DigiNews

Summary

Shayon Mukherjee surveys the sandboxing landscape, emphasizing that isolation is a spectrum with different boundaries and attack surfaces. The piece compares kernel-level containers, user-space kernels like gVisor, microVMs, and WebAssembly, and discusses both server-side and local development sandboxing strategies, including defense-in-depth practices and threat models.