Minimus Makes Hardened Container Images Freely Available to All Developers
Minimus today announced it is making its entire catalog of hardened container images available for free without requiring an application developer to even register to download them.
Company CTO John Morello said giving developers access to any container image hosted in the Community Edition of the Minimus repository will eliminate any friction that might prevent application development teams from downloading secure versions of a container image.
This broad access to the full Minimus image catalog enables application developers to standardize on the same set of hardened images used by production teams without waiting for procurement, approvals, or requiring an enterprise contract to be in place. Unlike other image catalog providers, Minimus doesn’t limit how many images developers can download.
The overall goal is to make it easier for organizations to better secure their software supply chains at a time when advances in artificial intelligence (AI) are making it possible to discover vulnerabilities in applications in a matter of minutes, said Morello.
Instead of charging to access the container images that Minimus has curated, the company will focus its efforts on offering support services via an Enterprise Edition of the platform to the organizations that have downloaded those images, he added.
Minimus provides access to thousands of container images from which its team has removed all known vulnerabilities. Minimus images are drop-in replacements for commonly used container images, allowing teams to improve security and reduce vulnerabilities without redesigning applications or workflows. Every image is also continuously rebuilt from source and is not tied to any specific Linux distribution, which keeps the attack surface small. Via a command line interface (CLI), dubbed minicli, developers and AI agents can discover images, understand their configuration, and automate migrations to more secure container images.
Mitch Ashley, vice president and practice lead for software lifecycle engineering at the Futurum Group, said free, unrestricted access to a full hardened-image catalog turns secure base images into a commodity. The contested value shifts to who keeps those images continuously rebuilt, patched, and supported at scale, he added. The decision moves from how fast you scan and patch to how little you ship that needs scanning at all, said Ashley.
It’s not clear to what degree developers of cloud-native applications have adopted hardened container images, but as application security becomes a more pressing concern in the age of AI, the question is now when and how frequently they will be used rather than if. Cybercriminals can now use AI models not only to discover vulnerabilities, but also to reverse engineer the exploits needed to compromise application environments in a matter of hours.
The challenge is that, historically, far too many application developers have been downloading container images from a repository with little to no regard for application security issues. It’s more important to ensure application developers are using hardened container images versus providing instances of libraries that are still likely to have many of the same vulnerabilities found in the upstream open source project that created them, noted Morello.
Each application development team will need to determine for itself to what degree it will need to revisit its DevSecOps workflows, but tolerance for knowingly shipping vulnerabilities in code that reaches a production environment is clearly dropping. In fact, it won’t be too long before organizations start finding ways to hold the developers who make these mistakes more accountable. In the meantime, however, organizations should focus their efforts on making it as simple as possible for application developers to do the right thing in the first place, as often as possible.