to consider. Please share with anyone you think might benefit. Any feedback is welcome, good or bad, especially if you think there are some other obvious things that could be done that aren't mentioned. Also, if there are any container security areas you think warrant a deeper dive, please mention them, as I have been asked to eventually write a follow-on post for more advanced users.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you,&lt;/P&gt;&lt;P&gt;Tom Scanlon, CISSP&lt;/P&gt;&lt;P&gt;Software Engineering Institute&lt;/P&gt;&lt;P&gt;Carnegie Mellon University&lt;/P&gt;</description>
      <pubDate>Thu, 09 Apr 2020 23:54:04 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Application-Container-Security-Basics/m-p/34618#M2561</guid>
      <dc:creator>scanlon</dc:creator>
      <dc:date>2020-04-09T23:54:04Z</dc:date>
    </item>
    <item>
      <title>Re: Application Container Security Basics</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Application-Container-Security-Basics/m-p/34624#M2562</link>
      <description>&lt;P&gt;Nice article for people that still equate the cloud to VMs. Figure 4 shows some promise. You are on the right path. Now, how about saying something about the security of the supply chain? That is where our containers originate. No one uses their own "private repositories". What about signed images? People need to know what to trust. I'll read the references for the details, thank you!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;img src="https://community.isc2.org/t5/image/serverpage/image-id/4000i89AFD96309F66074/image-size/medium?v=v2&amp;amp;px=400" title="containersupplychain.png" alt="Source: Thomas Scanlon" /&gt;&lt;/P&gt;&lt;P&gt;[Image: containersupplychain.png. Source: Thomas Scanlon]&lt;/P&gt;</description>
      <pubDate>Fri, 10 Apr 2020 02:10:04 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Application-Container-Security-Basics/m-p/34624#M2562</guid>
      <dc:creator>AppDefects</dc:creator>
      <dc:date>2020-04-10T02:10:04Z</dc:date>
    </item>
    <item>
      <title>Re: Application Container Security Basics</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Application-Container-Security-Basics/m-p/34680#M2572</link>
      <description>&lt;P&gt;Thank you for the reply. There is a lot to say about supply chain, even just in this context, so that might make for a good deeper dive post. I did have something in there about signing images, I must have removed it during editing, so that needs to be mentioned for sure. Also, I do work with programs that use&amp;nbsp;&lt;SPAN&gt;"private repositories", so that is a thing... maybe discussing/explaining that would make a good deep-dive post too. Thanks again for the feedback!&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Sat, 11 Apr 2020 01:33:31 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Application-Container-Security-Basics/m-p/34680#M2572</guid>
      <dc:creator>scanlon</dc:creator>
      <dc:date>2020-04-11T01:33:31Z</dc:date>
    </item>
  </channel>
</rss>