Hello again dear reader. Unless you have been living under the proverbial rock for the past years, you are aware that containers have taken the world by storm. More likely than not, your favorite web site/application is a collection on containers running on an orchestrator (read at the time of writing: Kubernetes), interacting with assorted components.
It is true that containers do solve a lot of traditional deployment problems, dependency management not being the least, however common misconceptions might introduce subtle security errors. This book by Liz Rice attempts to dispel a lot of these misconceptions and help the astute reader increase their container security posture. So, without further ado, let’s peek at the table of contents:
- Container Security Threats
- Linux System Calls, Permissions and Capabilities
- Control Groups
- Container Isolation
- Virtual Machines
- Container Images
- Software Vulnerabilities in Images
- Strengthening Container Isolation
- Breaking Container Isolation
- Container Network Security
- Securely Connecting Components with TLS
- Passing Secrets to Containers
- Container Runtime Protection
- Containers and the OWASP Top 10
- Conclusions
- Appendix: Security Checklist
By even just glancing over the table of contents, it is obvious that this book does not beat around the bush, wasting pages in introductory topics that are discussed elsewhere. Liz writes with laser-like precision and in a concise way so that keeps the overall page count in a lean just-below-200 number. The counterpoint to this is that it assumes a lot of background knowledge from the reader, so while this book can be used as an introduction to container security (and beyond!), it does not really serve as an introduction to the container world – as it should not.
What I really like about this book is the writing style and its “down to basics” approach – while this book at the time of writing is almost three years old, most of the information contained therein is still applicable. I liked the diagrams and illustrations, making for an overall pleasant and informative pedagogical experience. The level of information contained inside is useful for both security engineers, as well as SREs – this implies experienced engineers on both sides. The security checklist appendix contains a set of useful questions you can ask regarding your container deployment strategies.
Overall, this is yet another quality release from O’Reilly. Owing to the writing style and abstraction level, while containers are a moving target (orchestrators even more so), this book has excellent shelf life and should be read by every container practitioner. It has earned its rightful place in my bookshelf at least. Until next time dear reader, keep your applications safe.
Athanasios Kostopoulos 