Distroless talk in large enterprise & open questions


Michael Wager

Apr 21, 2023, 2:39:09 AM
to Distroless Users
Hi!

Yesterday I held a talk about distroless in a large enterprise and there were two questions I couldn't really answer; maybe I can find some inspiration here 😊

1. Are there any special security issues, additional attack surfaces opened by distroless?

I could not really answer this, but I said that, as there are way fewer components inside, I would answer it with "No".

2. In which cases should distroless not be used?

This as well I could not answer. IMO for all standard applications (Node.js backends, Java Spring apps -> most apps there are using these stacks) it should be a no-brainer to use it.

Thank you for the good work!
Michael

Andrew Latham

Apr 21, 2023, 9:24:36 AM
to distrole...@googlegroups.com
Michael

1. Yes, there should be some retraining of the Security team to understand the reduced risk. Training around a new OS design might work. (Security teams will want to install inspection software on new platforms to inspect.)
2. Assuming the application or service can be containerized, there are no real reasons not to review Distroless. 

--
- Andrew "lathama" Latham -