The real point, though, isn’t which technology is more secure per se. It’s that, for the most severe security problems, containers and VMs have about the same level of security. Indeed, Bottomley thinks, “it is perfectly possible to have containers that are more secure than hypervisors and lays to rest, finally, the arguments about which is the more secure technology.”
“The next step,” he continued, “is establishing the full extent of exposure to a malicious application and to do that, some type of fuzz testing needs to be employed.”
In addition, Bottomley’s work is only the start. He’s shown it’s possible to objectively measure an application’s security. As he said, “I don’t expect this will be the final word in the debate, but by describing how we did it I hope others can develop quantitative measurements as well.”
I highly recommend reading the source post here: Measuring the Horizontal Attack Profile of Nabla Containers. It’s about as long as, but more technical than, the above article.
I’ve not kept up with containers much in the last few years. I was taken by the technology and the approach to the point of having a rather nice lab set up at home on a spare BSD box I had kicking around. I remember someone presenting a talk on using containers (specifically, Docker instances) on the desktop for better process isolation of web browsers and security testing tools. I almost wish I had the cycles to dive back in.
p.s. — Steven J. Vaughan-Nichols, the author of the first article, should donate, some, of his, many, extra, commas to James for his post. 😉