• @kitnaht
    169 hours ago

    The biggest problem that I have with docker is honestly, the fear of a supply-chain attack.

    • @GreenKnight23
      147 hours ago

      and that’s why you build redundancy and image scanning into your pipeline.

      to not use a technology like containers based entirely on a generalization of “security” ignores the obvious security benefits of using a sandboxed environment that can run almost anywhere.

      it used to take an hour to release new code into the services I own where I work. with containerized services it takes me five minutes. sure, the builds and scans and QA take a day, but the apps have never been this stable before.

      rollbacks would take all fucking night. now? five minutes.

      the benefits are a boon to solvency with very little impact to security if managed correctly.

      • @roofuskit
        48 hours ago

        Enterprise folks also shouldn’t be pulling updates down to production environments.

        • @Acters
          23 hours ago

          CrowdStrike: lmao let’s brick half the world running on Windows PCs

      • @roofuskit
        25 hours ago

        They worry about someone replacing the docker image on the hosting server with a malicious modified version for people to pull down during updates.

        • @[email protected]
          55 hours ago

          This worry exists for literally every third-party dependency, not just Docker, and is addressed the same way: by running tests and vulnerability scans in a sandboxed test environment before shipping to prod.
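The scenario the two comments above describe (a tag on the registry quietly re-pointed at a modified image between the review and the production pull) is exactly what digest pinning closes off. Below is an added example, not code from this thread or from Docker itself, showing a pre-deploy gate that refuses unpinned references unless the tag still resolves to the digest recorded at scan time, and that verifies digest-pinned references by re-hashing the served manifest. The registry here is a constructed in-memory stand-in (`FakeRegistry`) so the script runs offline; the image names, manifests and the `demo()` tag-swap are all constructed for illustration.

```python
import hashlib
import json
import re

# Constructed in-memory stand-in for an OCI registry (assumption: not a real
# registry client). Tags are mutable pointers; digests are content-addressed.
class FakeRegistry:
    def __init__(self):
        self.tags = {}    # (repo, tag) -> digest
        self.blobs = {}   # (repo, digest) -> canonical manifest bytes

    def push(self, repo, tag, manifest):
        raw = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
        digest = "sha256:" + hashlib.sha256(raw).hexdigest()
        self.blobs[(repo, digest)] = raw
        self.tags[(repo, tag)] = digest   # a re-push silently moves the tag
        return digest

    def resolve(self, repo, tag):
        return self.tags[(repo, tag)]

    def fetch(self, repo, digest):
        return self.blobs[(repo, digest)]


REF_RE = re.compile(
    r"^(?P<repo>(?:[^/@:]+(?::\d+)?/)?[^@:]+)"   # optional host[:port]/ then path
    r"(?::(?P<tag>[\w][\w.-]*))?"                  # optional :tag
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"      # optional @sha256:<hex>
)


def parse_ref(ref):
    """Split an image reference into (repo, tag, digest); tag/digest may be None."""
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"not an image reference: {ref!r}")
    return m.group("repo"), m.group("tag"), m.group("digest")


def is_pinned(ref):
    """True only when the reference carries a digest, i.e. is content-addressed."""
    return parse_ref(ref)[2] is not None


def check_image(ref, lock, registry):
    """Pre-deploy gate. Returns (ok, reason).

    lock maps "repo:tag" -> digest recorded when the image was last scanned/QA'd.
    """
    repo, tag, digest = parse_ref(ref)
    if digest is not None:
        # Content-addressed: a swapped tag is irrelevant, but still verify the
        # registry served bytes that actually hash to the digest we asked for.
        raw = registry.fetch(repo, digest)
        actual = "sha256:" + hashlib.sha256(raw).hexdigest()
        if actual != digest:
            return False, "served manifest does not hash to the requested digest"
        return True, "digest-pinned; content is what was reviewed"
    key = f"{repo}:{tag or 'latest'}"
    expected = lock.get(key)
    if expected is None:
        return False, f"{key} is unpinned and has no locked digest"
    current = registry.resolve(repo, tag or "latest")
    if current != expected:
        return False, f"{key} moved from {expected[:19]}... to {current[:19]}..."
    return True, f"{key} still resolves to the locked digest"


def demo():
    """Constructed tag-swap scenario. Returns the three gate outcomes."""
    reg = FakeRegistry()
    good = reg.push("registry:5000/app", "1.0",
                    {"layers": ["sha256:aaa"], "config": "sha256:ccc"})
    lock = {"registry:5000/app:1.0": good}   # recorded after scanning/QA
    before = check_image("registry:5000/app:1.0", lock, reg)[0]
    # Someone with push access re-publishes the same tag with an extra layer.
    reg.push("registry:5000/app", "1.0",
             {"layers": ["sha256:aaa", "sha256:bad"], "config": "sha256:ccc"})
    tag_after = check_image("registry:5000/app:1.0", lock, reg)[0]
    digest_after = check_image(f"registry:5000/app@{good}", lock, reg)[0]
    return {"before": before, "tag_after": tag_after, "digest_after": digest_after}


if __name__ == "__main__":
    print(demo())   # {'before': True, 'tag_after': False, 'digest_after': True}
```

Against a real registry the equivalent is to deploy with `docker pull repo@sha256:<digest>` (the daemon verifies the manifest hash itself) and to record the digest in a lock file at the point the image passes scanning, so the production pull can never pick up something the pipeline did not see; the sandboxed test and scan step the comment above describes is what produces that locked digest.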

      • @kitnaht
        28 hours ago

        Supply chain attack has a definition. And it has nothing to do with DDoS.

        • @GreenKnight23
          37 hours ago

          ddos is vaguely related to a supply chain attack in the sense that it can be used as a distraction to implement said chain attack. it was a pretty common tactic at one point.

          • disrupt services
          • implement bad library in backups as all focus turns to production
          • destroy production enough to require a restore

          I think this is what they meant, but it’s a stretch.