Cloud Incident Response Blog | Cado Security

What are Distroless Containers?

Written by Calum Hall | May 16, 2024 2:07:54 PM

Traditional container images package everything an application needs to run: the application, its runtime environment, libraries, and any extra utilities it needs. This approach offers convenience, but it also comes with some downsides:

  • They can be large: Traditional containers include the entire operating system along with your application, plus dependencies, utilities, and other extras. This can add up to significant resource costs when dealing with a large number of containers.
  • Large attack surface: Traditional containers can contain a lot of different software, and more software means more potential vulnerabilities, leading to a higher risk of security incidents.
  • Complex to manage: Traditional containers can be complex to manage because of package managers and potential configuration issues, which again increases the risk that there will be something an attacker can exploit.

Distroless containers aim to improve on this, which is why their use has grown in popularity among organizations. These slimmed-down images contain only the bare necessities: the application and its essential runtime dependencies. They ditch the extra baggage, such as package managers, binaries, libraries, and shell utilities, that you would usually see bundled into a traditional container. As a result, organizations can take advantage of benefits including faster deployment times, reduced disk usage, and increased innate security against vulnerabilities.


What are the Benefits of Distroless Containers?

The benefits of Distroless containers are significant, especially from a security perspective:

  • Reduced attack surface: Fewer components translate to fewer potential vulnerabilities. This makes it harder for attackers to exploit vulnerabilities and gain a foothold.
  • Limited privilege escalation: Distroless containers typically don't include a shell, a common entry point for attackers. Without a shell, attackers will have a much harder time escalating privileges and compromising your system.
  • Clearer dependency management: With only essential libraries included, it's easier to identify and update dependencies, ensuring your application stays secure with the latest patches.

But security isn't the only perk. Distroless containers are also highly efficient:

  • Smaller image size: By doing away with unnecessary components, Distroless containers have significantly smaller image sizes. This translates to faster downloads and deployments and reduced storage requirements.
  • Lower resource consumption: Smaller images and fewer components lead to lower resource usage at runtime. Distroless containers may require less CPU and memory, improving overall system performance.


What are the Downsides?

While Distroless containers offer numerous advantages, there are some trade-offs to consider:

  • Visibility: Distroless containers typically lack shells, making traditional forensics techniques more challenging. Debuggable variants exist with this functionality, but they sacrifice some of the size and security benefits.
  • Logging: They also often lack the usual logging and monitoring capabilities, and the logs that are available are difficult to acquire. This makes putting together a timeline of an incident more complicated.
  • Flexibility: Traditional container images often come with pre-installed utilities for convenience. Distroless containers require a more specific approach, potentially demanding more steps for the same results.

Distroless containers offer a compelling argument for security-conscious deployments. Their small size and reduced attack surface make them attractive for environments where security is crucial. However, the lack of a shell and the potential configuration overhead require careful consideration.
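The following multi-stage Dockerfile is an added illustration, not part of the original post, of what "application plus essential runtime dependencies" means in practice, and of the debuggable variant mentioned under Visibility. It assumes a hypothetical single-file Go program (`main.go` with a `go.mod`) in the build context and uses Google's `gcr.io/distroless` images.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: full toolchain image (compiler, shell, package manager) used only at
# build time. Nothing from this layer ends up in the final image.
FROM golang:1.22 AS build
WORKDIR /src
# Assumed: a hypothetical single-file Go program with no external dependencies.
COPY go.mod main.go ./
# Build a fully static binary so the runtime image needs no libc at all.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app .

# Stage 2: distroless runtime image. "static" ships only CA certificates,
# tzdata, /etc/passwd and /tmp; there is no shell, package manager or coreutils,
# so the attack surface is the application binary and what it links.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/app /app
# The base image predefines an unprivileged user (uid 65532); run as it.
USER nonroot:nonroot
# Exec form is mandatory: shell form would need /bin/sh, which does not exist here.
ENTRYPOINT ["/app"]
```

For troubleshooting, the same Dockerfile can be pointed at `gcr.io/distroless/static-debian12:debug`, which adds a BusyBox shell at `/busybox/sh`; on the production tag `docker run --rm --entrypoint sh <image>` simply fails, which is the "no shell" property the post describes.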


Cado and Distroless Containers

Cado recently added the world's first capability to enable forensic investigations in distroless container environments. Security teams can now use the Cado platform to seamlessly investigate the root cause, scope, and impact of malicious activity detected within distroless container environments to gain greater visibility into cloud risk.

Now customers can take advantage of the latest and greatest cloud technologies without worrying about introducing additional risk.

If you want to see this and other ways that the Cado Platform can help secure your container environments, contact our team to schedule a demo.