Sysdig Report Surfaces Major Container Security Challenges

Sysdig today published a cloud-native security report that found 91% of runtime scans fail and that only 2% of granted permissions are being used in container environments.

Crystal Morin, cybersecurity strategist at Sysdig, said these results suggest that organizations are not making nearly enough progress on securing cloud-native computing environments.

Based on an analysis of millions of containers and thousands of cloud accounts, users, and roles conducted by Sysdig, the survey makes it clear that there is a greater need for continuous monitoring to ensure the security of cloud-native application environments, said Morin. Cybersecurity teams should also review the permissions that are being needlessly granted to not just end users but also machines and software components as part of any effort to embrace zero-trust IT, she added.

However, the report also found an interesting paradox. After analyzing nearly six million runtime image scans and over 500,000 continuous integration and continuous delivery (CI/CD) build pipeline scans, Sysdig found that runtime scans had a 91% vulnerability policy failure rate, compared to 71% for the CI/CD pipeline scans.

In theory, as more organizations shift responsibility for application security further left, those results should be flipped, noted Morin. Organizations should be scanning earlier and more often. One possible explanation for this data is that additional dependencies are being referenced that aren’t in scope for pipeline scans. Another reason may be that organizations are simply forgoing pipeline scans in favor of runtime checks for better accuracy or to reduce the burden on development teams. Finally, not all packages are being checked all the time, which is often the case with middleware components, the report noted.

Regardless of scan failure rates, there are more containers than ever that could be compromised. The report also notes that 70% of containers live for five minutes or less. It takes, on average, about 10 minutes for cybercriminals to launch an attack. The longer a container runs, the more likely it is to be compromised, noted Morin.

In addition, cybercriminals are getting more adept at monitoring cloud-native application environments, increasingly watching for vulnerable containers to be spun back up, she added. In fact, the time cybersecurity teams have to discover and remediate a container breach before cybercriminals use that foothold to implant malware and move laterally across an IT environment is now measured in minutes, said Morin.

The Sysdig report notes that 35% of attacks were identifiable through indicators of compromise (IoCs), while the remaining 65% required additional behavioral detection mechanisms.

Finally, the report also finds that more artificial intelligence (AI) models are running in cloud-native application environments. More than two-thirds of organizations (69%) have yet to embed AI into their cloud environments. Of the 31% of companies that have integrated AI frameworks and packages, only 15% of those integrations are being used for generative AI tools such as large language models (LLMs). While the adoption of AI varies widely, one thing is clear: a new type of software artifact that needs to be secured is showing up in container environments.

The challenge now, as always, is distinguishing what level of cybersecurity risk each of those artifacts actually represents to the organization.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.