It has been eight years since the NIST Special Publication 800-190: Application Container Security Guide was published, and its recommendations remain central to container security today. As cloud-native applications have become the foundation of modern enterprise IT, securing containers has shifted from an afterthought to a critical priority.

In this episode, Richard Stiennon, Chief Research Analyst at IT-Harvest and host of Security Strategist, discusses container security with John Morello, CTO and Co-Founder of Minimus, and Murugiah Souppaya, Former Computer Scientist at the National Institute of Standards and Technology (NIST). Together, they focus on NIST Special Publication 800-190, exploring its role in providing best practices for securing containers, the recommendations outlined in the guide, and the approach required for effective container security.

The conversation also examines current best practices and the future of container security, emphasizing the importance of compliance and the integration of security throughout the development lifecycle.

Why NIST SP 800-190 Still Matters

NIST’s framework was designed for both government and industry, offering guidance on how to:

• Integrate security early in the application lifecycle.
• Apply a holistic approach from hardware to workload.
• Build with minimalistic and secure container images.
• Maintain compliance with regulations and standards.
• Continuously monitor and update security practices.
• Understand the full container lifecycle from creation to retirement.

“We want to make sure that people think of container security holistically, and also think about the full lifecycle management of the container itself. Like anything else in the enterprise, you want to look at this end-to-end and fill those gaps.”

Insights on the Development of Container Security

NIST SP 800-190 arrived at a time when containers were new to most organizations. Now, they have become the standard way to deploy applications at scale.

John Morello recalls:

“Around 2016 or so, containers were pretty new in the world. Containers and containerization in other forms had existed in the past, but it was really becoming a mainstream technology that was commonly used across many organizations.”

This fast-paced adoption forced organizations to rethink their security culture. Containers required not only new technical controls, but also a shift in mindset: security had to be built-in from the start.

Takeaways

• Container security became critical with the rise of cloud-native applications.
• NIST aims to provide guidance for both government and industry.
• The 800-190 guide offers a framework for securing containers.
• Security must be integrated early in the application lifecycle.
• Containers require a shift in security culture and practices.
• Holistic security involves securing hardware to workload.
• Best practices include using minimalistic and secure images.
• Compliance with regulations is essential for container security.
• Continuous monitoring and updating of security practices are necessary.
• Understanding the full lifecycle of containers is crucial for security.

Chapters

00:00 Introduction to Container Security and NIST 800-190

02:58 The Importance of NIST in Container Security

05:52 Key Recommendations from the NIST Guide

08:44 Holistic Approach to Container Security

11:53 Current Best Practices in Container Security

14:47 Future of Container Security and Continuous Improvement

About Minimus

Minimus solves the endless treadmill of cloud software vulnerabilities by simply preventing them from existing. Minimus provides secure, minimal container and VM images, rebuilt from scratch daily to eliminate over 95% of CVEs.Founded by the team behind container security pioneer Twistlock, Minimus raised $51 million seed funding from YL Ventures and Mayfield. The company is headquartered in Baton Rouge with offices in New York, Tel Aviv, and Portland, OR. To learn more, visit minimus.io.