I finally got a chance to look around again, and here is the paper from Docker that had me thinking what I was thinking before talking with you, and thus my confusion, as you sort of refute, in part at least, some of the statements from this document. I equated default to "out of the box".
"Container technology increases the default security for applications in two ways."
"Docker’s default settings are designed to limit Linux capabilities."
"The default bounding set of capabilities inside a Docker container is less than half the total capabilities assigned to a Linux process (see Linux Capabilities figure)."
"Containers can run with a reduced capability set that does not negatively impact the application and yet improves the overall security system levels and makes running applications more secure by default."
"Containers have no default device access and have to be explicitly granted device access."
"Using Docker brings immediate benefits, not only in terms of application development and deployment speed and ease, but also in terms of security."
"Containers provide an additional layer of protection by isolating between the applications and the host, and between the applications themselves without using incremental resources of the underlying infrastructure and by reducing the surface area of the host itself."
"Linux hosts can be hardened in many other ways and deploying Docker enhances the host security but also does not preclude the use of additional security tools."
"The simple deployment of Docker increases the overall system security levels by default, through isolation, confinement, and by implicitly implementing a number of best-practices, that would otherwise require explicit configuration in every OS used within the organization."
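One way to check the "less than half" claim for yourself is to decode the CapBnd mask a container reports in /proc/self/status and count the bits; the decoder below is an added example, not code from the Docker paper, and the sample mask is the value commonly reported for Docker's default profile (an assumption here, read the real one with `docker run --rm alpine grep CapBnd /proc/self/status`).

```shell
#!/bin/sh
# Decode a Linux capability bounding-set mask (the CapBnd line of /proc/<pid>/status)
# and count how many capabilities it grants, to verify the "reduced by default" claim.

# Capability names indexed by bit number (kernel capability.h ordering, bits 0..40).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"
CAP_TOTAL=41

# cap_count HEXMASK : print how many capability bits are set in the mask.
cap_count() {
    mask=$((0x$1))
    n=0
    bit=0
    while [ "$bit" -lt "$CAP_TOTAL" ]; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then n=$((n + 1)); fi
        bit=$((bit + 1))
    done
    echo "$n"
}

# cap_names HEXMASK : print the name of every capability set in the mask, one per line.
cap_names() {
    mask=$((0x$1))
    bit=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then echo "cap_$name"; fi
        bit=$((bit + 1))
    done
}

# cap_is_reduced HEXMASK : succeed when the mask grants fewer than half of all capabilities.
cap_is_reduced() {
    [ "$(cap_count "$1")" -lt $((CAP_TOTAL / 2)) ]
}

# Constructed sample (assumption): the bounding set commonly reported for Docker's
# default profile. Replace it with the CapBnd value read from your own container.
DOCKER_DEFAULT_BND="00000000a80425fb"
echo "docker default: $(cap_count "$DOCKER_DEFAULT_BND") of $CAP_TOTAL capabilities"
cap_names "$DOCKER_DEFAULT_BND"
```

Feeding the same functions the CapBnd of a process on the host (or of a container started with --privileged) shows the full set, which is the comparison the paper's "less than half" figure refers to.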