-
OWASP#1 Insecure Workload Configurations
- Trivy checks - KSV001, KSV014, KSV017
-
OWASP#2 Supply Chain Vulnerabilities
- Manual - Image Integrity
- Manual - SBOM
- Manual - Image Signing
- Manual - Image Composition
- Trivy image scan - Known Software Vulnerabilities
-
OWASP#3 Overly Permissive RBAC Configurations
-
OWASP#4 - Lack of Centralized Policy Enforcement
- Manual - Pod Security Admission Controller
- Trivy checks - https://github.com/aquasecurity/defsec/tree/master/internal/rules/kubernetes/policies/pss
-
OWSAP#5 - Inadequate Logging and Monitoring
- Trivy checks - AVD-KCV-0019, KCV0020 and others
- Manual - logging and monitoring
-
OWASP#6 Broken Authentication Mechanisms
- Manual - Avoid using certificates for end-user authentication
- Manual - Never roll your own authentication
- Manual - Enforce MFA when possible
- Manual - Authenticate users and external services using short-lived tokens
- Trivy check - KCV0002 - Don’t use Service Account tokens from outside of the cluster
-
OWASP#7 Missing Network Segmentation Controls
- NetworkPolicies - Trivy checks - KSV038 and KSV056
-
OWASP#8 Secrets Management Failures
- Trivy Secret Scanning https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/
-
OWASP#9 Misconfigured Cluster Components
- Trivy misconfiguration scan
- KCV0003
-
OWASP#10 Outdated and Vulnerable Kubernetes Components
- Manual or Cloud provider dependent
Created
September 13, 2022 10:10
-
-
Save nilesh-akhade/8b96effb51329289ed365b511339434a to your computer and use it in GitHub Desktop.
Attempt to map OWASP Top10 security risks with Aqua's Trivy Scanner
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment