According to the Sysdig study, 87 percent of container images are said to have high-risk vulnerabilities. The 2023 Cloud-Native Security and Usage Report finds massive risk in the supply chain, along with more than $10 million in wasteful spending on large-scale cloud deployments.
Sysdig, the leader in cloud and container security, announces the results of the "Sysdig 2023 Cloud-Native Security and Usage Report". The report, which focuses on two themes this year, shows that supply chain risk and readiness to implement a Zero Trust architecture are the top unsolved security issues in cloud and container environments. The report also reveals that tens of millions of dollars in cloud spend is wasted on over-allocated capacity.
The sixth annual report provides real-world data on how global organizations of all sizes and industries are using and securing cloud and container environments. The datasets include billions of containers, thousands of cloud accounts, and hundreds of thousands of applications that Sysdig customers have run over the past year.
Highlights of the report
87 percent of container images have major or critical vulnerabilities
Due to the nature of modern design and sharing of open source images, security teams face a large number of container vulnerabilities. The reality is that teams cannot fix everything. They struggle to find the right parameters to prioritize vulnerabilities and reduce their workload.
The report gives hope to security teams
Only 15 percent of the critical and major vulnerabilities for which a fix is available are actually in packages that are loaded at runtime. By filtering for the vulnerable packages that are actually in use, teams can focus their efforts on the small subset of remediable vulnerabilities that pose real risk. Trimming the backlog by 85 percent, down to the 15 percent that pose a real threat, gives cybersecurity teams a much more manageable task.
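The runtime filter described above, as an added example (not Sysdig's code or data): a constructed scan result, a constructed package-to-file map and a constructed set of files observed opened at runtime are combined to keep only the fixable critical/high findings whose packages are actually loaded.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str       # placeholder ids, not real CVE numbers
    package: str
    severity: str      # "critical", "high", "medium", "low"
    fix_available: bool


# Constructed scanner output for one image (sample data, not a real scan).
SCAN_FINDINGS = [
    Finding("VULN-EXAMPLE-001", "openssl", "critical", True),
    Finding("VULN-EXAMPLE-002", "libxml2", "high", True),
    Finding("VULN-EXAMPLE-003", "curl", "high", False),
    Finding("VULN-EXAMPLE-004", "zlib", "medium", True),
    Finding("VULN-EXAMPLE-005", "perl", "critical", True),
]

# Constructed package database: the files each package installs.
PACKAGE_FILES = {
    "openssl": ["/usr/lib/libssl.so.3", "/usr/lib/libcrypto.so.3"],
    "libxml2": ["/usr/lib/libxml2.so.2"],
    "curl": ["/usr/bin/curl", "/usr/lib/libcurl.so.4"],
    "zlib": ["/usr/lib/libz.so.1"],
    "perl": ["/usr/bin/perl"],
}

# Constructed runtime observation: files the container's processes opened.
RUNTIME_OPENED_FILES = {
    "/usr/lib/libssl.so.3", "/usr/lib/libcrypto.so.3",
    "/usr/lib/libz.so.1", "/app/server",
}

ACTIONABLE = {"critical", "high"}


def packages_in_use(package_files, opened_files):
    """Map runtime file-open observations back to the packages that own them."""
    return {pkg for pkg, files in package_files.items()
            if any(f in opened_files for f in files)}


def prioritize(findings, in_use):
    """Critical/high, fixable and actually loaded: the subset to fix first."""
    return [f for f in findings
            if f.severity in ACTIONABLE and f.fix_available and f.package in in_use]


def runtime_share(findings, in_use):
    """Fraction of fixable critical/high findings in loaded packages (the report's 15 percent)."""
    fixable = [f for f in findings if f.severity in ACTIONABLE and f.fix_available]
    return len(prioritize(fixable, in_use)) / len(fixable) if fixable else 0.0
```

A package whose files were never opened during the observation window is deprioritized, not cleared, so the window must cover the workload's full behaviour before the unfiltered findings are set aside.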
90 percent of the permissions granted are not used
The principles of the Zero Trust architecture emphasize that organizations should avoid granting overly permissive access rights. Data from the report shows that 90 percent of all permissions are unused. When attackers compromise credentials of identities with privileged access or excessive privileges, they gain deep insight into a cloud environment.
No CPU limits are defined for 59 percent of the containers. In addition, 69 percent of the requested CPU resources remain unused
Without information about the utilization of Kubernetes environments, developers don't know where their cloud resources are over- or under-committed. Businesses of all sizes could therefore overspend by 40 percent. For large deployments, optimizing an environment could save an average of $10 million in cloud costs.
72 percent of the containers live less than five minutes
Gathering troubleshooting information after a container is gone is almost impossible. In addition, the average lifespan of a container fell by 28 percent this year. This decline suggests that organizations are making better use of container orchestration and underscores the need for security measures that can keep up with the ephemeral nature of the cloud.
Supply chains amplify security issues
“Looking back at last year's report shows that container adoption is continuing, as evidenced by the decline in container lifespans. However, misconfigurations and vulnerabilities continue to plague cloud environments. Supply chains increase the manifestation of security problems. Managing permissions, both for users and for services, is another area where I would like to see more rigorous practice,” said Michael Isbitski, director of cybersecurity strategy at Sysdig. “This year's report shows great growth while also outlining best practices that I hope teams will adopt by the 2024 report. This includes, for example, looking at the actual exposure to understand the actual risk and prioritizing remediation of vulnerabilities that have real impact.”
More at Sysdig.com
About Sysdig
Sysdig sets the standard for cloud and container security. The company pioneered runtime detection and response to cloud threats by developing Falco and Sysdig as open-source standards and key building blocks of the Sysdig platform.