MSSP, DevOps, Critical Infrastructure Security, Supply chain, Container security

Minimus Adds to Platform for Securing Container Images

Minimus came out of the gates at April’s RSA Conference armed with $51 million in seed money and an application security platform that features secure and minimal container images that eliminates more than 95% of vulnerabilities typically found in most images.

Three months later, the Baton Rouge, Louisiana-headquartered company is coming to Black Hat USA 2025 in Las Vegas with four new features that will enable developers and security teams to secure software supply chains, including support for the Vulnerability Exploitability eXchange (VEX), dashboards for government agencies and companies in highly regulated industries, and charts to help users more simply configure security microservice deployments to more quickly run secure containers in production.

In addition, organizations can integrate Minimus with Microsoft Entra ID for secure authentication and streamlined access control.

The vendor is aiming to address a growing problem with security flaws in container images that are used for cloud applications. Minimus builds and maintains “minimalistic container images” that come directly from upstream sources, according to co-founder and CXTO John Morello.

“We solve a real problem that is universal to customers deploying modern cloud apps, and we solve it in a way that’s very easy to consume and fast to realize value from,” Morello told MSSP Alert.

The Problem with Image Vulnerabilites

Vulnerabilities in containers images is an issue that needs to be addressed as more companies move operations into the cloud. By 2023, 63% of enterprises have already adopted a cloud-native business strategy, and by 2027, it’s expected that more than 90% of organizations worldwide will be running containerized applications, according to cybersecurity firm Trend Micro.

“An enterprise’s move to the cloud and its use of container technologies introduces a plethora of variables, complicating the balance between operational needs and security priorities,” Alfredo Oliveria, senior threat researcher for the vendor, wrote in a report. “As enterprises move their operations to the cloud and even further into cloud-native applications through the software-as-a-service (SaaS) model, misconfigurations are gaining the same or even more relevance than traditional vulnerabilities. ... Yesterday and today’s misconfigurations could be an enterprise’s unnoticed yet significant and expensive vulnerability tomorrow.”

Chainguard offers developers and security pros hardened and secure images, and Docker in May jumped into the mix with Docker Hardened Images. Minimus joined the fray a month earlier with secure container images and virtual machines that replace existing artifacts in the development workflow. Doing so not only reduces the number of vulnerabilities that need to be addressed but speeds up remediation efforts for the ones that still exist.

Collecting Customers

Morello said in a statement that the company has seen more than 1,000 users adopt Minimus since it launched, with many of them in regulated environments like government, health care, and financial services, where they need to prove compliance with programs and standards such as FedRAMP, PCI, CIS, and NIST.

“These industries typically have higher levels of security awareness and risk, but are also frequently leaders in the adoption of cloud-native tech like containers,” he said.

'MSSPs Can Be the Hero'

MSSPs can also use the tools, benefitting “from Minimus images because they provide a fast, low-risk, and easy way to drastically reduce the CVEs [Common Vulnerabilities and Exposures] that impact their customers. By using Minimus images, MSSPs can be the hero for their customers, driving down risk registers and tangentially improving their security posture.”

With the new features, Minimus not only offers a cryptographically signs software bill-of-materials (SBOM) for each image, but it now publishes VEX data for each one in the image gallery to make integration with other tools easier and simpler to see what risks remain in a given image.

The new dashboards mean users can view specific compliance regime and controls that images configurations are mapped to, while the helm charts help ease secure microservice deployments to make running containers securely in production faster.

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.

You can skip this ad in 5 seconds