Container Security
Fundamentals for Securing Containerized Applications
Liz Rice's first-principles introduction to how Linux containers actually work — namespaces, cgroups, capabilities, seccomp, image layering — and the security implications that fall out of those mechanics.
- Authors
- Liz Rice
- Published
- 2020
- Publisher
- O'Reilly Media
- Pages
- 200
- Language
- English
Read this if
Engineers and security people who use containers daily but still reason about them as sealed boxes. The book is the rare introduction that explains containers as compositions of Linux primitives rather than as a Docker-shaped product, and that is exactly what makes the security argument legible.
Skip this if
Readers needing in-depth Kubernetes, supply-chain (SLSA, in-toto, Sigstore), or cloud-runtime-specific (Fargate, Cloud Run, ECS) coverage; pair with the Kubernetes books and current SLSA documentation. Also light on Wasm-runtime alternatives, which are an increasing fraction of the field.
Key takeaways
- A container is not a box; it is an ordinary Linux process whose view of the system is curated by namespaces, cgroups and capabilities, and most container security failures live in the gap between that model and the box model.
- Capability dropping, read-only root filesystems, and seccomp profiles are not optional — Rice makes the case persuasively with concrete examples.
- Image-supply-chain hygiene is half the security story; the book pre-dates SLSA but motivates it cleanly.
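Rice's "process, not box" point can be checked from inside a running container, because the kernel reports a process's effective capabilities, seccomp mode and no_new_privs flag in /proc/self/status. The script below is an added example, not code from the book or the page: it parses that status text, decodes the CapEff bitmask into capability names, and flags what a hardened container should not have. The capability numbering follows linux/capability.h; the risk set RISKY_CAPS and the three sample status snippets (a default Docker process, a hardened one, a privileged one) are constructed for illustration.

```python
"""Audit a process's capability and seccomp posture from /proc/<pid>/status.

Added example (not from the book or the page). Reads the CapEff, Seccomp and
NoNewPrivs lines the kernel exposes, decodes the capability bitmask into
names, and flags settings a hardened container should not carry.
"""
import os

# Capability numbers as defined in <linux/capability.h> (0..40 as of Linux 5.9).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]
ALL_CAPS_MASK = (1 << len(CAP_NAMES)) - 1

# Capabilities that commonly let a container process reach outside its
# "box". This risk set is the example's own choice, not a kernel-defined list.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
              "NET_ADMIN", "NET_RAW", "DAC_READ_SEARCH", "BPF"}

# Constructed samples, modelled on what a default `docker run`, a run with
# --cap-drop=ALL --security-opt=no-new-privileges, and --privileged look like.
DEFAULT_DOCKER = "Name:\tsh\nNoNewPrivs:\t0\nSeccomp:\t2\nCapEff:\t00000000a80425fb\n"
HARDENED = "Name:\tsh\nNoNewPrivs:\t1\nSeccomp:\t2\nCapEff:\t0000000000000000\n"
PRIVILEGED = "Name:\tsh\nNoNewPrivs:\t0\nSeccomp:\t0\nCapEff:\t000001ffffffffff\n"


def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(mask_hex):
    """Return the capability names set in a hex bitmask such as 'a80425fb'."""
    mask = int(mask_hex, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def audit(status_text):
    """Summarise effective caps, seccomp mode and no_new_privs, with findings."""
    f = parse_status(status_text)
    mask = int(f.get("CapEff", "0"), 16)
    caps = decode_caps(f.get("CapEff", "0"))
    seccomp = int(f.get("Seccomp", "0"))      # 0 = off, 1 = strict, 2 = filter
    nnp = f.get("NoNewPrivs", "0") == "1"
    findings = []
    if mask & ALL_CAPS_MASK == ALL_CAPS_MASK:
        findings.append("full capability set (looks like --privileged)")
    for c in sorted(set(caps) & RISKY_CAPS):
        findings.append(f"risky capability CAP_{c} in effective set")
    if seccomp != 2:
        findings.append("no seccomp filter attached")
    if not nnp:
        findings.append("no_new_privs unset: setuid binaries can regain privilege")
    return {"caps": caps, "seccomp": seccomp, "no_new_privs": nnp,
            "findings": findings}


def main():
    # Audit the live process when /proc is available, else the constructed sample.
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as fh:
            text = fh.read()
    else:
        text = DEFAULT_DOCKER
    report = audit(text)
    print("effective caps:", ", ".join(report["caps"]) or "(none)")
    print("seccomp mode:", report["seccomp"], "no_new_privs:", report["no_new_privs"])
    for finding in report["findings"]:
        print("FINDING:", finding)


if __name__ == "__main__":
    main()
```

Run it inside a container started with the defaults and again with --cap-drop=ALL --security-opt=no-new-privileges; the difference in the two reports is the book's argument in one screen. Note that CapEff only reflects the calling process, so run it as the workload's user, not via a separate exec as root.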
Notes
Pair with Kubernetes Security (Rice/Hausenblas) for the orchestrator layer and with Brendan Gregg's BPF Performance Tools for the underlying Linux observability material. Rice's KubeCon talks are the live companion. The single best printed introduction to container security and a useful gift for any platform team that hasn't yet had the namespace conversation.
What to read before Container Security
Intermediate · 2018
Kubernetes Security
Liz Rice and Michael Hausenblas's freely available O'Reilly short on the Kubernetes-specific security model: API server, RBAC, network policy, secrets, and the typical hardening steps that move a cluster from default to defensible.
Beginner · 2020
Alice and Bob Learn Application Security
Tanya Janca's hands-on AppSec primer covering threat modeling, secure design, secure coding, testing, deployment, and the social side of running an AppSec program — through a friendly, narrative-driven structure.
Intermediate · 2018
Pentesting Azure Applications
Matt Burrough on attacker behaviour against Azure tenants: identity, storage, VMs, key material handling, and the recon paths that work against real subscriptions.
What to read after Container Security
Intermediate · 2018
Kubernetes Security
Liz Rice and Michael Hausenblas's freely available O'Reilly short on the Kubernetes-specific security model: API server, RBAC, network policy, secrets, and the typical hardening steps that move a cluster from default to defensible.
Advanced · 2021
Kubernetes Security and Observability
Brendan Creane and Amit Gupta's combined treatment of Kubernetes security and observability — RBAC, network policy, runtime detection, and the telemetry needed to make any of it operationally real.
Advanced · 2020
Building Secure and Reliable Systems
Google's site-reliability and security teams jointly write down what it actually takes to build systems that are both safe and dependable, from threat models and design reviews to rollback culture and crisis response.
Alternatives to Container Security
Intermediate · 2018
Kubernetes Security
Liz Rice and Michael Hausenblas's freely available O'Reilly short on the Kubernetes-specific security model: API server, RBAC, network policy, secrets, and the typical hardening steps that move a cluster from default to defensible.
Advanced · 2021
Kubernetes Security and Observability
Brendan Creane and Amit Gupta's combined treatment of Kubernetes security and observability — RBAC, network policy, runtime detection, and the telemetry needed to make any of it operationally real.
Intermediate · 2018
Pentesting Azure Applications
Matt Burrough on attacker behaviour against Azure tenants: identity, storage, VMs, key material handling, and the recon paths that work against real subscriptions.