Container Security 2nd Edition - In-Depth Book Review

Container Security 2nd Edition - In-Depth Book Review

My in-depth review of Liz Rice’s Container Security, 2nd edition book

Introduction

With containers now widely adopted for running production workloads, container security has become a critical area of focus for IT and security teams. It’s also a topic I’m personally passionate about. While there’s no shortage of articles discussing container security, there are few books dedicated to the subject. One standout resource is Liz Rice’s book, Container Security: Fundamental Technology Concepts that Protect Containerized Applications. Liz is well-known in the cloud native security space, and I highly recommend exploring her work including her books and talks covering containers, eBPF, Cilium and more. Earlier this year, I published an in-depth review of the first edition of the book. Just this month, Liz released the second edition, which is the focus of this blog post.

While my of the first edition aimed at:

  • helping readers who are currently reading it get more out of the book
  • fixing some of the examples in the book
  • suggesting improvements to the book in case a second edition is released

this review aims primarily at highlighting what’s new in the updated edition, making this a relatively short post. Two entirely new chapters have been added:

  • Chapter 7: Supply Chain Security
  • Chapter 9: Infrastructure as Code and GitOps

In addition to the new chapters, most of the existing content has been updated to reflect current tooling and emerging trends in the container security space.

If you’ve read the first edition, I would probably recommend just going over the differences I’ve highlighted in this blog post and deep diving into them instead. If you haven’t, then I’d definitely recommend reading the second edition.

Even if you plan on jumping straight into the second edition, I strongly recommend reading my review of the first edition first, as many of the points raised there still hold true, in addition to useful details and links for deeper exploration on some of the topics.

Chapters

Chapter 1: Container Security Threats

This chapter maps to Chapter 1: Container Security Threats in the first edition of the book.

This chapter is nearly identical to the corresponding chapter in the first edition with some updated references such as a reference to the threat model carried out by researchers from the Singapore University of Technology and Design and ETH Zurich and titled Threat Modeling and Security Analysis of Containers: A Survey.

Chapter 2: Linux System Calls, Permissions, and Capabilities

This chapter maps to Chapter 2: Linux System Calls, Permissions, and Capabilities in the first edition of the book.

This chapter is very similar to the corresponding chapter in the first edition with minor changes.

Chapter 3: Control Groups

This chapter maps to Chapter 3: Control Groups in the first edition of the book.

The chapter has been updated to cover cgroups v2 instead of cgroups v1. The author goes into details on this (something I didn’t do in my review on the first edition of the book) and corrects the issues I identified in my review of the first edition.

Chapter 4: Container Isolation

This chapter maps to Chapter 4: Container Isolation in the first edition of the book.

This chapter is again my favorite chapter in the book. It is similar to what it was in the first edition with the following improvements:

  • more details on the use of user namespaces
  • a section on time namespaces
  • the cgroup namespaces section has been updated to reflect cgroups v2 and
  • a short section on Kubernetes pods and what namespaces are shared between containers in a given pod.

I still believe that covering some chroot escapes would have been useful to readers as I mentioned in my initial review. For more on this, refer to my review of the first edition.

Chapter 5: Virtual Machines

This chapter maps to Chapter 5: Virtual Machines in the first edition of the book.

This chapter is nearly identical to the corresponding chapter in the first edition. The main addition is the introduction of KubeVirt, an open-source project that allows us to run, deploy and manage virtual machines as Kubernetes resources. This is useful if we require a stronger security boundary than the one provided to us using native container security mechanisms.

Chapter 6: Container Images

This chapter maps to Chapter 6: Container Images in the first edition of the book.

This chapter is very similar to the corresponding chapter in the first edition with the following changes:

  • updates on specific tools used to build container images
  • using BuildKit support for build secrets to securely pass sensitive data at build time to an image without it being added as a layer.

