Secure containers - Do component reduction strategies fix your container security nightmares?
2023-10-15, WestIn - Partenkirchen

Container security issues are an ongoing topic in organizations. Containers often remain a “black box”, and vulnerabilities often cannot be resolved simply by updating base images. Security scanners typically report a lot of findings in a container, and even for critical issues updates are not always readily available, which creates a lot of effort for security and development teams. We explore different options and best practices to reduce the attack surface in your containers and will take you down the full path of removing all unnecessary components to go fully distroless. We explore whether the concept of "distroless" is the solution to your security nightmares, and what the expectations, challenges and potential disappointments are.


Which keywords describe your submission?:

distroless container security

See also: Slides

IT Security Consultant with 10+ years of experience in software engineering. In love with all things JavaScript, since 2009.

More info at mwager.de/about

I am a security consultant and founder of secureIO GmbH, a consulting company that focuses on building application security programs and consulting clients from different industries on secure software development, GRC and Data Protection. I am interested in DevSecOps, secure development, security testing, exploiting, vulnerability management processes and developing product security programs in organizations.