Did you know there is an option to drop Linux capabilities in Docker? Using the docker run --cap-drop option, you can lock down root in a container so that it has limited access within the container. Sadly, almost no one ever tightens the security on a container or anywhere else.

The Day After is Too Late

There's an unfortunate tendency in IT to think about security too late. People only buy a sec