87 percent of container images have high risk vulnerabilities
Due to the nature of modern software design and the sharing of open source images, security teams face a large number of container vulnerabilities according to a new report.
The study from Sysdig, based on real-world data sets covering billions of containers, thousands of cloud accounts, and hundreds of thousands of applications, finds 87 percent of container images have high or critical vulnerabilities.
On a slightly more positive note, only 15 percent of critical and high vulnerabilities with an available fix are in packages loaded at runtime. This means that by focusing on the vulnerable packages that are actually in use, teams can target their efforts at the small fraction of fixable vulnerabilities that represent true risk.
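The "in-use exposure" prioritisation described above, as an added example (not code from the report or from Sysdig's products): scanner findings are joined against the set of packages observed loaded at runtime, and only fixable critical/high findings in loaded packages go to the front of the queue. The scan findings, CVE-style identifiers and runtime package list are constructed placeholders.

```python
# Added example: prioritise image-scan findings by in-use exposure.
# All findings, identifiers and runtime data below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    package: str        # package name as reported by the image scanner
    cve: str            # placeholder identifier, not a real CVE
    severity: str       # "critical", "high", "medium" or "low"
    fix_available: bool # whether a fixed package version exists


# Constructed scanner output for a single container image.
SCAN_FINDINGS = [
    Finding("openssl", "CVE-0000-0001", "critical", True),
    Finding("libxml2", "CVE-0000-0002", "high", True),
    Finding("curl", "CVE-0000-0003", "high", False),
    Finding("python3", "CVE-0000-0004", "medium", True),
    Finding("imagemagick", "CVE-0000-0005", "critical", True),
]

# Constructed set of packages a runtime agent actually saw loaded by
# processes in running containers built from that image.
RUNTIME_LOADED = {"openssl", "curl", "python3"}


def prioritise(findings, loaded, severities=("critical", "high")):
    """Split critical/high findings into three work queues:
    fix_now   - fix available AND package loaded at runtime (true risk)
    fix_later - fix available but package never loaded
    no_fix    - no fix available; needs mitigation or tracking instead
    """
    fix_now, fix_later, no_fix = [], [], []
    for f in findings:
        if f.severity not in severities:
            continue
        if not f.fix_available:
            no_fix.append(f)
        elif f.package in loaded:
            fix_now.append(f)
        else:
            fix_later.append(f)
    return fix_now, fix_later, no_fix


def in_use_ratio(findings, loaded, severities=("critical", "high")):
    """Fraction of fixable critical/high findings whose package is in use."""
    fix_now, fix_later, _ = prioritise(findings, loaded, severities)
    fixable = len(fix_now) + len(fix_later)
    return len(fix_now) / fixable if fixable else 0.0
```

Running `prioritise(SCAN_FINDINGS, RUNTIME_LOADED)` on the constructed data leaves one finding to fix immediately out of three fixable ones, the same kind of reduction the report describes.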
Data from the report also shows that 90 percent of permissions are unused. If attackers compromise credentials from identities with privileged access or excessive permissions, they have the keys to the kingdom in a cloud environment.
In addition, 59 percent of containers have no CPU limits defined, and 69 percent of requested CPU resources go unused. Also, 72 percent of containers live for less than five minutes, which makes gathering troubleshooting information after a container is gone almost impossible; container lifespans also got 28 percent shorter this year.
"Looking back at last year's report, container adoption continues to mature, which is evident by the decrease in container life spans. However, misconfigurations and vulnerabilities continue to plague cloud environments, and supply chains are amplifying how security problems manifest. Permissions management, for users and services alike, is another area I’d love to see people get stricter about," says Michael Isbitski, director of cybersecurity strategy at Sysdig. "This year's report shows great growth and also outlines best practices that I hope teams adopt by the 2024 report, such as looking at in-use exposure to understand real risk, and to prioritize the remediation of vulnerabilities that are truly impactful."
The full report is available from the Sysdig site.
Image credit: billiondigital/depositphotos.com