Why Prevention with Minimal Images Beats Detection in Container Security and DevSecOps

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

Quick Takeaways:

  • Morello explains that traditional images force teams to triage and patch many CVEs.
  • Minimal images keep only essential components built from source, reducing vulnerabilities by removing unnecessary software.
  • Morello believes that successful teams match their infrastructure to the application's architecture.
  • The most common question that customers ask is “now what,” wanting to prioritize remediation.
  • Minimus helps teams understand risks and what to fix by sharing intelligence on actively exploited vulnerabilities.

John Morello, CTO and co-founder of Minimus, interacted with TechNadu to explain how a preventative approach that eliminates over 95% of vulnerabilities before they appear differs from traditional CVE scanning tools. He addressed questions related to the real adoption challenges enterprises face when moving to minimal images, and how minimal images fit into the development and deployment pipeline.

Morello has more than two decades of cybersecurity experience, including engineering roles at Microsoft and leadership at Palo Alto Networks.

This mix of engineering depth, enterprise defense, and startup innovation helps bring insight into why prevention-first security models are critical. 

He highlights customer frustration with “visibility without answers” and explains how Minimus addresses this through preventative design.

Morello discusses the challenges of legacy applications, how DevSecOps teams adapt, and why vendor partnerships increase value for customers.

This dialogue captures the friction in cybersecurity, from everyday tools like password managers on personal laptops to enterprise platforms like SIEM systems in SOCs.

Vishwa: Minimus claims to eliminate over 95% of vulnerabilities in container and VM images. We’d like to understand how this preventative approach differs from traditional CVE scanning tools, which often focus on detecting and patching issues after discovery. Can you explain what makes Minimus’s method more effective?

John: Let’s illustrate this with an example. Someone using the nginx web server today is going to have 95 CVEs in that image, 35 of which are high or critical severity. So they run a scan and see 95 results.

Now there’s time spent prioritizing - 

After that, there’s the time spent on remediation as well. With Minimus’ nginx image, that same scan returns 0 results - there aren’t any CVEs. 

No time spent triaging, no time spent fixing.

Vishwa: For readers who may not be familiar, what exactly are minimal images, and how do they reduce vulnerabilities so significantly compared to conventional base images?

John: A minimal image contains only the necessary bits needed to run. No added dependencies or additional tools. 

We build these images from source continuously, including only the needed components. Because there’s no complex web of dependencies, the images are significantly smaller, and the reduction in dependencies translates into a reduction in attack surface, and thus CVEs as well.

Vishwa: You emphasize building secure minimal images. For legacy applications that rely on large operating system libraries, what are the real adoption challenges enterprises face when moving to minimal images, and how can those be overcome?

John: For older, monolithic applications, the main difficulty isn't just using minimal images, but transitioning to a microservices or cloud-native architecture. This involves separating different parts of the application stack and reassembling them as independent, cooperating services. 

There's no single solution for this migration; some applications thrive as monoliths, while many others don't. The most successful teams are those that carefully match their infrastructure to their application's architecture.

Vishwa: Minimus positions itself within DevSecOps workflows. Can you walk us through how minimal images fit step by step into the development and deployment pipeline, from build to runtime, and what kind of dashboard data or visibility teams gain to track their risk reduction?

John: Minimus images seamlessly replace traditional images. Developers simply adjust a line in their deployment configuration to use a Minimus image. 

This doesn't disrupt existing workflows, as the images are compatible with container scanners and cloud security tools. 

Scans, CI pipelines, and deployment jobs function as usual. Each image also highlights the reduced risk by comparing our CVE count to that of the public image.
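To make the minimal-image idea from the two answers above concrete, here is an added example (not Minimus's build process, and not code from the interview): a two-stage Dockerfile that compiles a hypothetical Go service from source and copies only the resulting static binary and a CA bundle into an empty base image, so nothing else is left for a scanner to report. It assumes a Go module whose entry point lives at `./cmd/app`; everything else is standard Docker syntax.

```dockerfile
# syntax=docker/dockerfile:1

# Stage 1: build from source. The compiler, shell, package manager and
# build-time packages all stay here and never reach the runtime image.
FROM golang:1.22-alpine AS builder
WORKDIR /src
# Assumed project layout: a Go module with go.mod and go.sum at the root.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 produces a fully static binary with no libc dependency,
# so the runtime image needs no OS libraries at all.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/app ./cmd/app

# Stage 2: the runtime image. 'scratch' is an empty filesystem: no shell,
# no package manager, no distro packages. A CVE scanner can only flag what
# is actually inside the binary and the files copied in below.
FROM scratch
# Only what the program needs at runtime: trusted CA roots for outbound TLS
# (provided by the alpine builder's ca-certificates package) and the binary.
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /out/app /app
# scratch has no /etc/passwd, so run as a numeric non-root uid/gid.
USER 65532:65532
EXPOSE 8080
ENTRYPOINT ["/app"]
```

Building this alongside a conventional `FROM golang:1.22-alpine` single-stage image and scanning both with the scanner already in your CI pipeline shows the size and finding-count difference the interview describes; the pipeline itself does not change.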

Vishwa: Having co-founded Twistlock, you saw how container security evolved from reactive scanning. What lessons from Twistlock’s journey directly shaped Minimus’s preventative-first design?

John: Twistlock solved a problem of visibility for our customers, allowing them to see the CVEs present in their container environments. But the most common question we got from customers was “Now what?” as they tried to figure out how to prioritize their remediation efforts.  

That experience led us to the preventative approach, which takes the burden of that question off the customers’ shoulders.

Vishwa: Your platform integrates with Exploit Prediction Scoring System (EPSS) and CISA Known Exploited Vulnerabilities. How does combining minimal images with real-time threat intelligence improve security outcomes in highly regulated industries?

John: Our images contain 97-100% fewer CVEs than their conventional counterparts. While unfixed CVEs in upstream projects still appear in Minimus images, we help teams assess their risk posture and make informed mitigation and remediation decisions by integrating intelligence about actively exploited vulnerabilities. 

For customers in regulated industries, we provide built-in reporting that demonstrates how each Minimus image aligns with standards like CIS or NIST, simplifying audit compliance.

Vishwa: You’ve partnered with Orca Security to extend visibility into minimal images. Rather than broad collaboration, where do you see the most immediate value in vendor partnerships, for example, in metadata sharing or compliance reporting?

John: Vendor partnerships should simplify customers' lives. When we partner with cloud security solutions like Orca, they provide a platform for customers to assess risk across their entire cloud environment. 

Our minimal images reduce the number of risks within that environment. This collaboration amplifies the benefits: Our images not only reduce risk but also lead to fewer scan results. 

Fewer scan results in Orca means less time spent triaging and prioritizing risk, allowing more of the remaining risks to be effectively mitigated or remediated, ultimately resulting in even greater risk reduction.

Vishwa: Finally, what cybersecurity tools or apps would you recommend, including password managers for newcomers and advanced platforms such as SIEM or CSPM for experts?

John: It doesn’t matter if it’s a password manager on your personal laptop, or a SIEM used by a team of SOC analysts - the most important thing is that the tool fits the way you work. The more friction a cybersecurity tool introduces, the less it ends up being used. And the best cybersecurity tools are the ones that people actually use.
