Managing Container Security

«The cloud-native ecosystem typically has the four C’s of cloud security: cloud, clusters, containers and code. Each layer builds on the next and insecurities at any layer can impact the layers that follow, such as applications deployed on insecure containers.» Csoonline sais.

Scan them with, e.g., Open-source options such as Anchore and Trivvy during or before deployment.

Wiki for Cloud Security

NotSoSecure have made this wiki for cloud security, with tools and methods for how to research and develop knowledge in this topic. I find it quite useful when browsing various cloud security research blogs they refer to, tools and methods. E.g., for AWS a lot of defensive and offensive tools are listed such as ScoutSuite in which I have great experience with.

Threat Modeling Tools

MS Threat modeling tool, Cairis, Iriusrisk, Kenna, OWASP pytm, OWASP threat dragon, threagile are some of the most known threat modeling tools I know.

Personally I like OWASP Threat Dragon for being supported on most common platforms, and because of its flexibility in designing and registering threats. MS Threat modeling tool provides a lot of out-of-the-box threat scenarios with details based on the model designed.

OWASP Threat Dragon
MS Threat modeling