Your Backstop in Hardening Against Runtime Threats

March 25, 2023

It is important to find a way hardening your computer against runtime threats. Fortunately, there are plenty of resources available to help you get started. This article discusses some of the issues that you might face and provides recommendations to help you deal with them.


One of the more interesting tasks involved in running a modern day container cluster is defending against malware laden containers – and it is no small feat. In particular, applications that attempt to modify the container filesystem will have their work cut out for them. Fortunately, the NSA and CISA have provided a helpful checklist and checklist to help mitigate the risks associated with running a micro-services based container environment. The list is not exhaustive, but it should provide a solid foundation on which to build your container ecosystem. A good start is to implement a standardised set of best practices that can be refactored and re-evaluated when a new threat erupts.


Hardening against runtime threats means ensuring that your code is not susceptible to exploits. This can be done by separating parts of your application into multiple processes, using a low-level mechanism to restrict privileges, and decomposing your application into several components. You should also review your applications for vulnerabilities and update their dependencies to avoid introducing vulnerabilities.

It is important to protect your container images and your runtime from security loopholes. There are several methods for doing this, including dependency scanning, limiting access to running containers, and running the container inside a hypervisor. You can also use package management tools to provide warnings about problematic dependencies.

An application’s components should be separated from one another, and if they have a common interface, they should be granted different capabilities. This will reduce the risk of a flaw affecting all of the components. If some components require elevated privileges, you can limit them to run on a separate machine or on the same server.


References for hardening against runtime threats include memory protections and the use of return oriented programming techniques. These measures can limit the ability of an attacker to change the control of a mutable object during the course of a method. Other methods of limiting a container’s execution include preventing tampering with the container’s file system. The NSA/CISA Kubernetes Hardening Guidance highlights the need to use readOnlyRootFileSystem as a way to limit the damage of container tampering.

The NSA/CISA Kubernetes hardening guidance also recommends the use of tmpfs volume mounts to limit the read/write activity of an application. This will also help prevent crash situations. Having a read-only filesystem is also recommended to protect against anomalous behavior or post-exploitation activities.

In addition, it is advisable to separate programmatic interfaces from ease-of-use features, such as the ability to perform actions without a user’s input. While these can provide valuable convenience, they are not always appropriate for use in programming.

Ammar Fakhruddin


Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

Data Security Through Data Literacy

Data Security Through Data Literacy

Unlocking data security through data literacy. Explore the pivotal role of understanding data in fortifying cybersecurity measures. Data is now pervasive, and it is important for people to understand how to work with this information. They need to be able to interpret...

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle drops malware. Stay vigilant against cybersecurity threats, and secure your online anonymity with caution. Threat actors have been using Trojanized installers for the Tor browser to distribute clipboard-injector malware that siphons...

Siri Privacy Risks: Unveiling the Dangers

Siri Privacy Risks: Unveiling the Dangers

Unveiling Siri privacy risks: Understand the potential dangers and take steps to enhance your digital assistant's security. Siri is a great piece of technology, but it can also be dangerous to users’ privacy. This is a serious issue that should be addressed....

Recent Case Studies

Press Releases

News & Events


Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing



About Us