Why container security only works when the platform owns it
Blog post from Upsun
Container security has become a fundamental part of cloud application platforms, and Docker's announcement of hardened container images reflects the growing importance of secure-by-default containers. Real security at scale, however, requires more than hardened images: it involves ongoing operational responsibilities that must be automated and governed by the platform itself.

Upsun exemplifies this approach by maintaining hundreds of container images across many runtimes and versions and keeping them updated and secure through a fully automated, declarative system. This model lets application teams focus on their code rather than on OS-level security, because the platform manages updates and testing in a predictable, controlled manner. The emphasis is on stability and predictability: building updates is separated from deploying them, with a fast-tracked path reserved for critical vulnerabilities.

This division of labor between the platform and application teams reduces cognitive load and risk. Platforms must still enforce the upgrade of obsolete software, though, since no amount of automation can secure unsupported systems.

Docker's move to provide free and open-source hardened images validates the necessity of a platform-centric approach to container security. Security should be an inherent property of the platform rather than an add-on, so that teams can innovate without increasing risk.