Container Security
“Let’s move to containers” promised engineering simplicity, security, and easy scaling … but there was a catch. 🙊
The simplicity and security gains were only true if containers were used as intended. It turns out containers are really an entirely new system that replaced the equally complex old one, with different tradeoffs to consider as we build new systems. That’s not a bad thing, and it isn’t as complicated or scary as it sounds.
🧭 Let’s navigate the intersection of application security and containerization and systems design together. 🧭
Where we’re headed
This is the system we’re going to look at fully assembled. Using the map below, let’s dig into how to threat model and talk about the security risks at each part. Then we’ll look at how it gets put together and think about the security of this system as a whole.
A meandering stroll through container security
Coming soon
- Host risks and shenanigans
- Runtime fun time
- Orchestrating chaos
- Where do images come from?
- … but what is in those images, though?
- Real-world risks - or “not everything you read in an industry white paper is important” and other lessons learned the hard way
Hands-on examples
- Do you really need a runtime?
- How to tell if you’re in a container
- Investigating my privileges
- A small collection of my favorite container escapes 😈
This is part of a series put together from client-facing conversations, conference talks, workshops, and more over the past 10 years of asking folks to stop doing silly things in containers. Many slides were taken from my talk at BSides Boulder 2025 and the hands-on exercises from my workshop at AppSec Village @ DEF CON 33.
👷🏻‍♀️ (this page is a work in progress, to be assembled over summer 2025 🏖️)