The biggest security risk may not be the application code, but the base image you ship it with as it may contain even more CVEs over time. But fixing vulns in situ is a road to nowhere: you will waste engineering time, delay deploys, and race against the clock as new CVEs emerge constantly. The only viable solution is to harden the container image from the start.

This session explores what hardened images are and how this approach cuts the CVEs to almost zero, reduces MTTP, scanner noise, and operational toil. We will walk through containerizing a Java service on a hardened base with the best security practices in place and compare the CVE numbers before and after. The outcome: lean, transparent, deterministic container image that is secure by design, not by word.

Join Cat Edelveis and DaShaun Carter live!

Coffee + Software

Container images are a major but often overlooked security surface. The average container image contains 600+ vulnerabilities, and 44% of Java services contain known exploited CVEs. Hardened container images — offered by vendors like BellSoft (Liberica JDK on Alpaquita Linux), Chainguard, and Docker Hub — address this by providing minimalistic, distroless-friendly base images with low-to-zero CVEs and continuous vendor-managed patching. Key features include no package manager, non-root defaults, software bill of materials (SBOM), and digital signatures for supply chain integrity. Migration is as simple as changing the FROM line in a Dockerfile. The talk also covers Docker multi-stage builds (JDK for build, JRE for run), Cloud Native Buildpacks as a more secure alternative to Dockerfiles (with rebasing support), SLSA compliance levels, and Cosign for image signature verification. BellSoft's hardened images are free to use, with commercial support available for SLA-backed patching.

Secure by Design: How Hardened Images Make Your Java Services Bullet-Proof