Container Security

“Let’s move to containers” promised engineering simplicity, security, and easy scaling … but there was a catch. 🙊

The simplicity and security gains were only true if containers were used as intended. Turns out it’s really an entirely new system that replaced the equally complex old system, but with different tradeoffs to consider as we built new systems. That’s not a bad thing and it isn’t as complicated or scary as it sounds.

🧭 Let’s navigate the intersection of application security and containerization and systems design together. 🧭

Where we’re headed

This is the system we’re going to look at fully assembled. Using the map below, let’s dig into how to threat model and talk about the security risks at each part. Then we’ll look at how it gets put together and think about the security of this system as a whole.

click to enlarge

Coming soon

• Why this matters
• What’s a container, anyways?
• Host risks and shenanigans
• Runtime fun time
• Orchestrating chaos
• Where do images come from?
• … but what is in those images, though?
• A small collection of my favorite container escapes 😈
• Real world risks - or “not everything you read in an industry white paper is important” and other lessons learned the hard way

This is an expanded set of slides and resources since shown live on 13 June 2025 at BSides Boulder 2025 , as well as other posts on this topic, all in a reasonable order.

👷🏻‍♀️ (this page is a work in progress, to be assembled over summer 2025)