by OrvalWintermute 1710 days ago
Unfortunately, this reads like a 100 foot marketing document for Sysdig, not actual container security best practices.

If you want to look at actual container security best practices, check out CIS [1] & DISA [2], and NSA [3], with some theory at NIST [4], as well as the documentation from your preferred cloud vendors, be it AWS, Azure, GCP, or other, as well as the specific container security practices.

[1] https://www.cisecurity.org/

[2] https://public.cyber.mil/stigs/downloads/

[3] https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/0/CTR...

[4] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...


(disclaimer: I know the company and some of the early founders)

I wish all "marketing documents" were this detailed. In other words, I disagree with you. I've read the blog post and it doesn't seem too high level. The resources you indicate are nice, but a 60-page Kubernetes hardening guide by the US Government is perhaps one level deeper than a blog post on the internet.

Clearly sounds like a marketing document. Cites a survey from "Cloud Native Computing Foundation" and claims "92 percent of companies are using containers in production" + "Thus, Kubernetes, Openshift, and other container technologies are present everywhere" while ignoring the fact that the survey is heavily biased towards companies that run containers, of course.

Their own services and blog posts are also referenced in almost every section of the post, even when better external resources exist. Zero competitors are listed in any section. Doesn't sound very neutral to me.

In this sense, yes, I agree with you. But a "100 foot marketing document" offers a certain negative connotation that reads like "no content, just fluff"; the content is there, and yes, it is biased, and yes, no competitors are mentioned.

I also agree with you on the fact that a "smarter" kind of content marketing would go beyond these limitations; it would mention competitors, or alternatives; and it wouldn't highlight its company's own services too much.

If someone from Sysdig is reading, these are suggestions for you, guys.

>but a 60-page Kubernetes hardening guide by the US Government is perhaps one level deeper

Perhaps "Ultimate guide" is a bit of a misnomer.

> Perhaps "Ultimate guide" is a bit of a misnomer.

"Ultimate Guide, Executive Version" ?

It's supposed to be an "Ultimate guide" though.
I guess Sysdig isn't a Y Combinator startup.

I read the entire article thinking it would be a shill, I saw little evidence that it was. In fact, I got to the end and I still don't know what the hell Sysdig is.

If anything, Sysdig fucking sucked at marketing this one, if it was supposed to be a puff piece for the product.

Container security should start with image security. Instead of runtime security stuff, you can statically analyze images before they are running somewhere and find what known exploits might exist in them. This is also easier to scale.

NIST gets it right by starting there.

One of the hardest things to get any dev organization to start taking seriously is supply chain security. That first scan which lights up like a Christmas Tree is always such a daunting obstacle to get over. It's a shame because it is probably the highest value SDLC practice that many are not doing.

Yet, the base Debian image _does_ light up like a Christmas tree when you run a Snyk scan. Mostly with incorrect issues (the version number causes a flag but the fix is backported) or ones considered low priority and thus WONTFIX by upstream.

If you’re writing software against, say, dotnet3 (which has a docker image based on Debian) then you’re basically noised out.
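An added example of the triage the two posts above describe (my code, not any commenter's): a scanner that compares upstream version strings flags a Debian package whose fix was backported with only a bumped revision, so this check compares the installed version against the distro's own fixed-in revision using dpkg version ordering and treats no-dsa/unimportant entries as upstream WONTFIX. The package versions, tracker entries and CVE ids are constructed placeholders.

```python
# Added example, not from the thread: triage image-scan findings using dpkg version ordering.
import re
def _order(c):
    # dpkg character ordering: '~' < end of string < letters < other characters
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Compare one version component by alternating non-digit runs and numeric runs.
    while a or b:
        (la, da), (lb, db) = re.match(r"(\D*)(\d*)", a).groups(), re.match(r"(\D*)(\d*)", b).groups()
        for i in range(max(len(la), len(lb))):
            d = _order(la[i:i + 1]) - _order(lb[i:i + 1])
            if d:
                return (d > 0) - (d < 0)
        d = int(da or 0) - int(db or 0)
        if d:
            return (d > 0) - (d < 0)
        a, b = a[len(la) + len(da):], b[len(lb) + len(db):]
    return 0

def _split(v):
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), up, rev

def dpkg_cmp(a, b):
    """Return -1/0/1 for [epoch:]upstream[-revision] (e.g. 1.0~rc1 < 1.0 < 1.0-1+deb10u1)."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def triage(findings, tracker):
    """Map each finding's CVE to FIXED_BACKPORT, WONTFIX_UPSTREAM or ACTIONABLE."""
    verdicts = {}
    for _pkg, installed, cve in findings:
        entry = tracker.get(cve, {})
        if "fixed" in entry and dpkg_cmp(installed, entry["fixed"]) >= 0:
            verdicts[cve] = "FIXED_BACKPORT"    # distro revision already carries the fix
        elif entry.get("status") in ("no-dsa", "unimportant"):
            verdicts[cve] = "WONTFIX_UPSTREAM"  # distro has decided not to ship an update
        else:
            verdicts[cve] = "ACTIONABLE"        # image is behind the distro's own fix
    return verdicts

# Constructed sample scan output (package, version, CVE) and tracker entries; CVE ids are placeholders.
FINDINGS = [("openssl", "1.1.1d-0+deb10u7", "CVE-0000-0001"),
            ("libxml2", "2.9.4+dfsg1-7", "CVE-0000-0002"),
            ("curl", "7.64.0-4", "CVE-0000-0003")]
TRACKER = {"CVE-0000-0001": {"fixed": "1.1.1d-0+deb10u6"},  # backported; image revision is newer
           "CVE-0000-0002": {"status": "no-dsa"},
           "CVE-0000-0003": {"fixed": "7.64.0-4+deb10u2"}}  # fix released; image is behind
```

Only the third finding survives as actionable noise; the first two are the backport and upstream-WONTFIX cases the post complains about.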

Even if it is a marketing document, it's still got incredibly valuable information. Almost nobody is going to read a government specification, but they will probably read this page.

>Almost nobody is going to read a government specification

Why is that?

Every company I have worked security in, including where I am at now, regularly reads government guidance. Especially NIST guidance, which is referenced all over the world.

Yet another (soon to be penultimate, etc) ultimate guide

It's funny that you use the term "actual" to describe the guidance from the US government. They don't really know what they are talking about. Their release process for guidance takes so long that by the time it's released, it's out of date. This is absolutely true for k8s guidance. Last I checked, they were suggesting everyone use "Docker Enterprise" in their guidance long after it no longer existed (are vendors supposed to magically know Mirantis is now an option?)

I always have to laugh a little bit when someone says NIST, NSA, etc. just "don't really know what they are talking about".

They aren't perfect (you know, being humans and all), and can sometimes be slow in disseminating information to the public, but you're out to lunch if you think they "don't really know" anything.

I'm scoping my statement to container security & orchestration best practices, not their competency as a whole. I know the specifics of their guidance due to the industry I work in, so I feel comfortable speaking generally about specific guidance in regards to specific technology.

Your comment reads overly defensive to me.

>I'm scoping my statement to container security & orchestration best practices, not their competency as a whole.

vs.

>It's funny that you use the term "actual" to describe the guidance from the US government. They don't really know what they are talking about.

Perhaps you can understand why I thought you were speaking generally, when your comment is written generally. I can't read minds to figure out what you're silently scoping your comment to.

But if saying I laughed and why I laughed is overly defensive, my apologies. I'm not sure how else I would tell someone I find their comment funny.

Yeah. Typical dev hyperbole.

In a similar vein, a fairly mid-level dev was recently trying to convince me that "Rob Pike is a clueless idiot who knows nothing about language design".

I somehow think that their opinion was a little more nuanced than that.

And fwiw, Rob Pike definitely did make mistakes. Golang is a great language, but it's not perfect.

It really wasn’t more nuanced than that - I’m pretty much quoting verbatim. The argument stemmed from the lack of generics in Go, which apparently was a sign of incompetence.

My general point is that there are a lot of people who see the world in binary - genius or idiot, perfect or incompetent.

Sometimes they take a longer time to release a document officially in a final version, like NIST.

However, they regularly put out drafts and socialize them at an early stage.

Additionally, there is a huge amount of content that they produce that isn't widely disseminated outside of DoD/IC.