Survey Surfaces Raft of Container Security Challenges
A survey of 427 IT professionals who work with containers published today finds just under a quarter (23%) experienced some type of cybersecurity incident in the last year, with only 5% describing that event as creating a major issue for their organization.
Conducted by BellSoft, a provider of a distribution of the OpenJDK framework for building Java applications, the survey also identifies human errors and mistakes (62%) as the main source of the vulnerabilities that exist in respondents' container application environments.
However, only 43% use vulnerability scanning tools, and less than half (45%) said they only work with trusted image registries. Additionally, only 18% are making use of some type of software bill of materials (SBOM) tool, and only 16% use image signing. Finally, only 6% use some type of hardware virtualization, such as a Kata container.
Dmitry Chuyko, performance architect for BellSoft, said the survey suggests that IT teams may not have as much insight into the vulnerabilities that exist within these applications as they assume. While containers themselves are regularly ripped and replaced, the base image within those containers is often not regularly updated, so vulnerabilities introduced by various dependencies may persist longer than most application development teams fully appreciate, he added.
In fact, well over a third of respondents (36%) said they encounter difficulties with regular patching of applications, while 32% said there are gaps before patches become available. For example, only 31% update with every application release, and just over a quarter (26%) said they only update when critical vulnerabilities are found. A third (33%) said they only update monthly or less frequently, with only 10% updating weekly.
Additionally, just under half (49%) are also challenged by time and resource constraints, while 36% conceded that container security is not an organizational priority, according to the survey.
On the plus side, just under half (48%) want pre-hardened, security-focused base images, but only 29% said they prioritize the number of security vulnerabilities that exist when selecting a base image. In comparison, 86% prioritize efficient memory usage, followed by high throughput under load (68%) and fast startup times (66%).
Overall, the complexity of cloud-native application environments makes securing these applications especially challenging, noted Chuyko. In fact, 47% of respondents want better/easier automated tools, compared to 36% that want more time and resources.
A lack of security incidents doesn’t mean an application environment is secure so much as it suggests an organization may simply be lucky. It’s relatively trivial these days for cybercriminals to gain access to application environments by stealing credentials. However, cybercriminals are becoming more interested in compromising software supply chains in the hopes that the malware they inject can be activated later in multiple downstream applications.
Of course, it's still difficult to assess the actual level of risk that a specific vulnerability represents to an application, especially if the code in question never actually gets loaded into memory or there is no way to reach it from outside the organization. Nevertheless, the challenge most DevSecOps teams face today, especially in the age of artificial intelligence (AI), is that the amount of code that needs to be reviewed for vulnerabilities far exceeds what the thin line of individuals assigned to the task can cover.