Sysdig lifts ‘lid’ on container image risks

Sysdig says it’s ‘driving the standard’ for cloud and container security – but how?

The company reminds us that it ‘pioneered’ cloud-native runtime threat detection and response by creating Falco and Sysdig Open Source as open source standards and key building blocks of the Sysdig platform.

Using this technology, developers and operations staff (Ed: did somebody forget to say DevOps?) can detect and respond to threats, find and prioritise software vulnerabilities, detect and fix misconfigurations and maximise performance and availability.

So keen is Sysdig to ‘dig into systems’ (yeah, we all see what we did there), the company has now tabled its Sysdig 2023 Cloud-Native Security and Usage Report – which suggests that supply chain risk and zero trust architecture readiness are the biggest unaddressed security issues in cloud and container environments.

Hundreds & thousands

Drawing on real-world telemetry, the study points to trends in how enterprises are using and securing cloud and container environments, with a data set that covers billions of containers, thousands of cloud accounts and hundreds of thousands of applications.

The whole data set is drawn from containers that Sysdig customers operated over the past year, so it reflects what runs in production rather than what is declared in a registry.

The headline number is that some 87% of container images carry high or critical vulnerabilities.

Due to the nature of modern design and the sharing of open source images, security teams face a large number of container vulnerabilities. The reality is that teams cannot fix everything and they struggle with finding the right parameters to prioritise vulnerabilities and scale down their workload.

“Looking back at last year’s report, container adoption continues to mature, which is evident by the decrease in container life spans. However, misconfigurations and vulnerabilities continue to plague cloud environments and supply chains are amplifying how security problems manifest. Permissions management, for users and services alike, is another area I’d love to see people get stricter about,” said Michael Isbitski, director of cybersecurity strategy at Sysdig.

Providing some hope, the report authors think that only 15% of critical and high vulnerabilities with an available fix are in packages loaded at runtime.

By filtering on the vulnerable packages that are actually in use, teams can focus on the fraction of fixable vulnerabilities that represent real risk. Cutting the list by 85%, to the 15% that are loaded at runtime, gives security teams a far more actionable number. One caveat a practitioner will want to keep in mind: "not loaded at runtime" is a snapshot of observed behaviour, so a package that sits idle today (a rarely used CLI, a library only pulled in by an error path) can still be executed tomorrow, by the application or by an attacker who has landed in the container. The runtime filter is a prioritisation tool, not a reason to leave the other 85% unpatched forever.
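To make the "in use at runtime" filter concrete, here is an added example (not Sysdig's code and not taken from the report) that takes a flat list of scanner findings and a set of package names observed in use at runtime, then splits the fixable high/critical findings into "in use" and "installed but idle" buckets, with a separate bucket for in-use findings that have no fix yet. The finding format, the package names and the CVE labels are constructed sample data; how you obtain the runtime package set (a sensor such as Falco, or walking /proc/*/maps and matching files back to packages) is outside the snippet.

```python
"""Prioritise container-image scan findings by runtime use of the vulnerable package.

Added example, not the report's or Sysdig's code. The Finding layout, the
severity scale and the runtime-package set are simplified assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    severity: str
    fixed_version: Optional[str]  # None means no fix is available yet


# Constructed scanner output for one image (illustrative labels, not real CVE IDs).
SCAN_FINDINGS = [
    Finding("CVE-A", "openssl", "critical", "3.0.8"),
    Finding("CVE-B", "curl", "high", "8.0.0"),
    Finding("CVE-C", "vim", "high", "9.0.1"),        # installed in the image, never run
    Finding("CVE-D", "libxml2", "critical", None),   # loaded at runtime, no fix yet
    Finding("CVE-E", "busybox", "medium", "1.36.1"),
    Finding("CVE-F", "zlib", "high", "1.2.13"),
]

# Constructed: packages whose files were observed being executed or mapped at runtime.
RUNTIME_PACKAGES = {"openssl", "zlib", "busybox", "libxml2"}


def triage(findings: Iterable[Finding], runtime_packages: set, min_severity: str = "high"):
    """Split findings at or above min_severity into three buckets.

    Returns (fixable_in_use, fixable_idle, unfixable_in_use), each sorted with the
    most severe first and then by package name.
    """
    floor = SEVERITY_RANK[min_severity]
    relevant = [f for f in findings if SEVERITY_RANK[f.severity] >= floor]

    def order(f: Finding):
        return (-SEVERITY_RANK[f.severity], f.package)

    fixable_in_use = sorted(
        (f for f in relevant if f.fixed_version and f.package in runtime_packages), key=order)
    fixable_idle = sorted(
        (f for f in relevant if f.fixed_version and f.package not in runtime_packages), key=order)
    # No patch exists, but the code is live: these need mitigation tracking, not silence.
    unfixable_in_use = sorted(
        (f for f in relevant if not f.fixed_version and f.package in runtime_packages), key=order)
    return fixable_in_use, fixable_idle, unfixable_in_use


def summarise(findings: Iterable[Finding], runtime_packages: set, min_severity: str = "high"):
    """Report how much of the fixable high/critical backlog is actually loaded at runtime."""
    in_use, idle, unfixable = triage(findings, runtime_packages, min_severity)
    fixable_total = len(in_use) + len(idle)
    pct_in_use = round(100 * len(in_use) / fixable_total) if fixable_total else 0
    return {
        "fixable_total": fixable_total,
        "fixable_in_use": len(in_use),
        "pct_fixable_in_use": pct_in_use,
        "unfixable_in_use": [f.cve for f in unfixable],
        "patch_first": [f.cve for f in in_use],
    }


if __name__ == "__main__":
    print(summarise(SCAN_FINDINGS, RUNTIME_PACKAGES))
```

With the constructed data, four findings are fixable and high or above; two of them (openssl, zlib) are in use, so the patch-first list is half the size of the raw list, and the unfixable libxml2 finding is surfaced separately rather than dropped by the "fix available" filter.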

According to Isbitski and team, “Zero trust architecture principles stress that organisations should avoid granting overly permissive access. Data from the report shows that 90% of permissions are unused. If attackers compromise credentials from identities with privileged access or excessive permissions, they have the keys to the kingdom in a cloud environment.”
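The "90% of permissions are unused" figure comes from comparing what an identity is allowed to do with what it actually does. The following is an added example (not from the report or Sysdig) of that comparison: a granted action list in a simplified "service:Action" form with `*` wildcards is checked against actions an identity is seen exercising in constructed audit-log events, and the output is the list of never-used grants, the wildcards that are only partially exercised, and a right-sized allow list. The policy and log formats are assumptions loosely modelled on cloud IAM and are not any provider's real schema.

```python
"""Find unused and over-broad permissions by comparing a granted action list
against actions actually observed for an identity in audit-log events.

Added example, not the report's or Sysdig's code. The "service:Action" policy
form and the JSON-lines log format are simplified assumptions.
"""
import fnmatch
import json
from collections import Counter

# Constructed: actions a service identity is allowed to perform (note the iam:* wildcard).
GRANTED_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
    "iam:*",
    "ec2:DescribeInstances", "ec2:TerminateInstances",
    "logs:CreateLogStream", "logs:PutLogEvents",
]

# Constructed audit-log events, one JSON object per line (not real log data).
AUDIT_LOG = """\
{"identity":"svc-uploader","action":"s3:PutObject","ts":"2023-01-10T09:00:00Z"}
{"identity":"svc-uploader","action":"s3:GetObject","ts":"2023-01-10T09:00:05Z"}
{"identity":"svc-uploader","action":"logs:PutLogEvents","ts":"2023-01-10T09:00:06Z"}
{"identity":"svc-uploader","action":"logs:CreateLogStream","ts":"2023-01-10T09:00:06Z"}
{"identity":"svc-uploader","action":"iam:GetRole","ts":"2023-01-11T12:00:00Z"}
{"identity":"other-user","action":"ec2:TerminateInstances","ts":"2023-01-11T12:30:00Z"}
{"identity":"svc-uploader","action":"s3:PutObject","ts":"2023-01-12T09:00:00Z"}
"""


def used_actions(log_text: str, identity: str) -> Counter:
    """Count the actions a single identity actually exercised in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event["identity"] == identity:
            counts[event["action"]] += 1
    return counts


def right_size(granted, used: Counter) -> dict:
    """Compare granted patterns with observed actions.

    unused:            grants no observed action matched (candidates for removal)
    wildcards_in_use:  wildcard grants and the specific actions that actually hit them
    used_not_granted:  observed actions no grant covers (policy drift or another path)
    recommended:       explicit allow list of exactly what was observed
    """
    unused, wildcards_in_use = [], {}
    covered = set()
    for pattern in granted:
        hits = sorted(a for a in used if fnmatch.fnmatchcase(a, pattern))
        covered.update(hits)
        if not hits:
            unused.append(pattern)
        elif "*" in pattern:
            wildcards_in_use[pattern] = hits
    return {
        "unused": unused,
        "unused_pct": round(100 * len(unused) / len(granted)) if granted else 0,
        "wildcards_in_use": wildcards_in_use,
        "used_not_granted": sorted(set(used) - covered),
        "recommended": sorted(used),
    }


def analyse(log_text: str, identity: str, granted=GRANTED_ACTIONS) -> dict:
    return right_size(granted, used_actions(log_text, identity))


if __name__ == "__main__":
    print(json.dumps(analyse(AUDIT_LOG, "svc-uploader"), indent=2))
```

On the constructed data three of the eight grants are never used by svc-uploader (the ec2:TerminateInstances event belongs to a different identity, so it does not count), and the iam:* wildcard is only ever exercised as iam:GetRole, which is what the recommended allow list narrows it to. In practice you would want an observation window long enough to cover infrequent jobs before removing anything, and the same comparison applied to service accounts, not just human users, as Isbitski's quote suggests.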

Some 59% of containers have no CPU limits defined and 69% of requested CPU goes unused. Without utilisation data for their Kubernetes environments, developers are blind to where cloud resources are over- or under-allocated. There is a security angle here too: a container with no CPU limit can starve its neighbours on the node if it misbehaves or is abused, so missing limits are worth flagging in the same pass that checks for over-requesting.
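As an added example (not Sysdig's code), here is the kind of check that surfaces both problems in one pass: it walks a pod spec, including init containers, flags every container with no CPU limit, converts Kubernetes CPU quantities ("500m", "1", "0.5") to millicores, and compares requested CPU against observed usage. The pod spec is a constructed dict (what you would get from parsing a manifest or the API), and the usage figures stand in for metrics-server data; both are assumptions for the example.

```python
"""Audit a Kubernetes pod spec for missing CPU limits and unused CPU requests.

Added example, not Sysdig's code. The pod spec and per-container usage numbers
are constructed; in practice they come from the API server and a metrics source.
"""

# Constructed pod spec (the relevant subset of a v1 Pod), not a real workload.
POD_SPEC = {
    "initContainers": [
        {"name": "migrate", "resources": {}},                      # nothing set at all
    ],
    "containers": [
        {"name": "api",
         "resources": {"requests": {"cpu": "500m"}, "limits": {"cpu": "1"}}},
        {"name": "sidecar",
         "resources": {"requests": {"cpu": "200m"}, "limits": {"memory": "128Mi"}}},  # no cpu limit
    ],
}

# Constructed observed CPU usage in millicores per container (stand-in for metrics-server).
OBSERVED_USAGE_M = {"api": 120, "sidecar": 180, "migrate": 0}


def parse_cpu(quantity) -> int:
    """Convert a Kubernetes CPU quantity to millicores: '500m' -> 500, '1' -> 1000, '0.5' -> 500."""
    q = str(quantity).strip()
    if q.endswith("m"):
        return int(q[:-1])
    return int(round(float(q) * 1000))


def audit_pod(spec: dict, usage_m: dict) -> list:
    """Return one finding per container (init containers included)."""
    findings = []
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            res = c.get("resources") or {}
            limit = (res.get("limits") or {}).get("cpu")
            request = (res.get("requests") or {}).get("cpu")
            requested_m = parse_cpu(request) if request is not None else 0
            used_m = usage_m.get(c["name"], 0)
            findings.append({
                "container": c["name"],
                "init": kind == "initContainers",
                "has_cpu_limit": limit is not None,
                "has_cpu_request": request is not None,
                "requested_m": requested_m,
                "used_m": used_m,
                # Idle share of the request; None when nothing was requested.
                "idle_pct": (round(100 * (requested_m - used_m) / requested_m)
                             if requested_m else None),
            })
    return findings


def summarise(findings: list) -> dict:
    """Roll container findings up to the numbers the report talks about."""
    requested = sum(f["requested_m"] for f in findings)
    used = sum(min(f["used_m"], f["requested_m"]) for f in findings if f["requested_m"])
    return {
        "containers": len(findings),
        "without_cpu_limit": [f["container"] for f in findings if not f["has_cpu_limit"]],
        "without_cpu_request": [f["container"] for f in findings if not f["has_cpu_request"]],
        "requested_m": requested,
        "unused_request_pct": round(100 * (requested - used) / requested) if requested else 0,
    }


if __name__ == "__main__":
    for f in audit_pod(POD_SPEC, OBSERVED_USAGE_M):
        print(f)
    print(summarise(audit_pod(POD_SPEC, OBSERVED_USAGE_M)))
```

For the constructed pod, two of the three containers have no CPU limit (the sidecar has a memory limit only, which is easy to miss by eye), and 57% of the requested CPU sits idle. Run across a cluster, the same two lists are the inputs to both the cost conversation and the noisy-neighbour one.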

As a final ‘gosh’ number to take away, the report reckons that 72% of containers live for less than five minutes. Why does that matter?

Because, the company says, gathering troubleshooting or forensic information after a container is gone is nearly impossible, and container lifespans got 28% shorter over the past year. The decrease speaks to organisations maturing in their use of container orchestration, and it reinforces the need for security tooling that captures activity while the container is still running rather than trying to reconstruct it afterwards.

Readers can find the full report linked from Sysdig’s Twitter stream @sysdig.