Comment by VectorLock
5 years ago
Sounds like a pretty nice way to get around having to constantly patch minor CVEs in base OS/distributions to maintain compliance - cut out the OS entirely.
5 years ago
> Sounds like a pretty nice way to get around having to constantly patch minor CVEs in base OS/distributions to maintain compliance - cut out the OS entirely.
No, it's not. You can deploy a very minimal Linux while also keeping the services that are actually good for security, like logging, IDS/IPS, certification compliance tooling, monitoring.
Unless you are running unnecessary daemons exposed on the Internet, 99% of the attack surface is from your application and the kernel itself.
Both parts that you can't remove.