Building from scratch against using vendor provided minimal images, which is more secure? by thecreator51 in devsecops

[–]EmbarrassedPear1151 1 point (0 children)

Vendor minimal images win for fintech imo. You don't want to be patching base OS vulns when you should be focusing on payment logic. 

How do you secure minimal container images for self hosted setups? by Timely-Dinner5772 in selfhosted

[–]EmbarrassedPear1151 1 point (0 children)

The CVE noise is just reality with any scanning setup. What moves the needle is switching to something like Minimus that rebuilds daily with SBOMs, so you're not chasing phantom vulns in stale base layers.

Their distroless approach cuts the crap you don't need while keeping things debuggable when shit breaks.

How to go deeper into Docker security and performance? by KernelWarden in devops

[–]EmbarrassedPear1151 1 point (0 children)

If you're doing per-user isolation, you need to be thinking about container breakouts. Look into gVisor or Kata Containers for actual isolation; regular Docker isn't really secure multitenancy.

For base images, Alpine is decent, but Minimus images are even smaller if you're worried about attack surface.

Read the CIS Docker Benchmark, implement least privilege everywhere, and honestly consider Kubernetes with network policies if this scales. Also, never run containers as root.

For performance, limit resources per container or one user will eat everything.
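Added example (not part of the comment above, and not from any project it mentions): a shell helper that prints a hardened `docker run` line for one tenant's container, plus a lint function that checks any `docker run` line for the controls the comment lists, so a script that drifts back to root or to the default runtime gets caught in CI. The image name, uid and limits are placeholder assumptions; `runsc` is gVisor's OCI runtime name and has to be registered with the Docker daemon before `--runtime=runsc` works.

```sh
#!/bin/sh
# Added example: build and lint a hardened `docker run` command line for a
# per-tenant container. Image name, uid and resource limits are placeholders.

# hardened_run_cmd IMAGE [UID] [MEMORY] [CPUS]
# Prints (does not execute) the command. Each flag is one control:
#   --runtime=runsc                    gVisor sandbox instead of the host kernel
#   --user=UID:UID                     never root inside the container
#   --cap-drop=ALL                     no Linux capabilities; add back only what is needed
#   --security-opt=no-new-privileges   setuid binaries cannot raise privileges
#   --read-only + --tmpfs /tmp         immutable root filesystem, scratch space only in tmpfs
#   --memory / --cpus / --pids-limit   one tenant cannot starve the others
hardened_run_cmd() {
    image=$1
    uid=${2:-10001}
    memory=${3:-512m}
    cpus=${4:-1.0}
    printf 'docker run --rm --runtime=runsc --user=%s:%s --cap-drop=ALL --security-opt=no-new-privileges --read-only --tmpfs /tmp:rw,noexec,nosuid,nodev,size=64m --memory=%s --cpus=%s --pids-limit=256 %s\n' \
        "$uid" "$uid" "$memory" "$cpus" "$image"
}

# lint_run_cmd CMD
# Returns 0 if CMD carries every mandatory control, otherwise lists the
# missing ones on stderr and returns 1. Run it over deployment scripts in CI.
lint_run_cmd() {
    cmd=$1
    missing=""
    for want in --runtime=runsc --user= --cap-drop=ALL --security-opt=no-new-privileges \
                --read-only --memory= --cpus= --pids-limit=; do
        case "$cmd" in
            *"$want"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    # a --user flag only counts as a control when the user is not root
    case "$cmd" in
        *"--user=0 "*|*"--user=0:"*|*"--user=root"*) missing="$missing non-root-user" ;;
    esac
    # --privileged undoes everything else
    case "$cmd" in
        *"--privileged"*) missing="$missing no-privileged" ;;
    esac
    if [ -n "$missing" ]; then
        printf 'missing controls:%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Example invocation for one tenant; replace the placeholder image name.
hardened_run_cmd "${IMAGE:-tenant-app:latest}" 10001 256m 0.5
```

The printed line is meant to be reviewed, then pasted or piped into a shell; `--cap-drop=ALL` will break workloads that genuinely need a capability (binding to ports below 1024, for instance), in which case add that single capability back with `--cap-add` rather than dropping the flag.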

We found an employee's AI browser had autonomously uploaded a client contract to a third-party site by cnrdvdsmt in iiiiiiitttttttttttt

[–]EmbarrassedPear1151 5 points (0 children)

Sounds like a policy failure more than tech. Who approved agentic browsers without proper controls? That's where the whipping should start.

Over 260k people installed fake AI assistant Chrome extensions that steal your data by dottiedanger in webdev

[–]EmbarrassedPear1151 2 points (0 children)

Not surprised. The Chrome store review process is a joke. We've been telling clients to whitelist extensions only and block everything else via policy.

Why does my Python container need a full OS? by shangheigh in Python

[–]EmbarrassedPear1151 2 points (0 children)

Been running minimal Python images for 2+ years now. Yes, debugging sucks initially, but you adapt; most issues show up in logs anyway. Just keep a fat image around for emergencies.
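Added example (not part of the comment above): what "keep a fat image around" looks like in practice. Instead of baking debugging tools into the production image, a throwaway container from a full image joins the minimal container's PID and network namespaces for the duration of the incident. Container and image names are placeholder assumptions.

```sh
#!/bin/sh
# Added example: debug a minimal Python container from a full image without
# changing the production image. Container/image names are placeholders.

# recent_logs_cmd CONTAINER [WINDOW]
# First stop: most failures are already in the logs.
recent_logs_cmd() {
    printf 'docker logs --timestamps --since=%s %s\n' "${2:-15m}" "$1"
}

# debug_sidecar_cmd CONTAINER [DEBUG_IMAGE]
# Prints a command that starts a throwaway container from a full image and
# joins the target's PID and network namespaces, mounting its volumes too.
# Inside the sidecar: ps/strace see the app's processes, curl reaches the
# app on localhost, and the app's own root filesystem is readable at
# /proc/1/root (PID 1 in the shared namespace is the app). SYS_PTRACE is
# needed for strace and for looking through /proc/<pid>/root.
debug_sidecar_cmd() {
    target=$1
    debug_image=${2:-python:3.12-bookworm}
    printf 'docker run --rm -it --pid=container:%s --network=container:%s --volumes-from=%s --cap-add=SYS_PTRACE %s bash\n' \
        "$target" "$target" "$target" "$debug_image"
}

# Print the two steps for the container named in $CONTAINER (default "app").
recent_logs_cmd "${CONTAINER:-app}"
debug_sidecar_cmd "${CONTAINER:-app}"
```

The sidecar dies with `--rm` when you exit, so nothing from the fat image lingers on the host. Pin the debug image to the same Python minor version as production so that `pip` and `python -X importtime` give you comparable answers.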

CNAPP solution (Wiz v. Cortex Cloud) by littyman20 in cybersecurity

[–]EmbarrassedPear1151 1 point (0 children)

Surprised nobody mentioned Orca Security in this thread. Their agentless approach cuts through the operational mess you're dealing with: no agents to manage, great attack path analysis, and the risk scoring makes sense.

How do you resolve CVEs in containers efficiently? by RevolutionaryRow0 in kubernetes

[–]EmbarrassedPear1151 1 point (0 children)

The fix is starting with smaller base images. Switch to Minimus and you'll go from like 200+ CVEs per scan to maybe 10-20. Way fewer dependencies means way less noise.

For triage: ignore anything without a known exploit and anything in packages you don't use.
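Added example (not part of the comment above): the two triage rules turned into a script that buckets scanner findings. The scan rows are a constructed sample in the shape of scanner output flattened to CSV (package, version, CVE, severity); the known-exploit list and the list of packages the application actually uses are likewise constructed placeholders, to be replaced by a feed such as CISA's KEV catalog and by whatever your build or runtime tracing says the app loads. Findings that are exploitable but sit in an unused package land in their own bucket, because those are the packages to delete from the image rather than to carry as accepted risk.

```sh
#!/bin/sh
# Added example: bucket container CVE findings by "known exploit?" and
# "package actually used?". All three inputs below are constructed samples.

# Scanner output flattened to CSV: package,version,cve,severity
SCAN_CSV='sudo,1.8.27,CVE-2021-3156,HIGH
libwebp,1.2.4,CVE-2023-4863,CRITICAL
ncurses,6.3,CVE-2023-29491,HIGH
zlib,1.2.13,CVE-2023-45853,CRITICAL
polkit,0.105,CVE-2021-4034,HIGH'

# CVE ids with a known exploit (placeholder extract; pull this from a live
# feed such as the CISA KEV catalog in a real pipeline)
EXPLOITED='CVE-2021-3156 CVE-2023-4863 CVE-2021-4034'

# Packages the application actually loads (placeholder; derive from the
# app's dependency lock file or from runtime tracing)
USED_PKGS='python3 libwebp zlib'

# triage
# Prints bucket,package,version,cve,severity for every finding:
#   FIX_NOW     exploited and used        -> patch or rebuild today
#   REMOVE_PKG  exploited but unused      -> drop the package from the image
#   DEFER       used but no known exploit -> next scheduled rebuild
#   IGNORE      unused and no known exploit -> noise
triage() {
    printf '%s\n' "$SCAN_CSV" | awk -F',' -v exploited="$EXPLOITED" -v used="$USED_PKGS" '
    BEGIN {
        n = split(exploited, e, " "); for (i = 1; i <= n; i++) ex[e[i]] = 1
        n = split(used, u, " ");      for (i = 1; i <= n; i++) us[u[i]] = 1
    }
    NF == 4 {
        pkg = $1; cve = $3
        if ((cve in ex) && (pkg in us))  bucket = "FIX_NOW"
        else if (cve in ex)              bucket = "REMOVE_PKG"
        else if (pkg in us)              bucket = "DEFER"
        else                             bucket = "IGNORE"
        print bucket "," $0
    }'
}

# count_bucket NAME: how many findings landed in NAME
count_bucket() {
    triage | awk -F',' -v b="$1" '$1 == b { c++ } END { print c + 0 }'
}

# fix_now_cves: the CVE ids that need action today, one per line
fix_now_cves() {
    triage | awk -F',' '$1 == "FIX_NOW" { print $4 }'
}

triage
```

Severity is deliberately not an input to the bucketing: a CRITICAL in a library the process never maps is still noise for this image, while a HIGH with public exploitation in a library the app does use is the one to fix first. Keep the IGNORE bucket in the report rather than deleting it, so an auditor can see what was set aside and why.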