The following sections were removed:

  • Dockerfile best practices section was removed a
  • signing images
  • attacks on the build machine
  • GitOps and deployment security

as they are included and expanded on in Chapters 7 and 9.

Chapter 7: Supply Chain Security

This is a new chapter. While some of the topics were covered in Chapter 6 in the first edition, they are expanded on in this chapter in the second edition. This chapter covers the following:

  • the Supply Chain Levels for Software Artifacts (SLSA) framework for securing software supply chains to increase the integrity, traceability and provenance (verifiable information on describing where, when and how something was produced) of software artifacts (containers and other application artifacts such as source code, configuration files, .jar files, etc.). It has 3 levels that track the maturity of your supply chain security. Enterprises interested in supply chain security should deep dive into this framework
  • Software Bill of Materials (SBOM) which provide us with a machine-readable inventory of all the different components that go into our container image. This helps us know exactly which components we have within our container image and can be used for more accurate vulnerability tracking and licensing purposes. You can create SBOMs for both your application artifacts and for your container images. Scanning tools such as Trivy can also help us do so if this was not generated at build time
  • signing images and software artifacts and SBOMs using sigstore. It also covers using it to verify these artifacts.

Chapter 8: Software Vulnerabilities in Images

This chapter maps to Chapter 7: Software Vulnerabilities in Images in the first edition of the book.

Chapter 8 in the second edition is largely similar to the first edition but with the following updates:

  • the pros and cons of AI in vulnerability research (how it is helping to find new vulnerabilities while also polluting the space with false findings)
  • how Vulnerability Exploitability eXchange (VEX) is helping us to better understand if a given piece of software is vulnerable to a CVE or not. Without something like VEX, determining this would be much more difficult. This helps minimize false positives provided by scanners
  • the vulnerabilty scanning tools section has been updated
  • a discussion of the challenges involved in analyzing statically linked executables to determine if they use vulnerable libraries was added.

Chapter 9: Infrastructure as Code and GitOps

This is a new chapter that covers Infrastructure as Code (IaC) with an emphasis on using GitOps to more securely deploy to your Kubernetes cluster. While these were covered lightly in the first edition (in Chapter 6), the author goes into more details and covers:

  • security implications and benefits and
  • GitOps security best practices.

Unfortunately, the chapter does not go into great detail but is still beneficial could be useful for those new to GitOps.

Chapter 10: Strengthening Container Isolation

This chapter maps to Chapter 8: Strengthening Container Isolation in the first edition of the book.

This chapter largely remains the same but with the following updates:

  • for Kubernetes, it mentions the Security Profiles Operator project to help us automate seccomp, AppArmor and SELinux profile generation
  • some updates on gVisor and how it can successfully run most applications without issues
  • the introduction of new VMM options (in addition to Firecracker) including:

Chapter 11: Breaking Container Isolation

This chapter maps to Chapter 9: Breaking Container Isolation in the first edition of the book.

Additions to this chapter include:

  • preventing the user within a container from escalating their privilege using --security-opt no-new-privileges in the case of Docker and securityContext.allowPrivilegeEscalation: false in the case of Kubernetes. This means that even if there are setuid binaries within the image (or any other LPE vector), users can not use them to escalate their privileges to root if the default USER set to run the container is not root
  • some updates on support for rootless containers which are now supported in Docker and containerd
  • the author goes into more details on sidecar limitations in addition to touching on debug containers and their pros and cons.

Chapter 12: Container Network Security

This chapter maps to Chapter 10: Container Network Security in the first edition of the book.

This version expands on the original by looking into greater details on eBPF-based solutions such as Cilium and how it handles both Layer 3/4 and Layer 7 filtering using eBPF without the need for iptables.

One important point that was highlighted here that was not in the first version is that NetworkPolicy objects are silently ignored if the Kubernetes CNI plugin does not support them.

Finally, the chapter goes into more details on Service Meshes, including the relatively new sidecarless options and how they compare to the traditional sidecar-based options.

Chapter 13: Securely Connecting Components

This chapter maps to Chapter 11: Securely Connecting Components with TLS in the first edition of the book.

While the first edition focused solely on TLS and mTLS, the second edition expands on this and looks at the following as well:

  • encrypting all network traffic between hosts using WireGuard and IPSec (some CNIs such as Cilium and Calico support this)
  • using service meshes to encrypt traffic between workloads and how the Secure Production Identity Framework for Everyone (SPIFFE) standard can be used to:
    • scale the issuing and management of identities (usually X.509 certificates) and
    • decouple workload identities from machine identities where workloads are short-lived and may be rescheduled to other nodes
  • controlling connections from outside the Kubernetes cluster to containers within it in addition to connections from containers to third party services such as external APIs using egress gateways.

Chapter 14: Passing Secrets to Containers

This chapter maps to Chapter 12: Passing Secrets to Containers in the first edition of the book.

While largely the same, the updated version touches on the following new topics:

  • the Kubernetes Secrets Store CSI Driver which allows us to use alternatives to Kubernetes Secrets and not have to store them in etcd
  • the External Secrets Operator, which allows us to sync secrets between different secrets providers (Vault, AWS Secrets, etc) to Kubernetes secrets. This allows us to manage our secrets externally while using them transparently within Kubernetes
  • how to rotate keys in Kubernetes using EncryptionConfig if we have enabled on-disk encryption of secrets.

Chapter 15: Container Runtime Protection

This chapter maps to Chapter 13: Container Runtime Protection in the first edition of the book.

There are some interesting additions in this chapter including a look at the following in relation to runtime protection:

  • Falco
    • While not mentioned in the book, Falco now has the ability to respond to events via Falco Talon. This is not inline like Tetragon but does open up a number of response actions including killing pods, applying egress network policies, capturing syscalls, etc.
  • Cilium Tetragon
    • Tetragon allows us to block actions inline and not just detect vulnerabilities. Liz also includes an example of detecting vulnerable versions of an application by detecting if the application actually accesses a vulnerable shared library or not)
  • Tracee
  • Inspektor Gadget
    • This provides us with gadgets to observe and debug Kubernetes workloads. Some of its capabilities include:
      • suggesting a network policy
      • suggesting a seccomp profile
      • tracing DNS queries and responses
      • logging new process executions
      • tracking TCP connect(), accept() and close() syscalls
      • etc

I’d recommend performing a deep dive into each of these to determine which best meets your security requirements.

The chapter also touches lightly on container forensics, something I mentioned was lacking in my review of the first edition. It covers:

  • collecting forensic evidence and
  • options for quarantining a container.

It would have been great to have a full example of handling an incident but alas, this was not to be.

Chapter 16: Containers and the OWASP Top 10

This chapter maps to Chapter 14: Containers and the OWASP Top 10 in the first edition of the book.

The chapter looks at the OWASP Top 10 and how we can apply them to containers. The chapter has been updated to reflect the OWASP Top 10 - 2021 Edition, while the first edition covered the older OWASP Top 10 - 2017 Edition. As mentioned by the author, the OWASP Top 10 - 2025 Edition should be released in late 2025.

I was somewhat let down by the Security Logging and Monitoring Failures section. Although the author covered some key container events that should be logged, she did not illustrate:

  • how to go about doing so (for example, logging "code injection" isn’t straight-forward)
  • how to strike the delicate balance between logging too much and too little in Kubernetes clusters as API servers enable extensive logging out the box and can easily consume your SIEM license without providing sufficient ROI if you aren’t logging the right API calls.

Conclusion

While the bulk of the book has not seen large changes, the book is still a solid read and is still currently the best book on the market focused on container security. If you’ve read the first edition, I would probably recommend just going over the differences I’ve highlighted in this blog post and deep diving into them instead. If you haven’t, then I’d definitely recommend reading the second edition.

© 2025. All rights reserved.