Even though nearly three in four organizations are moving security to early points in the development process by scanning images during the build phase, DevOps teams are still leaving their environments open to cyber attacks, a new report found.
While organizations are shifting security processes left, or sooner in the delivering pipeline, it’s not enough to fully address security issues, Sysdig’s fourth annual 2021 Container Security and Usage Report found. "To run container applications with confidence, it’s important to address configuration risk, detect runtime threats, and ensure that a detailed recording of container activity is available for incident response and forensics, the San Francisco-based company said.
Many security teams only become involved in the concluding steps of operations and monitoring, said Suresh Vasudevan, Sysdig chief executive. “Across millions of containers that we have studied, it’s clear that organizations are shifting security left, but they are neglecting critical best practices,” he said.
As a result, container security risk has caught the attention of chief information security officers (CISO), owing to high profile breaches and the “accelerated adoption” of containers in production, Vasudevan said.
Sysdig’s report examines how global companies across industries use and secure container environments. Chief among its findings is that while 74 percent of customers are scanning before deployment, 58 percent of containers are running as root. While some containers should run as root, such as security and system daemons, it’s only a small portion of the total. Sysdig said. It’s these risky configurations that can potentially compromise the system.
The report identifies three macro trends:
Prometheus continues to grow, 35% year-over-year.
- Organizations are shifting toward Prometheus as the standard approach to monitoring container environments. The use of Prometheus metrics among Sysdig customers grew 35 percent year-over-year.
Docker down, containerd and CRI-O up 300%.
- Organizations are rapidly switching to newer runtimes like containerd and CRI-O. In 2017, Docker represented 99 percent of containers in use. That number has fallen to 50 percent, down from 79 percent in October 2019.
21% of containers live less than 10 seconds.
- The short life of containers reaffirms the need for container-specific tools for security and monitoring. For example, organizations need metric collection with intervals of less than 10 seconds and a detailed record of what occurred when the container was alive.
Key insights from the report:
- To keep ahead of runtime risks, cloud teams must act now to integrate security into DevOps.
- Real-time visibility that provides detailed audit and forensics records for short-lived containers is critical to secure operations.
- Organizations should invest in Kubernetes-native tools to simplify operating at scale.
- As Prometheus extends its lead as the standard for cloud-native application metrics, users must learn how to leverage reliably and at scale.
“Until organizations fix risky configurations, protect their runtime environments, and invest in container forensics, we will see an increase in container security breaches,” Vasudevan said.
