Monday, February 14, 2022

There is no attack surface like NO attack surface


Ben Hughes has a funny and insightful blog post about the endless recapitulation of DevSecOps concepts over the last 25 years. He touches on one of my deeply held beliefs: that simplicity and removing components, rather than complexity and constant addition, make systems more secure.

The hotness du jour is Distroless (congratulations, you've reinvented using chroot from 1997), where the goal is to have no userland you don't need in the image. For compiled languages like Go, Rust and the like this is easy, as they can emit static binaries, so you mostly don't have to worry about shared libraries at all. The image can contain as little as ca-certificates, /etc/passwd, /tmp, and tzdata!

% docker inspect gcr.io/distroless/static-debian11 | jq '.[0].Size' | numfmt --to iec --format "%.2f"
2.26M


A relatively small 2.26 megabyte container has a much smaller attack surface than the huge containers we normally deploy. This concept is similar to unikernels and immutable infrastructure for virtual machines. Unikernels on VMs are more secure and better isolated from their parent and from other tenants. However, VMs are no longer en vogue. Kubernetes is the answer; what is your problem?
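As an added illustration (not from Ben's post or mine), here is how the static-binary plus distroless pattern described above looks in practice. The module layout (./cmd/app), the Go version tag and the nonroot/debug distroless tags are assumptions about the project being built; the point is what ends up in the final image and what does not.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build a fully static Go binary. CGO_ENABLED=0 keeps glibc out of
# the link, so the result needs no shared libraries in the runtime image.
# (Go version and ./cmd/app path are assumptions for this example.)
FROM golang:1.17-bullseye AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# Stage 2: the distroless static base from the post. It ships ca-certificates,
# /etc/passwd (with a "nonroot" user, uid 65532), /tmp and tzdata, but no shell,
# package manager or libc, so there is nothing for an attacker to pivot with.
FROM gcr.io/distroless/static-debian11:nonroot
COPY --from=build /out/app /app
USER nonroot:nonroot

# Exec form is required: there is no /bin/sh to interpret a shell-form command.
ENTRYPOINT ["/app"]
```

Because there is no shell, `docker exec -it <container> sh` fails on this image; when you genuinely need busybox for troubleshooting, build a separate variant on the `:debug` tag rather than adding a shell to the production image.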

Ben goes on to rant about all the useless poop we cram into our Docker images: it bloats their size, slows down all of our processes and CI/CD pipelines, and brings along dozens of security vulnerabilities. As Elon keeps saying whenever he talks about engineering: try very hard to remove objects, components, and features you don't need.
