Industry Best Practices¶
Security-First by Design¶
Security is not an afterthought in our platform.
It is a foundational design principle that shapes how we build, test, release, and operate our software.
As a security-first company, all of our technical and operational processes are intentionally aligned around reducing risk, preventing misconfiguration, and enabling verifiable trust.
This applies not only to our application code, but equally to our build pipelines, container images, deployment configuration, and runtime behavior.
Rather than treating security as a separate layer or optional feature, we embed it directly into:
- architectural decisions
- development workflows
- CI/CD pipelines
- release processes
- runtime defaults
This approach ensures that security properties are enforced by design, not by convention or manual intervention.
Industry Best Practices and Standards¶
Modern containerized workloads require more than functional correctness.
They must be designed, built, and operated according to established security and operational best practices in order to reduce risk, improve resilience, and support regulatory and compliance requirements.
Industry best practices for container security focus on:
- minimizing attack surface
- enforcing least privilege
- ensuring build and runtime integrity
- preventing accidental exposure of sensitive data
- enabling continuous verification and traceability
Our container images and deployment model are aligned with these principles and follow the Center for Internet Security (CIS) Docker Benchmark as a recognized industry baseline. The CIS Benchmark provides practical, consensus-driven guidance for secure container image construction and runtime configuration.
The following table summarizes the key best practice areas implemented in our platform and maps them to the corresponding CIS focus areas.
Best Practice Areas and CIS Alignment¶
| Best Practice Area | Description | CIS Reference |
|---|---|---|
| Minimal Runtime Images | Runtime images contain only the binaries required for application execution. Package managers, network utilities, debugging tools, and auxiliary tooling are removed to reduce attack surface. | CIS Docker Benchmark Section 4 |
| Secure Build Pipeline | Images are built in controlled CI pipelines with reproducible builds, automated scanning, and signed artifacts. Security attestations are generated for every release. | CIS 4.4, 4.5, 4.12 |
| Secrets Management | Secrets are never embedded in images or Dockerfiles. Sensitive values are injected at runtime using file-based secret mounts, avoiding exposure via environment variables. | CIS 4.10, 5.x |
| Non-Root Execution | All application containers run as non-root users with explicit file permissions and restricted writable paths. | CIS 4.8, 5.4 |
| Read-Only Root Filesystem | Container root filesystems are mounted read-only. Writable locations are explicitly defined using tmpfs or dedicated volumes. | CIS 5.13 |
| Capability Restriction | Linux kernel capabilities are dropped by default. Containers are prevented from acquiring additional privileges at runtime. | CIS 5.4, 5.26 |
| Secure Runtime Configuration | Containers are started without privileged mode, host namespace sharing, or sensitive host mounts. | CIS 5.5–5.21 |
| Resource Controls | Memory and CPU limits are defined at runtime to prevent resource exhaustion and noisy-neighbor scenarios. | CIS 5.11, 5.12 |
| Network Exposure Control | Only required ports are exposed. Privileged ports and host networking are avoided unless explicitly justified. | CIS 5.8–5.10 |
| Supply Chain Integrity | Images are signed and accompanied by SBOMs and security attestations, enabling verification of provenance and integrity. | CIS 4.5, 4.12 |
| Continuous Verification | Image hardening and runtime configuration are continuously validated using automated policy and security checks. | CIS Continuous Compliance Principles |
Design Philosophy¶
The controls listed above are not implemented as isolated measures.
They are applied consistently across image build, configuration, and runtime deployment to form a layered defense model.
Rather than relying on a single mechanism, the platform emphasizes:
- explicit configuration over implicit defaults
- prevention of misconfiguration by design
- verifiable security controls instead of informal assurances
This approach ensures that security properties remain intact throughout the lifecycle of each release.
Further Reading¶
For detailed information on specific controls and their implementation, refer to the following sections:
- CIS Container Image Hardening
- Secrets Management
- Container Runtime Security
- Supply Chain Security and Attestations
Each section provides a deeper technical explanation of the applied controls and their alignment with CIS recommendations.