Sunday, April 3, 2022

Again: There is no attack surface as good as NO attack surface


Here is another reminder about why simple base images are more secure. The new word for smaller, simpler, more secure base images is "quiet" because they trigger fewer false positives in security scanners, are easier to maintain, and typically contain fewer security flaws.

In software & information security, as in software design, simplicity is paramount. Whenever I read criticisms of microkernels or minimal Docker images that do not separate kernel from user space with enough security layers, or of "security issues" in tiny distros that don't do enough to assure UID 0 separation from unprivileged UIDs, I shake my head. If your Docker container has a remote execution exploit such that bad actors can use all of its resources to access and launch further attacks, none of these "security vulnerabilities" matters. Even BusyBox, the small 106KB workhorse with 300+ commands that I personally use frequently, can be secured. In real estate, your top three priorities are "Location, location, location." In software design and in software security, the top three priorities are: "Simplify, simplify, simplify."
