A Minimal Talk on Distroless Containers
2024-12-14, Rookie track 2

Distroless containers contain only your application and its dependencies. In theory, they’re a great security best practice. But in practice, it’s really hard to find examples of companies outside of the tech giants that have successfully adopted distroless containers.

Minimal, hardened containers have huge benefits for security teams: reduced attack surface, cleaner vulnerability scans, improved isolation, and simpler supply chains. But how can a security engineer achieve them without the resources of a tech giant?

At Sourcegraph, we faced a lot of pain with vulnerability management in containers, prompting our switch to distroless. In this talk I’ll cover:

  • Distroless containers from scratch
  • The tooling that’s available
  • Real-world experience from migrating a complex SaaS application to distroless - what went well, and what was unexpectedly hard

Please confirm that I am a first-time speaker and have not spoken in public and will not be before the BSides London event date (14th December 2024):

Yes

Security Engineer