I've been thinking a lot about security practices lately. We often hear about patching and addressing zero-day vulnerabilities, but I'm curious about the idea of shipping applications on pre-hardened images or VMs that only include necessary components. Has anyone implemented this approach in production? How has it worked out for you?
5 Answers
I'm not a fan of using pre-hardened images made by others because I can't be sure what's been done to them. For instance, FIPS compliance might break some of my applications. I prefer writing my own scripts for security settings based on CIS guidelines, then building a VM template from that. This way, I can reuse the script for bare metal systems too.
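As an added example (not code anyone in the thread posted), here is a minimal audit/apply hardening script of the kind the answer above describes: the same two functions can run during VM template builds and on bare metal, and the audit mode doubles as a drift check after deployment. The four sshd_config settings are illustrative choices for this example, not values quoted from any CIS benchmark, and the config file path is passed in so it can be tested on a copy.

```bash
#!/bin/bash
# Added example: audit/apply a small sshd_config baseline idempotently.
# Settings are "Key=value" tokens; these are illustrative, not from a benchmark.
SSHD_BASELINE="PermitRootLogin=no PermitEmptyPasswords=no X11Forwarding=no MaxAuthTries=4"

# audit_sshd <file>: report every key whose effective value (last active
# occurrence) differs from the baseline; a missing key counts as drift.
# Returns 0 when compliant, 1 when any drift was found.
audit_sshd() {
    file=$1; rc=0
    for item in $SSHD_BASELINE; do
        key=${item%%=*}; want=${item#*=}
        have=$(grep -E "^[[:space:]]*$key[[:space:]]+" "$file" | tail -n 1 | awk '{print $2}')
        if [ "$have" != "$want" ]; then
            echo "DRIFT: $key is '${have:-<unset>}', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# apply_sshd <file>: rewrite every active occurrence of a baseline key so a
# later duplicate cannot override it, or append the key if it is absent.
# Running it twice leaves the file byte-for-byte unchanged.
apply_sshd() {
    file=$1
    for item in $SSHD_BASELINE; do
        key=${item%%=*}; want=${item#*=}
        if grep -qE "^[[:space:]]*$key[[:space:]]+" "$file"; then
            sed -E "s/^[[:space:]]*($key)[[:space:]]+.*/\1 $want/" "$file" > "$file.tmp" \
                && mv "$file.tmp" "$file"
        else
            printf '%s %s\n' "$key" "$want" >> "$file"
        fi
    done
}

# Usage: ./harden.sh audit /etc/ssh/sshd_config   or   ./harden.sh apply <file>
case "${1:-}" in
    audit) audit_sshd "$2" ;;
    apply) apply_sshd "$2" ;;
esac
```

The same pattern extends to sysctl or PAM settings by adding a baseline string and a matching pair of functions, so the one script stays the single source of truth for both image builds and post-deployment audits.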
We actually use Minimus pre-hardened images, and they're great! You just pull and deploy them, and most CVEs are already taken care of. It definitely speeds up our workflow.
We tried them on a couple of production services, and I can confirm the builds were faster, plus the security baseline stayed consistent!
This approach is already in practice! But don’t forget, even hardened images still need regular patching because they can have vulnerabilities too.
We pre-harden our images too, but we don’t create new machines often enough to warrant frequent updates to those images. Our strategy is to run a patch schedule post-deployment to keep everything up to date.
It feels like a lot of work to keep up with this. I think the focus should really be on providing automated configuration and maintaining security baselines instead.
For compliance, you might still have to use those images, but if it's a VM, it should be manageable. Just remember, stress-testing is crucial to see what doesn’t work before you can finalize the setup.