OWASP Docker/Container Top 10



Next talk will be in English.

After a bit of discussion we'll do an experiment: a talk in English by a native German (see below). As a potential future speaker, this shouldn't discourage you from DMing/PMing me if you have a suggestion for a talk. Talks in German are still fine.

Title: "OWASP Docker/Container Top 10"
Speaker: Dirk Wetter
Location: XING. 8th floor
Start: 6:30 pm
Place for networking afterwards: TBD

Docker and containerization in general offer several advantages for developers: They fit better into software development processes. They enable fast, reproducible deployments and, when done properly, the same container can run in either a test or a production environment with a single change. Also, sysadmins are not stopping developers' zest for action.

As far as security is concerned, Docker itself provides several security advantages. However, containerization technology is not as straightforward if you run more than one container. It becomes more complex to handle as the attack surface becomes bigger. A typical mistake is that developers get blinded by the easiness and neglect to see beyond their container, or security features are just not being used.

In addition, marketing is giving you a feeling that without containerization your IT stinks, and is downplaying risk.

So, what now?

To avoid security pitfalls and have a solid security baseline, a proper fundamental approach is needed.

This is the point where the Docker OWASP Top 10 (WIP) chimes in. Using a threat model approach, first the attack surface will be defined and, based on that, 10 bullet points will be presented as controls. They range from important dos and don'ts to advanced controls which can be used to tighten security further.

OWASP Stammtisch in General
Our meeting is about web applications and their (in)security and/or about IT security in general. People come together who care about information security as a hobby or in their job: developers, managers, pentesters and everybody else who's interested. The atmosphere is open and relaxed. If you're coming to sell products or services: move on, this is not the right place. OWASP is about education and sharing (mostly) technical information.
Feel free to forward our meetup information to your colleagues or friends. They are welcome, too. Participation is free and open -- as the O in OWASP.

Cheers, Dirk


(English see below)

Hi there! A few people have asked me whether we could also offer talks in English. After all, even in Hamburg there are said to be professionals who speak English rather than German. So I'd like to try something: if there are enough people who are less proficient in German, feel free to get in touch, and then I can also give my talk on March 27 in English. If you think ~"ugh, how stupid -- in English??", you are of course welcome to get in touch too. Either way, do so here or via PM. I would wait for your feedback until ~the end of next week, and then the invitation will follow.

Hello there. I was asked by a couple of people whether we also offer talks in English. Sometimes we do, but then mostly by foreign speakers. So, here comes an experiment. I am willing to hold my talk about the OWASP Docker Top 10 on March 27th in English if you raise your hand here and say "oh, yes" (below or via DM). To be fair, in the German part above I also invited people who would rather refrain from coming to speak up. So please let me know what you think by the ~end of next week. Then comes the official invitation.