Test and Verification -> Static depth for infrastructure: Check for malware

Risk and Opportunity

Risk: A third-party component might include malware, either because the maintainer unknowingly used the wrong component (e.g. typosquatting of an image name leading to the wrong image being pulled) or because an attacker with stolen credentials published it on the maintainer's behalf.
Opportunity: Check for malware in components (e.g. container images, VM baseline images, libraries).

Exploit details

Usefulness: Medium
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Low

Additional Information

OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping: