Show HN: We have just released our first Debloating tool for Containers

5 points by ahmedaley 3 months ago
We have been working on tools for safe debloating of software for a few years now at the university. BLAFS is one of our first tools to release for file debloating, a bloat-aware filesystem for container debloating. It detects the files used by the container, and then debloats the container, removing the unused files. The debloated containers are fully functional and can run the same workload as the original containers, but with a much smaller size and faster deployment.

Check the paper for more details: https://arxiv.org/abs/2305.04641

4 comments

wwaheed 3 months ago
I have some thoughts here. If the team needs their tool to be well recognized, they must adopt any of the industry best practices for security benchmarks, as I believe that the software should address security concerns, as it addresses performance concerns, or its intended business need. Security is the hot potato, by which companies are leveraging and developing their spaces in the market. It is one of the key principles by which big companies are deciding to go forward or reject new software.

Beginning with Container Security, I suggest NIST Special Publication 800-190 for Container Security to be adopted: https://csrc.nist.gov/pubs/sp/800/190/final. While NIST publications/standards are extremely recognized and followed in the US, they are considered an industry best practice worldwide.

Thanks, Waleed Waheed. Sr Mgr GRC, RSA Security.
wwaheed 3 months ago
Third thought: adopting the principles of the CISA (Cybersecurity and Infrastructure Security Agency) Secure By Design Pledge. Even if the new startup is not intending to sign the pledge with CISA, it is very beneficial to take the pledge's principles into consideration. Big and giant software manufacturers are signing this pledge with CISA. https://www.cisa.gov/securebydesign/pledge

Thanks, Waleed Waheed. Sr Mgr GRC, RSA Security.
wwaheed 3 months ago
Fourth and final thought, for now: from a cost-benefit analysis standpoint, it is not beneficial to hire full-time Application Security personnel. BUT, it is extremely beneficial to have someone overlooking the tool/SW from an application security perspective, either on an ad-hoc or part-time basis. That's very important to have secure software, trusted by the purchasing entities.

Thanks, Waleed Waheed. Sr Mgr GRC, RSA Security.
wwaheed 3 months ago
Second thought: I would like to recommend adopting a Secure Development Lifecycle approach. Going for a NIST-related framework also (SP 800-218), I recommend adopting the principles of this framework: https://csrc.nist.gov/pubs/sp/800/218/final

Thanks, Waleed Waheed. Sr Mgr GRC, RSA Security.