Slashdot Mirror
Security is an Important Coding Consideration Even When You Use Containers (Video)
Last month Tom Henderson wrote an article titled Container wars: Rocket vs. Odin vs. Docker. In that article he said, "All three are potentially very useful and also potentially very dangerous compared to traditional hypervisor and VM combinations."
Tom's list of contributions at Network World show you that he's not a neophyte when it comes to enterprise-level security, and that he's more of a product test/analytical person than a journalist. And afraid to state a strong opinion? That's someone else, not Tom, who got flamed hard for his "Container Wars" article, but has been proved right since it ran. Tom also says, in today's interview, that the recent Apple XcodeGhost breach should be a loud wake-up call for developers who don't worry enough about security. But will it? He's not too sure. Are you?
Tom's list of contributions at Network World show you that he's not a neophyte when it comes to enterprise-level security, and that he's more of a product test/analytical person than a journalist. And afraid to state a strong opinion? That's someone else, not Tom, who got flamed hard for his "Container Wars" article, but has been proved right since it ran. Tom also says, in today's interview, that the recent Apple XcodeGhost breach should be a loud wake-up call for developers who don't worry enough about security. But will it? He's not too sure. Are you?
Containers are even more dangerous than VMs since you lose even more virtualization. All these technologies sit on a spectrum of resource-cost-to-containment with the hardest containment being a different physical machine. Even process isolation yields some amount of containment (can't snoop cross-process memory) but this is typically trivial to breach for any malware.
A large part of the security problem can be solved with simple configuration cleanliness. Do you know what software you're running? If you don't then no amount of containment will help and it's just a matter of time before your network is pwned.
There are 11 types of developers when it comes to security.
00) Wot? 70% of them. Probably 95% of web designers.
01) I care about security, but I don't have to do anything about it in my layer. Another 20%.
10) I care about security and it is my problem. Just 10%. Maybe.
This guy is preaching to group 10 and trying to get group 01 to care. It's nice to see something else out there fighting the good fight.
Containers are even less separate than jails, of course they're near the bottom of the barrel in terms of security. Why the Container fad when the overhead of proper virtualization is now so very low it's negligible on any modern server processor?
never use gotos,
There's nothing wrong with GOTO statements, and there never was. This is a rather popular misconception.
Sixth, never ever use exception handlers. You have a non-deterministic path through the program and therefore no means of knowing if the state of the program is valid. You also want the program to crash if it encounters a situation that it shouldn't, it means there's a catastrophic fault in the machine or the software. There are no exceptions to this rule. Exception handling is one of the worst mistakes ever made in software engineering.
Oh, so you're trolling.