From Hundreds of CVEs to Absolute Zero: Securing Containers at Build Time

by Mr. Nikhil Prabhakar

Founder of PodArmor

Nikhil Prabhakar is the founder of PodArmor and a security engineer with over a decade of experience securing large-scale software systems. His work spans application security, cloud infrastructure hardening, and securing software supply chains in high-velocity engineering environments.

He has led security programs at fintech startups, built security teams from scratch, and worked closely with developers to integrate security into modern CI/CD workflows. He has also presented at international conferences including Nuit du Hack, OWASP AppSec, COCON and many more.

He also leads Null Bangalore, one of India's largest open security communities, where he actively mentors and contributes to the broader infosec ecosystem.

Abstract

Every team scans for vulnerabilities. Very few manage to fix them, at least not consistently, or at scale.

Somewhere along the way, shipping containers with hundreds of known CVEs became normal. Not because we're careless, but because the systems we rely on to fix these issues are fundamentally broken: slow, noisy, and disconnected from how we build software today.

In this talk, we will look at building a workflow that took us from constant CVE fatigue to clean, production-ready, zero-CVE container builds, without burning out developers or slowing down shipping velocity. We'll dive into:

  • Why most vulns don't get fixed (and it's not just "developer backlog")
  • Where detection tools fall short: triage, prioritization, and context
  • How we enforce zero-CVE policies at build time, not after
  • Real patterns that worked, and the ones that absolutely didn't
  • What it takes to ship hardened containers that survive audits and real attacks

This talk is about solving a problem that hits every engineering team eventually, and designing for secure-by-default as a baseline, not a bonus.