Is reducing the webserver stack from Caddy, NGINX and PHP-FPM to only Caddy and PHP-FPM a reduction in layered-security?

I have a situation where a webserver behind a network firewall is run inside Docker containers. It is set up in this order:

Caddy webserver – acts as WAF, GEOIP block, IP blacklist, HTTP Security Headers modifications, TLS termination, …

Why are the unsafe challenges in OWASP Juice Shop a security risk in containerized environments? [duplicate]

OWASP Juice Shop is a popular tool for web security training, demos and learning. I am using the provided docker container and hosting it in a dedicated computer. However, there are certain challenges that are disabled in containerized env…

What is the difference between enhanced container isolation projects like runq, Kata Containers, Firecracker and gVisor?

I’m diving into different solutions to use (virtual machine based) isolation for containers. I found these promising projects: runq, Kata Containers, Firecracker and gVisor. I think that runq, Kata Containers and Firecracker are in essence…

Does it matter (and go widely unnoticed) that GitLab CI+docker-executor produces world-writable files, or do "we" need to raise awareness for that?

I have a vague feeling that there is a widespread security problem which goes unnoticed. I’m trying to find out how to check the level of relevance and awareness out there or how to maybe raise it.
Situation:
When using GitLab CI with the…

Should I house my organization’s root CA certificate in a public GitHub repository?

We have a public repository of software that uses a Docker container. Anything that runs within the organization sees certificates signed by our org’s root CA. For the container to run properly within our org, the root CA certificate need…

DockerSpy: Search for images on Docker Hub, extract sensitive information

DockerSpy scans Docker Hub for images and retrieves sensitive information, including authentication secrets, private keys, and other confidential data. “DockerSpy was created to address the growing concern of sensitive data leaks within Docker im…

Are libc security vulnerabilities in a Python web application actually exploitable in a private cloud environment?

We use a Python web framework and the gunicorn library on top of Docker to power a web application with a frontend in a private cloud that can be accessed by a private network. Our security tools report many libc vulnerabilities for the Debian-…