E09: Vulnerability Scanners
Vulnerability scanning — a decade ago it was a novel and indispensable tool for discovering vulnerabilities across your fleet. Today, more often than not, these scanners are seen as a necessary evil, more a source of aggravation than of real benefit. According to CVE.org, in 2015 there were under 6500 CVEs assigned. In 2024 that number was over 40000, a 515% increase in under ten years. With the proliferation of containers, a single CVE can “affect” one entity once or tens of thousands of times. Given the volume and the ever-growing compute landscape, are vulnerability scanners still our best path …
E06: Best practices for containers
When is a best practice not a best practice? Sadly, often when we talk about containers. Containers had a very simple promise: better security through discrete process isolation. One process or application per container. What have we done? We’ve crammed as many things as possible into a container to run together, so we’ve basically turned containers into lightweight virtual machines. When did this happen? Why? And how can we realize the promise of better security by using containers the way they were designed to be used? It starts by understanding what they are, and why a vulnerability in a properly-designed container is so …