IDG Contributor Network: Are VMs more secure than containers?
We often say, “HTTPS is secure,” or “HTTP is not secure.” But what we mean is that “HTTPS is hard to snoop and makes man-in-the-middle attacks difficult” or “my grandmother has no trouble snooping HTTP.”

Nevertheless, HTTPS has been hacked, and under some circumstances, HTTP is secure enough. Furthermore, if I discover an exploitable defect in a common implementation supporting HTTPS (think and ), HTTPS can become a hacking gateway until the implementation is corrected.

HTTP and HTTPS are protocols defined in IETF RFCs – and . HTTPS was designed as a secure HTTP, but saying HTTPS is secure and HTTP is not still hides important exceptions.

Virtual machines (VMs) and containers are less rigorously defined than these protocols, and neither was deliberately designed to be more secure than the other. The security question is therefore even murkier.
A layered architecture like virtualization separates the execution stack of each application all the way down to the hardware, eliminating the possibility of applications interfering with one another through the shared OS. In addition, the interface between each application stack and the hardware is defined and limited to prevent abuse. This provides an additional robust perimeter for protecting applications from one another.

, but don’t worry about it. But Heartbleed happened. And OpenSSL has far fewer lines of code than a hypervisor. I need to go out now—my flying pig wants more hogwash.

I don’t know of any significant hypervisor breaches to date. But a quick look at the database reveals that researchers do find exploitable hypervisor weaknesses. The hypervisor developers and vendors have been quick to patch vulnerabilities as they are discovered. In March 2017, Microsoft issued , documenting seven patched vulnerabilities in its Hyper-V hypervisor, all rated important or critical.

I still believe VMs provide better security than containers, but we have to look at the safety of VM systems with clear eyes. I plan to discuss hypervisor weaknesses in more detail in the future. Also, containers and VMs are often combined. There is much yet to be said.

This article is published as part of the IDG Contributor Network.