
Container Security: Building Fortified Foundations with Minimal Attack Surfaces + pre-RSA 2025

Discover how leading cloud security experts are revolutionizing container security by leveraging minimal images, immutable infrastructure, and developer-friendly tools. This week's newsletter reveals practical strategies to reduce attack surfaces, automate security controls, and implement the "shift down" philosophy for securing containerized workloads at scale.

Hello from the Cloud-verse!

This week's issue is sponsored by Varonis - Data Security Strategies for GenAI World.


In case this is your first Cloud Security Newsletter: you are in good company!
You are reading this issue along with your friends and colleagues from companies like Netflix, Citi, JP Morgan, LinkedIn, Reddit, GitHub, GitLab, Capital One, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc & more who subscribe to this newsletter and who, like you, want to learn what's new in cloud security each week from their industry peers, as do the many others who listen to Cloud Security Podcast & AI CyberSecurity Podcast every week.

Welcome to this week's edition of the Cloud Security Newsletter!

This week, we're diving deep into container security with insights from two outstanding practitioners: Cailyn Edwards, Co-chair of Kubernetes SIG Security at Auth0 by Okta, and Mrunal Shah, Head of Cloud Security Engineering and Container Security at Warner Brothers Discovery. Their experiences provide a comprehensive view of container security strategies that balance security with developer productivity.

📰 THIS WEEK'S SECURITY NEWS

🤖 Google Unveils Sec-Gemini v1, New Cybersecurity-Focused AI Model

Google has announced Sec-Gemini v1, an experimental AI model specifically designed for cybersecurity applications. The model combines Gemini's advanced capabilities with near real-time cybersecurity knowledge and tooling. According to Google, it outperforms other models on key benchmarks, including the CTI-MCQ and CTI-Root Cause Mapping tests by at least 11% and 10.5% respectively. This specialized model will be made available to select organizations for research purposes. More Information here.

Why it matters: As cloud environments grow more complex, security teams need intelligent automation to manage threats efficiently. For cloud security practitioners, AI models like Sec-Gemini could significantly enhance capabilities for incident response, vulnerability prioritization, and threat analysis. This represents an important step toward addressing the "defender's dilemma" where security teams must defend against all possible attacks while adversaries only need to find one successful vector.

🚨 ConfusedComposer: New GCP Privilege Escalation Vulnerability Disclosed

Liv Matan of Tenable Research has disclosed a now-fixed privilege escalation vulnerability in Google Cloud Platform (GCP) dubbed "ConfusedComposer." The vulnerability could have allowed an attacker with permission to edit a Cloud Composer environment to escalate privileges to the default Cloud Build service account, which has extensive permissions to Cloud Build, Cloud Storage, and Artifact Registry. The vulnerability exploited how Cloud Composer handled the installation of custom PyPI packages. More Information here.

Why it matters: This vulnerability highlights the complex permissions models in cloud environments and the potential for confused deputy attacks. For cloud security teams, it emphasizes the importance of regularly auditing service-to-service permissions and understanding the entire chain of service integrations in your cloud infrastructure. As our podcast guest Mrunal Shah noted in our feature interview, "you can't really just trust documentation to be accurate" - a thorough understanding of your environment's architecture is essential.

🔍 Verizon's 2025 DBIR Reports 44% of Breaches Now Involve Ransomware

The 2025 Verizon Data Breach Investigations Report reveals that 44% of cybersecurity breaches now involve ransomware, representing a 37% increase from the previous year. The median amount paid to ransomware groups was $115,000, though 64% of victim organizations did not pay the ransom. The human element remains a significant factor, involved in approximately 60% of breaches, with credential abuse and phishing as major vectors. More Information here.

Why it matters: These findings align with what our podcast guest Cailyn Edwards highlighted about the importance of securing container environments against unauthorized access. As more organizations migrate to container-based applications, securing credentials and implementing proper access controls becomes even more critical. Container security is not just about vulnerability management but also about preventing credential theft and lateral movement that could lead to ransomware deployment.

🔥 Google Cloud Announces 27 Security Enhancements at Next '25

At Google Cloud Next '25, the company unveiled "Google Unified Security," which brings together their visibility, threat detection, AI-powered security operations, continuous virtual red-teaming, and browser security capabilities into a converged solution. Among the 27 security announcements were new AI agents for alert triage and malware analysis, expanded Data Security Posture Management capabilities, and advanced Cloud Armor Enterprise features with hierarchical policies. More Information here.

Why it matters: These announcements reflect the growing trend toward integrated security platforms that provide comprehensive visibility across cloud environments. For container security professionals like our featured experts, tools that help visualize and secure the entire container lifecycle—from build to runtime—are becoming increasingly essential.

😱🎙️ LIVE Cloud Security Podcast Event at BSidesSF & RSA '25

At BSidesSF, Cloud Security Podcast will be hosting a LIVE podcast panel on Securing AI Workloads with Kane & Jackie.

We will also be hosting our FIRST Cloud Security Meetup at BSidesSF. You can RSVP for the Meet & Greet at BSidesSF here.

Why it matters: You will get to see me & Ashish (CISO & Cloud Security Podcast host) and other like-minded Cloud Security folks attending BSidesSF.

CLOUD SECURITY TOPIC OF THE WEEK

Securing Container Workloads: From Minimal Images to Runtime Protection

Container security represents a fundamental shift in how we approach vulnerability management, infrastructure protection, and security automation. This week, we explore strategies for reducing attack surfaces, implementing practical security controls, and enabling developers to build secure containerized applications.

  • Cailyn Edwards: Co-chair of Kubernetes SIG Security at Auth0 by Okta

  • Mrunal Shah: Head of Container Security at Warner Brothers Discovery

Definitions and Core Concepts 📚

Before diving into the analysis, let's clarify some key terms referenced throughout the discussion:

  • Container Image: A lightweight, standalone, executable OS package that includes everything needed to run an application: code, runtime, system tools, system libraries and settings

  • Golden Container Images: Container base images with only essential components required to run the application, reducing the attack surface (examples: Alpine Linux, distroless images)

  • Bottlerocket: An AWS-managed container operating system designed for security and ease of management for container workloads

  • Immutable Images: Container images that aren't modified after deployment; any changes require building and deploying a new image instead of patching existing containers

  • Shift Left vs. Shift Down: "Shift left" refers to moving security earlier in the development lifecycle. "Shift down" is a newer concept suggesting security should be embedded into platforms and tooling to make secure practices effortless for developers


🧠 Our Insights from These Practitioners

The Evolution of Container Security Thinking

Both of our experts emphasize that container security requires a different mental model compared to traditional infrastructure security. Mrunal Shah points out that "the traditional vulnerability management makes a little less sense on containers" because "there is no patching." Instead, container security focuses on:

  1. Building minimal, purpose-built images

    Cailyn Edwards advocates for using minimal base images: "If you're picking some really minimal Linux OS such as Alpine, or if you even want to go further, you can use something called Distroless... you can really minimize the footprint of your application."

    The benefits are twofold: reduced vulnerability surface and improved operational security. As Mrunal explains, "Your container just has just enough packages for your application to work... you don't have packages that are not supporting your application running and offering vulnerabilities for the attackers to attack."

  2. Leveraging cloud provider-managed container images

    Both experts highlight the value of using managed, minimal images from cloud providers:

    "At Auth0 we've been really leaning on the Chainguard images or, and no matter what, immutable images," explains Cailyn Edwards. "These are very slim basic images. You have to make a very intentional decision about everything that you add to the host and why."

    Mrunal similarly mentions Bottlerocket, AWS's minimalist container OS: "It is immutable and very regularly updated and patched by AWS, and depending on what your platform looks like, either they will do that automatically for you or you can make that decision to be slightly off of the latest release."

  3. Shifting from patching to upgrading

    Rather than traditional patch management, container security focuses on regular image updates:

    As Cailyn Edwards explains: "You're offloading some of that work so that you're not doing the patches really. You're doing upgrades instead. So you're offloading a little bit, you're building that trust relationship. You're putting a bit of ownership onto the cloud platform."

Key Container Security Challenges and Tools

Our experts identified specific challenges in container security and recommended tools to address them:

  1. Misconfigurations and API Security

    Configuration errors are a significant risk vector. Cailyn Edwards recommends several tools to address this:

    • Trivy: For vulnerability scanning for containers

    • TruffleHog: For secrets detection

    • Open Policy Agent (OPA): For enforcing security policies

    • Kube-bench: For Kubernetes security benchmarking

  2. The development pipeline is the key to driving security seamlessly

    Mrunal emphasizes the importance of automation here: "How can we have an automated pipeline? How can we make sure if a developer goes to make a service, they're pulling from a secure template, they're not pulling from some random source."

  3. Runtime Protection Tradeoffs
    For runtime security, there are important decisions around agent-based vs. agentless approaches:
    Mrunal explains: "The pros [of agent-based] is they will be a little more comprehensive in being able to prevent and allowing you to be able to build rules within your cluster to prevent a threat from propagating within your environment. But the con is, it is an agent that you have to deploy... And when you have a lot of clusters they are not easy to manage."
    For agentless approaches like AWS GuardDuty, "it has its pros and cons, the pros is, you can quickly integrate it, it works seamlessly. You can scale it really quickly across... however many clusters you have." However, "What it lacks is the ability to prevent something on the cluster so it's more of a detection."

Practical Implementation Strategy

Based on our experts' insights, a practical container security implementation should include:

  1. Establish a secure base with minimal images
    Cailyn Edwards recommends: "A great way to start is having a blessed image library, having your own private image registry... making sure that those changes, again, can't happen after the fact. And that means like right off the bat, your developers are going to be in a better spot."

  2. Implement scanning across the entire pipeline
    "Have this pipeline, have a scan immediately on changes for as part of your GitHub, as part of your PR request, make sure that nothing absolutely awful is being added and then shape scanning in production," advises Cailyn.
    Mrunal adds: "I would break apart the container security as hey, vulnerability management, but there's also misconfiguration management... So I would really go heavy on shift left strategies first."

  3. Apply policy as code with admission controllers
    For Kubernetes environments, Cailyn recommends: "OPA and admission control... they have validating and admission and mutating admission control policies... the mutating ones, which I think are really what you wanna do... it just changes that line from my insecure setting to my secure setting. And then the developers don't have to think about it."

  4. Balance security with developer experience
    Both experts emphasize the importance of working collaboratively with developers. Cailyn notes: "We all want the same thing. We all want our companies to succeed, our applications to be safe, our applications to be reliable and we are going to learn things about our practices as well to be like, oh, like we have to balance security and reliability."
    Mrunal adds: "The most secure application is the one that's turned off. But how do you use a turned off application? So we crawl back and we meet developers. We're there. We understand their use cases."

  5. Embrace the "shift down" philosophy
    As Cailyn summarized it: "I think the theme of KubeCon and maybe some of your other guests will say is, now we're not shifting left, we're shifting down. And I agree... We can't just keep shifting left. And I like this idea of coming together shifting down, making it easy to adopt, making it just less work really."
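
Steps 1 and 3 above can be combined in a single admission decision. The sketch below is an added example, not code from the interviewees or from any project named in this issue: it rejects Pods whose images are not digest-pinned images from a blessed registry, and otherwise returns a JSON Patch that rewrites insecure container settings to secure ones. The registry prefix, the set of enforced defaults and the sample request are assumptions constructed for illustration.

```python
import base64
import json

# Assumption: stand-in for your private "blessed" image registry.
BLESSED_PREFIX = "registry.example.internal/blessed/"
# Assumption: the secure settings this platform forces on every container.
SECURE_DEFAULTS = {"allowPrivilegeEscalation": False, "privileged": False,
                   "readOnlyRootFilesystem": True, "runAsNonRoot": True}
# Constructed sample request: a pinned blessed image that asks to run privileged.
SAMPLE = {"request": {"uid": "constructed-uid-1", "object": {"spec": {"containers": [
    {"image": BLESSED_PREFIX + "api@sha256:" + "0" * 64,
     "securityContext": {"privileged": True}}]}}}}


def review(admission_review):
    """Answer one admission.k8s.io/v1 AdmissionReview for a Pod."""
    req = admission_review["request"]
    spec = req["object"]["spec"]
    denied, patch = [], []
    for kind in ("containers", "initContainers"):
        for i, c in enumerate(spec.get(kind, [])):
            image = c.get("image", "")
            # Validating half: only digest-pinned images from the blessed registry.
            if not image.startswith(BLESSED_PREFIX) or "@sha256:" not in image:
                denied.append(f"{kind}[{i}] image {image!r} is not a pinned blessed image")
                continue
            # Mutating half: change insecure or missing settings to the secure value.
            path = f"/spec/{kind}/{i}/securityContext"
            ctx = c.get("securityContext")
            if ctx is None:
                patch.append({"op": "add", "path": path, "value": dict(SECURE_DEFAULTS)})
                continue
            for key, want in SECURE_DEFAULTS.items():
                if ctx.get(key) != want:
                    # JSON Patch "add" on an existing object member replaces it.
                    patch.append({"op": "add", "path": f"{path}/{key}", "value": want})
    response = {"uid": req["uid"], "allowed": not denied}
    if denied:
        response["status"] = {"code": 403, "message": "; ".join(denied)}
    elif patch:
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def decode_patch(reply):
    """Return the JSON Patch operations carried in a reply (empty list if none)."""
    raw = reply["response"].get("patch")
    return json.loads(base64.b64decode(raw)) if raw else []
```

Forcing `readOnlyRootFilesystem` or `runAsNonRoot` can break images that were not built for it, so a rollout would normally start by logging the patch before enforcing it.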

Container Security To-Do List

  1. Evaluate your container base images - Consider replacing general-purpose OS images with minimal alternatives like Alpine, distroless images, or managed options like Bottlerocket or Chainguard

  2. Implement comprehensive scanning - Set up vulnerability and misconfiguration scanning at multiple stages: during PR creation, in CI/CD, and in production

  3. Define and enforce security policies - Use admission controllers and OPA to enforce security guardrails

  4. Establish upgrade processes instead of patching - Rather than patching containers, establish a workflow for regular container image updates

  5. Balance prevention with detection - Consider your strategy for runtime protection, weighing the tradeoffs between agent-based prevention and agentless monitoring

This newsletter issue's Takeaway for Practitioners and Leaders

Container security represents a fundamental shift from traditional security practices. Our experts emphasize moving from reactive patching to proactive image management using minimal, immutable container images. Key strategies include:

  1. Use minimal base images to reduce attack surface (Alpine, distroless, Chainguard)

  2. Leverage cloud provider-managed solutions (Bottlerocket, managed Kubernetes)

  3. Implement automated scanning across the development pipeline

  4. Deploy policy enforcement with admission controllers and OPA

  5. Focus on developer experience by "shifting down" security into platforms

Rather than treating containers like miniature VMs that need patching, successful container security programs focus on regular image upgrades, comprehensive scanning, and guardrails that make secure practices the easiest path for developers.

Question for you? (Reply to this email)

What do you use for Golden Container Images?

- 3rd Party Managed
- Self Managed

Next week, we'll explore another critical aspect of cloud security. Stay tuned!

We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe, and welcome to the new members of this newsletter community💙

Peace!
