Setting Docker Hardened Images free (Changelog Interviews #675)

Docker's initiative to provide free hardened container images is explored, addressing the increasing threat of supply chain attacks. Tushar Jain, EVP of Engineering at Docker, explains the move from a paid product to a largely free offering, emphasizing the ethos of broad community access and secure starting points for developers. Docker Hardened Images include SBOMs, SLSA build pipeline, and cryptographic signing, while enterprise features like SLAs and FIPS images remain paid. The discussion covers the tension between usability and security, the importance of transparency through VEX statements, and the long-term vision of securing the entire software supply chain. Future plans involve hardened system and language packages, secure build pipelines, and AI-driven agents to aid migration and security management.

Outlines

Part 1: Introduction, Context

Part 2: Docker Hardened Images (DHI) Deep Dive

Part 3: Industry Impact, Strategy

Part 4: Vulnerability Management, Transparency

Part 5: Ecosystem, Implementation

Part 6: Principles, Future Vision

Part 7: AI, Next-Gen Security

Part 8: Conclusion, Wrap-up

Sign in to continue reading, translating and more.

Continue

Changelog Master Feed

Part 1: Introduction, Context

00:08Introduction to Docker Hardened Images and Supply Chain Security

Introduction to Docker Hardened Images and Supply Chain Security

00:50Agentic Postgres: Simplifying AI Agent Data Management with TigerData

Agentic Postgres: Simplifying AI Agent Data Management with TigerData

03:09Docker's Response to Supply Chain Attacks: Free Hardened Container Images

Docker's Response to Supply Chain Attacks: Free Hardened Container Images

Part 2: Docker Hardened Images (DHI) Deep Dive

04:54Minimizing CVEs: Docker Hardened Images as a Secure Starting Point

Minimizing CVEs: Docker Hardened Images as a Secure Starting Point

08:12SBOMS, Salsa, and Cryptographic Signing: Securing the Build Pipeline

SBOMS, Salsa, and Cryptographic Signing: Securing the Build Pipeline

12:26Docker's Ethos: Community Standards and a Business Model for Security

Docker's Ethos: Community Standards and a Business Model for Security

15:11Adoption of Docker Hardened Images: A No-Brainer for Security

Adoption of Docker Hardened Images: A No-Brainer for Security

Part 3: Industry Impact, Strategy

17:32The Ripple Effect of Docker's Changes on Industry Standards

The Ripple Effect of Docker's Changes on Industry Standards

19:47Securing the Entire Supply Chain: Docker's Vision and Responsibility

Securing the Entire Supply Chain: Docker's Vision and Responsibility

21:42Namespace: Faster Builds for GitHub Actions

Namespace: Faster Builds for GitHub Actions

23:13From Whiteboard to Free Tier: The Timeline and Tension Behind Docker Hardened Images

From Whiteboard to Free Tier: The Timeline and Tension Behind Docker Hardened Images

26:38Addressing the Tension: Docker's Commitment to Transparency and Responsibility

Addressing the Tension: Docker's Commitment to Transparency and Responsibility

Part 4: Vulnerability Management, Transparency

28:40VEX: Transparency in Vulnerability Reporting and Exploitability

VEX: Transparency in Vulnerability Reporting and Exploitability

30:30Docker's Role in the Supply Chain: A Long-Term Play for Broad Adoption

Docker's Role in the Supply Chain: A Long-Term Play for Broad Adoption

33:43Learning from Supply Chain Attacks: Docker's Responsibility and Long-Term Vision

Learning from Supply Chain Attacks: Docker's Responsibility and Long-Term Vision

Part 5: Ecosystem, Implementation

35:09Expanding the Breadth and Coverage: Hardened System and Language Packages

Expanding the Breadth and Coverage: Hardened System and Language Packages

37:55Security Summary and Scout Health Score: Evaluating Docker Hardened Images

Security Summary and Scout Health Score: Evaluating Docker Hardened Images

43:47Containers are the Way: Docker's Commitment to Security and Innovation

Containers are the Way: Docker's Commitment to Security and Innovation

45:09Partner Involvement: Integrating with the Ecosystem for Broad Impact

Partner Involvement: Integrating with the Ecosystem for Broad Impact

47:39Boots on the Ground: How Docker Collaborates with Partners

Boots on the Ground: How Docker Collaborates with Partners

Part 6: Principles, Future Vision

49:13Extracting Principles: A Framework for Securing Registries Across the Board

Extracting Principles: A Framework for Securing Registries Across the Board

52:37The What and Why: Defining the Intellect Behind Security

The What and Why: Defining the Intellect Behind Security

55:28Building Trust: Docker's Vision for the Future

Building Trust: Docker's Vision for the Future

56:07Start Green, Stay Green: Making Security the Default Starting Point

Start Green, Stay Green: Making Security the Default Starting Point

58:23Creating a Movement: Making Security the Inevitable Choice

Creating a Movement: Making Security the Inevitable Choice

Part 7: AI, Next-Gen Security

1:00:04Docker and AI: Adapting to a Changing SDLC

Docker and AI: Adapting to a Changing SDLC

1:02:04A Secure Runtime for Untrusted Workloads: Docker Sandboxes

A Secure Runtime for Untrusted Workloads: Docker Sandboxes

1:04:47The Stakes are High: Security Concerns in the Age of AI

The Stakes are High: Security Concerns in the Age of AI

1:08:09Local and Cloud: Seamless Security and DX

Local and Cloud: Seamless Security and DX

1:09:59Docker's Position: Strengthening Trust and Solidifying Containers as the Way

Docker's Position: Strengthening Trust and Solidifying Containers as the Way

Part 8: Conclusion, Wrap-up

1:11:34Build Once, Run Anywhere, Trust Always: Docker's Ethos

Build Once, Run Anywhere, Trust Always: Docker's Ethos

1:13:21The Fun Gig: Leading Change in the Software World

The Fun Gig: Leading Change in the Software World

1:15:08Changelog++ Bonus Segment and Episode Wrap-up

Changelog++ Bonus Segment and Episode Wrap-up