Report: 75% of containers appear to run with serious vulnerabilities

A new report from Sysdig reveals that as teams rush to expand, container security and usage best practices are being sacrificed, leaving openings for attackers. In addition, operational controls are lagging, potentially leading to hundreds of thousands of dollars being wasted on poor capacity planning. These are all indicators that cloud and container adoption is maturing beyond early “expert” adopters, but that moving quickly with an inexperienced team can increase risk and cost.

One of the most shocking findings is that 75% of containers have “high” or “critical” patchable vulnerabilities. Organizations take well-considered risks in order to move quickly; however, 85% of images in production contain at least one patchable vulnerability. In addition, 75% of the images contain patchable vulnerabilities of “high” or “critical” severity. This implies a fairly significant level of risk acceptance, which is not uncommon for high-agility business models, but can be very dangerous.

The analysis also found that 73% of cloud accounts contain exposed S3 buckets and 36% of all existing S3 buckets are accessible to the public. The amount of risk associated with an open bucket depends on the sensitivity of the data stored there. However, it is rarely necessary to leave buckets open, and doing so is usually a shortcut that cloud teams should avoid.

Similarly, Sysdig also found that 27% of users have unnecessary root access – most without MFA enabled. Cloud security best practices and the CIS Benchmark for AWS indicate that organizations should avoid the root user for administrative and day-to-day tasks, yet 27% of organizations continue to do so. Forty-eight percent of customers do not have multi-factor authentication (MFA) enabled for these highly privileged accounts, making it easier for attackers to break into the organization if account information is leaked or stolen.

The report also looks at the amount of money wasted on poor capacity planning, the ratio of humans to non-humans in the cloud, container lifespan and density data, and the adoption of open source projects.

Read the full report by Sysdig.
