Minimus today at the 2025 RSA Conference launched a managed service that provides application development teams with access to a curated, secure set of minimal container images and virtual machines.
Company CTO John Morello said the Minimus service eliminates the possibility that developers might inadvertently download software artifacts that might be infested with malware.
At the core of the Minimus service is an operating system the company developed specifically to simplify the orchestration of software artifacts. That capability enables Minimus to deliver hardened software artifacts, configured to present the smallest possible attack surface, that can be integrated directly into DevSecOps workflows, said Morello.
Minimus also constantly monitors threat intelligence to ensure the security of those artifacts, while also providing developers with real-time insights into potential threats to reduce overall risk, he added.
While a lot of progress has been made in securing software supply chains, too many developers are still downloading software artifacts from insecure repositories. The Minimus service provides an alternative approach to accessing software artifacts that have been vetted by application security experts for known vulnerabilities and security weaknesses, said Morello.
It’s not clear why more DevSecOps teams aren’t limiting the number of repositories that application developers can use to download software artifacts, but cybercriminal syndicates have clearly become more adept at injecting malware into those repositories as part of an effort to infect as many downstream applications as possible. Unfortunately, it might be years before that malware is actually activated.
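One concrete form that repository restriction takes is an allow-list of approved image registries enforced before an image reference is ever pulled. The following is an added illustration, not code from Minimus or from the original article: it parses container image references the way OCI tooling does (registry, repository, tag, digest), flags references that come from registries outside a vetted allow-list, and flags references that are not pinned to a content digest, since a mutable tag can be swapped for a different artifact after review. The registry names and the sample image references are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical allow-list of vetted registries (placeholder host names, not real systems).
ALLOWED_REGISTRIES: Set[str] = {"images.example.internal", "mirror.example.internal"}

# A pinned reference must carry a well-formed sha256 content digest.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split '[registry/]repo[:tag][@digest]' using the usual Docker/OCI rules:
    the first path component is a registry only if it looks like a host
    (contains '.' or ':' or is 'localhost'); otherwise docker.io is implied."""
    rest, digest = ref, None
    if "@" in rest:
        rest, digest = rest.split("@", 1)
    first, sep, remainder = rest.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, remainder
    else:
        registry, path = "docker.io", rest
    tag = None
    # A ':' after the last '/' separates the tag; registry ports were handled above.
    colon = path.rfind(":")
    if colon > path.rfind("/"):
        path, tag = path[:colon], path[colon + 1:]
    return ImageRef(registry, path, tag, digest)


def check_image_ref(ref: str, allowed: Set[str] = ALLOWED_REGISTRIES) -> List[str]:
    """Return the policy violations for one reference; an empty list means it passes."""
    img = parse_image_ref(ref)
    problems = []
    if img.registry not in allowed:
        problems.append(f"registry {img.registry!r} is not in the vetted allow-list")
    if img.digest is None:
        problems.append("not pinned to a digest; a mutable tag can be repointed after review")
    elif not DIGEST_RE.match(img.digest):
        problems.append(f"malformed digest {img.digest!r}")
    if img.tag == "latest":
        problems.append("uses the floating 'latest' tag")
    return problems


def audit(refs: List[str]) -> Dict[str, List[str]]:
    """Map each offending reference to its violations; compliant references are omitted."""
    findings = {}
    for ref in refs:
        problems = check_image_ref(ref)
        if problems:
            findings[ref] = problems
    return findings


# Constructed sample of image references as they might appear in a set of manifests.
SAMPLE_IMAGE_REFS = [
    "images.example.internal/payments/api@sha256:" + "a" * 64,
    "python:3.12",
    "docker.io/library/nginx:latest",
    "mirror.example.internal/base/minimal:1.4@sha256:" + "b" * 64,
    "localhost:5000/dev/app:1.0",
]

if __name__ == "__main__":
    for ref, problems in audit(SAMPLE_IMAGE_REFS).items():
        print(ref)
        for p in problems:
            print("  -", p)
```

Run as a pre-merge check or admission hook, this turns "only pull from the repositories we vetted" from a guideline into an enforced policy; the digest check is what keeps a reviewed artifact from being silently replaced behind an unchanged tag.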
DevSecOps teams have been making a concerted effort to provide application developers with scanning tools that discover vulnerabilities and malware in software artifacts. However, the success of those efforts is often limited simply because the number of alerts being generated overwhelms the ability of application developers to recognize and remediate issues based on their actual severity. The Minimus service reduces the need to run those scans by ensuring the software artifacts being used are secure in the first place, said Morello.
It’s not clear how many application security incidents can be traced specifically back to vulnerabilities and malware in software artifacts, but most developers would prefer not to address an issue discovered months, sometimes even years, after an application has been deployed in a production environment. As always, an ounce of prevention is going to be worth more than a pound of any proverbial cure.
The challenge at this point isn’t so much finding the technologies required to secure those artifacts as it is changing the culture of application developers who have, for decades now, routinely downloaded artifacts from public repositories without considering the application security implications.
Hopefully, the overall state of application security will improve as more organizations move to lock down their software supply chains. In the meantime, however, DevSecOps teams, rather than investing in more tooling, may want to consider addressing the issue at its root: the repositories themselves.