Sysdig Security and Usage Report Finds More than 75% of Running Containers Have Severe Vulnerabilities
January 26, 2022Sysdig announced findings from its Sysdig 2022 Cloud-Native Security and Usage Report. The report reveals that as teams rush to expand, container security and usage best practices are sacrificed, leaving openings for attackers. In addition, operational controls lag, potentially resulting in hundreds of thousands of dollars being wasted on poor capacity planning. All of these are indicators that cloud and container adoption is maturing beyond early, “expert” adopters, but moving quickly with an inexperienced team can increase risk and cost.
The fifth annual report reveals how global Sysdig customers of all sizes and across industries are using and securing cloud and container environments. This real-world, real-time data provides insight into usage of billions of containers run yearly, including usage trends, and security, compliance, runtime, and cloud practices.Highlights From the Report
- 75% of containers have “high” or “critical” patchable vulnerabilities
Organizations take educated risks for the sake of moving quickly; however, 85% of images that run in production contain at least one patchable vulnerability. Furthermore, 75% of images contain patchable vulnerabilities of “high” or “critical” severity. This implies a fairly significant level of risk acceptance, which is not unusual for high agility operating models, but can be very dangerous. - Nearly 3 out of every 4 accounts contain exposed S3 buckets
Seventy-three percent of cloud accounts contain exposed S3 buckets and 36% of all existing S3 buckets are open to public access. The amount of risk associated with an open bucket varies according to the sensitivity of the data stored there. However, leaving buckets open is rarely necessary and it’s usually a shortcut that cloud teams should avoid. - 27% of users have unnecessary root access, most without MFA enabled
Cloud security best practices and the CIS Benchmark for AWS indicate that organizations should avoid using the root user for administrative and daily tasks, yet 27% of organizations continue to do so. Forty-eight percent of customers don’t have multi-factor authentication (MFA) enabled on these highly privileged accounts, which makes it easier for attackers to compromise the organization if the account credentials are leaked or stolen. - $400,000+ per cluster overspend on cloud service provider bills
Capacity management and planning are difficult in fast changing Kubernetes environments and limits on how many resources a container can use can go undefined. Sixty percent of containers had no CPU limits defined and 51% had no memory limits defined. Of those clusters that did have CPU limits, an average of 34% of CPU cores were unused. Without knowing the utilization of clusters, organizations could be wasting money due to overallocation or causing performance issues by running out of resources. Given the average cost of Amazon Web Services CPU pricing, an organization with 20 Kubernetes clusters could be overspending up to $400,000 yearly.
Other Interesting Findings
- Non-humans outnumber humans in the cloud, with 88% of roles assigned to nonhumans, such as applications, cloud services, and commercial tools. While this isn’t necessarily a bad thing, a best practice is to follow the principle of least privilege and explicitly assign the minimum necessary permissions to each role. Granting excessive permissions is fast and easy for admins but adds risk.
- Container density grew again in 2021, a nearly 15% increase year-over year and a 360% increase in four years. As containers increase in density, setting resource limits becomes more important, a best practice not being followed as DevOps teams rush to expand cloud environments.
- Massive growth for Falco, the CNCF open-source project contributed by Sysdig. The project now has over 40 million downloads, which represents 370% growth since becoming an Incubating project in January 2020. Falco has secured its position as the runtime cloud and container security standard.
- Containers running as root continue to rise. Forty-eight percent of images are scanned before runtime, yet 76% of containers are running as root, a 31% increase from last year. Slow adoption of best practices may indicate broad adoption of container technologies by organizations that have not yet evolved their DevSecOps processes. Privileged containers are easier for attackers to compromise.
Download the full Sysdig 2022 Cloud-Native Security And Usage Report.