The Average Dev, Containers and Security

At the recent #INGLovesIT event in Bucharest, I gave a talk about Container Security. I went into details about features of Docker and the Linux kernel. This led Simon Brown (who gave a great keynote on the relationship between Agile and software architecture) to tweet:

Listening to @adrianmouat talking about Docker and security; scary stuff, another reason why your average dev shouldn’t mess with Docker!

— Simon Brown (@simonbrown) April 7, 2017

I definitely didn't mean to scare people off using containers, and I can only apologise for giving that impression. After some discussion with Simon, I think it's fair to say he was mainly thinking about deployment to production and was making that point that teams require ops skills to do this successfully and safely. I wouldn't disagree with this, but I would like to make some further points:

1. If you add containers to an existing system, you are increasing isolation and the tools available for enforcing security. You will not go backwards in security by adding Docker.
2. Developers definitely should play with Docker! That's the best way to learn by far. What they probably shouldn't do is deploy business critical systems to production without getting input from someone with operational experience.

In retrospect, I should probably avoid giving this talk to audiences with little Docker and Linux experience in order to avoid confusion and overwhelming newcomers with details they don't need to know.

If you would like to learn more about Docker security, the slides for the talk are available and there is also a video of a previous version from GOTO Berlin (I'm unsure what's happening with the video from this event). There are a lot of subtleties and extra information that comes out in the talk, so it's worth watching the video if you have the time.

The full twitter discussions are worth reading and can be found here, here and here