Sysdig Report Reveals Container Security, Cost Issues

Sysdig, Inc. today published a report that finds, among other issues, 85% of the container images running in production environments contain at least one vulnerability. Three-quarters of those vulnerabilities (75%) are rated as “high” or “critical,” according to the report.

The report is based on an analysis of how more than 700 IT organizations employ Sysdig’s platform to monitor and secure containers. The report also reveals that organizations that have deployed more than 20 Kubernetes clusters may be overspending on cloud services by as much as $400,000 each year. A full 60% of the clusters analyzed had no CPU limits defined, while 51% had no memory limits defined. More than a third of CPU cores (34%) were unused.

On the plus side, however, the report also indicates that use of Prometheus metrics to monitor container environments grew 83% since the last time Sysdig published a similar report a year ago.

Aaron Newcomb, director of product marketing for Sysdig, says the report makes it apparent that adoption of best practices for securing containers and limiting costs continues to lag. For example, the survey finds that less than half of container images (48%) are scanned before runtime. In fact, more than three-quarters (76%) are running as root, which makes it easier for cybercriminals to compromise the entire IT environment once they gain access to that container.

The report also finds nearly three out of four organizations have exposed S3 buckets, with more than a third (36%) of S3 buckets open to public access. More than a quarter (27%) also have unnecessary root access, while many (48%) lack support for multifactor authentication (MFA). The report also notes that 88% of roles are assigned to applications, cloud services and commercial tools rather than a specific administrator, which suggests access is being granted to any user of those tools and services.

Overall, the report finds that use of containers grew 15% in the last year since Sysdig’s 2021 report.

In general, Newcomb says the lack of adoption of DevSecOps best practices makes it clear that a shift left toward making developers more accountable for cybersecurity is not yet happening. As such, it’s critical for IT operations and security teams to make sure security policies are implemented at runtime, he adds. Otherwise, developers will continue to routinely deploy container images that encapsulate multiple vulnerabilities without realizing it.

In effect, Sysdig is making a case for IT operations and security teams to shift even further left. The goal is to make it easier to secure containers by deploying platforms like the open source Falco engine for detecting container threats originally developed by Sysdig. The company claims more than 40 million Falco downloads, which represents 370% growth since Sysdig contributed Falco to the Cloud Native Computing Foundation (CNCF) in January 2020.

There’s clearly still work to be done when it comes to container security. Far too many developers, for example, assume that because a container only runs for a few seconds, that a cybercriminal will not have the time to discover and exploit it. Cybercriminals, however, are now continuously scanning for container vulnerabilities within software supply chains; the presence of containers indicates to them that an advanced application representing a valuable target has been deployed.

One way or another, container security will eventually improve. The issue is how quickly those improvements will happen and whether they will make a substantial difference.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

Mike Vizard has 1681 posts and counting. See all posts by Mike Vizard