A new report from Sysdig, the unified cloud and container security solutions provider, has revealed that 87% of container images have high-risk vulnerabilities.
Sysdig's 2023 Cloud-Native Security and Usage report revealed that supply chain risk and zero trust architecture readiness are the most significant unaddressed security issues in cloud and container environments.
This is the sixth annual report that Sysdig has released. It looks at real-world data to understand how global companies and industries use and secure cloud and container environments.
The data set used covers billions of containers, thousands of cloud accounts and hundreds of thousands of applications that Sysdig customers operated over the last year.
There are a number of highlights from the report, but the headline is that 87% of container images have high or critical vulnerabilities.
Security teams face a large number of container vulnerabilities because of the nature of modern design and the reality of sharing open-source images. Part of the problem is that teams find it harder to prioritise vulnerabilities and to scale down their workload so that they can manage them.
However, one revelation from the report is that only 15% of critical and high vulnerabilities with an available fix are in packages loaded at runtime. This means that teams can focus their efforts on that 15% of vulnerabilities rather than the other 85%, simply by filtering on the packages that are actually in use.
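The in-use filtering described above, as an added illustration that is not Sysdig's code: constructed scanner findings for one image are narrowed to the high/critical, fixable ones whose packages were actually loaded at runtime, and the size of the deferred remainder is reported. The finding shape, package names and the runtime-loaded set are assumptions for the example.

```python
"""Prioritise container-image vulnerabilities by runtime usage.

Added illustration of the 'in-use exposure' filtering the report describes;
this is not Sysdig's code. Scanner findings and the runtime-loaded package
list below are constructed sample data in a generic shape, not real output.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

HIGH_RISK = {"CRITICAL", "HIGH"}

@dataclass(frozen=True)
class Finding:
    package: str                 # package name as reported by the image scanner
    severity: str                # CRITICAL / HIGH / MEDIUM / LOW
    fixed_version: Optional[str]  # None when no fix is available

# Constructed scanner output for one image (hypothetical findings).
SCAN_FINDINGS = [
    Finding("openssl", "CRITICAL", "3.0.8"),
    Finding("curl", "HIGH", "7.88.1"),
    Finding("libxml2", "HIGH", None),
    Finding("imagemagick", "CRITICAL", "7.1.0-62"),
    Finding("perl", "MEDIUM", "5.36.0-7"),
    Finding("vim", "HIGH", "9.0.1378"),
]

# Constructed set of packages whose files were actually loaded by the
# running container (as runtime instrumentation would observe them).
RUNTIME_LOADED = {"openssl", "curl", "libxml2", "glibc"}

def prioritise(findings: List[Finding], runtime_loaded: Set[str]) -> Tuple[List[Finding], List[Finding]]:
    """Keep high/critical findings that have a fix, then split them into the
    in-use subset (fix first) and the not-loaded remainder (lower priority)."""
    fixable = [f for f in findings
               if f.severity in HIGH_RISK and f.fixed_version is not None]
    in_use = [f for f in fixable if f.package in runtime_loaded]
    not_in_use = [f for f in fixable if f.package not in runtime_loaded]
    return in_use, not_in_use

def reduction_percent(findings: List[Finding], runtime_loaded: Set[str]) -> int:
    """Share of fixable high/critical findings removed from the immediate
    queue by the in-use filter, as a whole-number percentage."""
    in_use, not_in_use = prioritise(findings, runtime_loaded)
    total = len(in_use) + len(not_in_use)
    return 0 if total == 0 else round(100 * len(not_in_use) / total)

if __name__ == "__main__":
    act_now, later = prioritise(SCAN_FINDINGS, RUNTIME_LOADED)
    print("Fix first (in use):", [f.package for f in act_now])
    print("Defer (not loaded):", [f.package for f in later])
    print(f"Immediate queue reduced by {reduction_percent(SCAN_FINDINGS, RUNTIME_LOADED)}%")
```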
The other main issue in cloud and container environments is zero trust architecture. Zero trust architecture principles stress that organisations should avoid granting overly permissive access, and the report revealed that 90% of granted permissions are unused.
The report also communicated that 59% of containers have no CPU limits defined, and 69% of requested CPU resources go unused. Without utilisation information for Kubernetes environments, it becomes harder for developers to understand where their cloud resources are over or under-allocated.
This challenge contributes to organisations of all sizes possibly overspending by 40%, amounting to more than $10 million in wasteful spending for large cloud deployments.
Container lifespan is also relevant to wasteful spending: the report states that 72% of containers live less than five minutes, a figure that has decreased by 28% this year.
This decrease in the lifespan of containers could be attributed to the maturing of organisations' use of container orchestration. Still, it also points to the need for security that can keep pace with the short-term nature of the cloud.
"Looking back at last year's report, container adoption continues to mature, which is evident by the decrease in container life spans. However, misconfigurations and vulnerabilities continue to plague cloud environments, and supply chains are amplifying how security problems manifest," says Michael Isbitski, Director of Cybersecurity Strategy, Sysdig.
"Permissions management, for users and services alike, is another area I'd love to see people get stricter about."
"This year's report shows great growth and also outlines best practices that I hope teams adopt by the 2024 report, such as looking at in-use exposure to understand real risk, and to prioritise the remediation of vulnerabilities that are truly impactful."