Over three-quarters of container images have high risk vulnerabilities
A new report from container and cloud security company Sysdig finds that 75 percent of images contain patchable vulnerabilities of 'high' or 'critical' severity. In addition, 85 percent of container images that run in production contain at least one patchable vulnerability.
Looking at the issues in more detail, 73 percent of cloud accounts contain exposed S3 buckets and 36 percent of all existing S3 buckets are open to public access.
The amount of risk associated with an open bucket varies according to the sensitivity of the data stored there, but leaving buckets open is rarely necessary and is a shortcut that cloud teams should generally avoid.
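As an added illustration of the exposed-bucket finding (example code written for this page, not from the report or from Sysdig): a small audit of an S3 bucket policy document that flags Allow statements granting access to any principal, separating unconditioned grants from those narrowed by a Condition. The policy, bucket name, account id and VPC endpoint id below are constructed for the example.

```python
import json

# Constructed sample bucket policy (not taken from the report). The first
# statement grants anonymous read on every object; the second is scoped to a
# single IAM role; the third is anonymous but narrowed by a Condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})


def _is_anonymous(principal) -> bool:
    """True when the Principal element matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def audit_bucket_policy(policy_json: str) -> dict:
    """Classify Allow statements that grant to any principal.

    'public'      - anonymous grant with no Condition (open to the internet)
    'conditional' - anonymous grant narrowed by a Condition (needs review)
    Returns {"public": [sids], "conditional": [sids]}.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    result = {"public": [], "conditional": []}
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement-{i}")
        result["conditional" if stmt.get("Condition") else "public"].append(sid)
    return result


if __name__ == "__main__":
    print(audit_bucket_policy(SAMPLE_POLICY))  # → {'public': ['PublicRead'], 'conditional': ['VpcOnly']}
```

Bucket policies are only one of the paths to public access; ACLs and the account-level Block Public Access settings should be checked alongside them.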
Unnecessary root access is a problem in 27 percent of organizations, and 48 percent don't have multi-factor authentication enabled on these sensitive accounts.
Outside of security issues, 60 percent of containers have no CPU limits defined and 51 percent have no memory limits defined, risking overspend on cloud budgets as systems are allowed to expand out of control. There has been a 15 percent increase year-on-year in container density and a 360 percent increase in four years, which makes setting resource limits more important.
Among other interesting findings, 88 percent of roles are assigned to non-humans, such as applications, cloud services, and commercial tools. This adds risk if least privilege standards aren't being followed.
Aaron Newcomb, director of product marketing at Sysdig, writes on the company's blog, "Cloud technologies continue to expand their role in transforming how organizations deliver applications. With security becoming a growing concern among DevOps teams, it is good to see that teams are implementing security during the build process. However, more work is needed to secure both containers and cloud services to prevent possible vulnerabilities from entering production."
Best practices organizations are advised to follow include managing access based on data sensitivity and specific use cases while abiding by the principle of least privilege, and striving to eliminate or reduce insecure behaviors that lead to excessive alerts.
You can read more and get the full report on the Sysdig blog.