Blog

From Vulnerable to Unbreakable: The Evolution of Container Security in Modern Software Development

Jonny Rivera

July 10, 2025

Containers fueled by open source software have become the de facto way for software development teams to package and deploy modern applications and services. But that robust foundation is at risk from vulnerabilities in the software supply chain, as many base container images in popular repositories are built from untrustworthy sources or updated infrequently.

Although a market for hardened container images has emerged, these base images contain only a fraction of what’s required to run most applications.

Security and DevOps teams need more than a secure starting point; they need to know that their container requirements, from the operating system level to app dependencies, are assembled regularly, from a known source, and free from CVEs.

The dream is to use end-to-end, vulnerability-free containers without burdening teams with the manual work usually required to get there.

In this on-demand webinar, Pete Garcin and Evan Prowse of ActiveState joined TNS Host Chris Pirillo to explore the advantages and risks of using open source in containers and how you can close critical gaps before they go into production and keep them closed for good.

What you’ll learn:

  • How to secure your containers from the OS level to app dependencies without burdening your development team.
  • How to proactively keep your containers up to date and vulnerability-free.
  • How to manage the lifecycle of open source software across your business and stay ahead of future threats.

Register for this on-demand webinar.

Frequently Asked Questions

Why has traditional container security failed to keep modern applications vulnerability-free?

Traditional container security relied on periodic image scanning and manual patching. This approach was designed for a slower development environment where applications were updated infrequently and the open source footprint was relatively small. Modern applications are built almost entirely on open source, with AI coding assistants accelerating the rate at which new dependencies are introduced. A static approach — build the image, scan it, patch what the scanner finds — generates a growing backlog of unresolved vulnerabilities as new CVEs are continuously disclosed against components already in production.

What does the evolution from reactive to proactive container security look like in practice?

Reactive container security starts with what is already in the environment and tries to reduce the vulnerability count through patching. Proactive container security starts before any component enters the image — governing what open source can be included, building from verified source with signed attestations, and automating continuous monitoring and remediation under contractual SLAs. The practical difference is that proactive teams start from near-zero CVEs at build time and maintain that posture through automated rebuilds, while reactive teams start from whatever the public registry provides and work backward from scanner findings.

How do nightly rebuilds and VEX advisories contribute to container security over time?

A container image that passes scanning at build time begins accumulating new CVE exposure the moment new vulnerabilities are disclosed against its components. Nightly rebuilds ensure that patched versions of affected components are incorporated automatically rather than waiting for a manual update cycle. VEX — Vulnerability Exploitability eXchange — advisories provide machine-readable documentation of which CVEs in a container are actually exploitable given its specific build configuration, allowing scanners to filter false positives. Together, nightly rebuilds and VEX advisories convert the container security posture from a point-in-time measurement into a continuously maintained standard.