Tech Backgrounder: Slim.AI Makes Container Hardening Easier

Slim.AI focuses on containers as the atomic unit of a secure cloud native posture and offers a method for automatically hardening containers en route to production.
Apr 13th, 2023 9:00am by

The Slim Developer Platform aims to take the pain out of vulnerability remediation and management for container-based applications. The platform can reduce vulnerability counts by 80% (on average) and equips developers and security professionals with tools to understand which vulnerabilities matter and which don’t. Using proprietary “container hardening” algorithms based on the ultra-popular SlimToolkit open source project, Slim removes unnecessary libraries, packages and binaries, thus minimizing a container’s attack surface and the potential for zero-day attacks.

Differentiator

Top differentiators of Slim.AI’s platform include the following:

  1. Slim.AI provides proactive vulnerability remediation. While most software supply-chain companies are focused on generating awareness of existing vulnerabilities (through vulnerability scanning or Software Bills of Materials, a.k.a. “SBOMs”), Slim.AI reduces production applications to a minimal footprint proactively, removing potential future threats.
  2. Slim.AI is focused on automation for any technology stack. Previous approaches to slimming containers can result in manual effort for developers or ask developers to change their base image, distribution, or package ecosystem. Slim’s goal is to let developers work however they want and to provide trustworthy automations that run in CI/CD with every build. This approach decreases the friction between developer teams and security/compliance teams — a win-win.
  3. The Slim Developer Platform is built on SlimToolkit open source software (16K GitHub stars and growing), which many organizations have already embraced as a valuable tool for modernizing their cloud native workflows. Slim.AI makes using SlimToolkit easier, faster and more scalable for teams of developers worldwide.

Automated vulnerability remediation is gathering steam. Several startups — such as RapidFort, Chainguard and EndorLabs — are focused on the problem, though all have different approaches. Additionally, there are several existing methods for managing container vulnerabilities, including:

  1. Alternative base images: Alpine Linux, Distroless and Scratch images ask developers to start with a minimal image and add the tools, packages and libraries they need to it. For some developers, these approaches are challenging due to low-level differences in the distributions or lack of understanding as to how these techniques work.
  2. Vulnerability scanners and SBOMs: While a critical part of a secure posture, these technologies are point-in-time and reactive solutions to security. They can create friction for development teams and don’t address other aspects of attack surface outside of vulnerabilities and package information.
  3. Policy engines: These rules-based engines can prevent risky containers or configurations from reaching production and are necessary to ensure compliance. However, they tend to be a “red light” approach to security and can have a negative impact on developer velocity.

Slim.AI is focused on containers as the atomic unit of a secure cloud native posture and is the only company offering a proven, trusted method for automatically hardening containers en route to production. Being a SaaS service lets Slim.AI connect with multiple cloud providers (Amazon Web Services, GCR, Azure, etc.), but also facilitates team collaboration, sharing and reuse of important artifacts for delivery and security.

Problem Space

Large, unoptimized containers can be rife with vulnerabilities and additional attack surface (see Slim.AI’s annual Public Container Report for more information); yet, to date, hardening containers is a highly specialized and labor-intensive job.

Benefits of Slim.AI

Slim.AI seeks to be a communication platform between container producers (software companies shipping products to customers in the form of containers) and container consumers (their customers). By reducing the attack surface of a container (i.e., removing shells and package managers), the exploitability of a given vulnerability is greatly reduced.

Company

In 2015, the Docker community held a Global Hack Day in Seattle. Kyle Quest’s concept for “DockerSlim,” which he described as “a magic diet pill for your containers,” won first place in the local event and second place in the global “plumbing” category that year.

That’s how the seeds were sown for an open source community that now supports SlimToolkit. Around 2019, the project had achieved so much momentum that users were regularly asking for extended features and additional functionality. That spurred Quest and John Amaral to put together a business plan. Quest and Amaral launched Slim.AI in 2020 (as founding CTO and founding CEO, respectively) on the premise that true software security comes from within. The company’s vision is to empower developers to employ container best practices to deliver not only more efficient and performant software but more secure software, as well.

Stack

The Slim platform can analyze and harden any OCI-compliant container image, regardless of its base image, package ecosystem or build origin. While the SlimToolkit open source software requires the Docker daemon, Slim’s Automated Container Hardening doesn’t and can be used with any runtime, including containerd/Kubernetes.

Images should be hosted in one of the many cloud registries supported by Slim (e.g., Docker Hub, AWS Elastic Container Registry, Google Container Registry, Microsoft/Azure, Red Hat Quay, GitHub Container Registry and others). Additionally, Slim supports several CI/CD system integrations including GitHub Actions, CircleCI Orbs, GitLab and Jenkins.

While Slim supports both Linux/AMD- and ARM-based image architectures, cross-architecture builds are currently not supported. Additionally, Slim’s core hardening capability requires a secured connection to the Slim platform, though air-gapped and on-premises solutions are on the near-term roadmap.

Partnerships/Customers

Numerous Slim.AI design partners have testified to the impact of the Slim.AI platform; here are a few who have documented their experiences and results:

  • BigID: BigID automates container security with Slim.AI to reduce vulnerabilities and maximize security posture. Learn more about BigID and Slim.AI on this episode of TFiR.
  • PaymentWorks: PaymentWorks used Slim.AI to eliminate 80% of container vulnerabilities with no additional developer overhead. Read the PaymentWorks case study.
  • Jit: Jit achieved a step change in DevX with minimal integration effort, reducing container size by 90% and cutting bootstrap time in half. Read the Jit case study.
  • Security Risk Advisors: SRA sought to deploy modern processes like containerization, slimming, SBOMs (software bills of materials) and vulnerability management without having to largely expand the DevOps team, and it found the ideal solution in Slim.AI.

Pricing

The Slim.AI platform is currently in beta and available for free to developers. Developers can log in to the Slim.AI platform to analyze their containers, get vulnerability reports from multiple scanners and automatically harden their container images for production.

Additionally, Slim.AI has been adding functionality for teams and is accepting a limited number of organizations into its Design Partner Program.

For more information, contact ian.riopel@slim.ai.

TNS owner Insight Partners is an investor in: Jit, Docker.