You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: data/BuildandDeployment.yml
+6-4Lines changed: 6 additions & 4 deletions
Original file line number
Diff line number
Diff line change
@@ -237,17 +237,17 @@ Patch Management:
237
237
usefulness: 3
238
238
level: 2
239
239
samm2: o-environment-management|B|1
240
-
Usage of a maximum life for containers:
241
-
risk: Vulnerabilities in running containers stay for too long and might get exploited.
242
-
measure: The periodically builded images are deployed minimum every 30 days (better hourly/daily/weekly). Meaning a container does not lives longer than 30 days.
240
+
Usage of a maximum lifetime (age) for images:
241
+
risk: Vulnerabilities in images of running containers stay for too long and might get exploited.
242
+
measure: The periodically builded images are deployed minimum every 30 days (better hourly/daily/weekly). Meaning an image is not in production for longer than 30 days.
243
243
difficultyOfImplementation:
244
244
knowledge: 3
245
245
time: 4
246
246
resources: 2
247
247
usefulness: 3
248
248
level: 3
249
249
samm2: o-environment-management|B|1
250
-
Usage of a short maximum life for containers:
250
+
Usage of a short maximum lifetime for images:
251
251
risk: Vulnerabilities in running containers stay for too long and might get exploited.
252
252
measure: The nightly builded images are deployed minimum every 1 day.
253
253
difficultyOfImplementation:
@@ -257,6 +257,8 @@ Patch Management:
257
257
usefulness: 3
258
258
level: 4
259
259
samm2: o-environment-management|B|1
260
+
implementation:
261
+
- "Sample concept:<br/>(1) each container has a set lifetime and is killed / replaced with a new container multiple times a day where you have some form of a graceful replacement to ensure no (short) service outage will occur to the end users.<br/>(2) twice a day a rebuild of images is done. The rebuilds are put into a automated testing pipeline. If the testing has no blocking issues the new images will be released for deployment during the next "restart" of a container. What has to be done, is to ensure the new containers are deployed in some canary deployment manner, this will ensure that if (and only if) something buggy has been introduced which breaks functionality the canary deployment will make sure the "older version" is being used and not the buggy newer one."
260
262
Reduction of the attack surface:
261
263
risk: Dependencies might have Vulnerabilities, but the component or dependency is not needed.
262
264
measure: Removal of not needed components or dependencies.
0 commit comments