Sysdig: Container Security Shifting Left, Docker Usage Shrinking


Sysdig's 2021 container security and usage report highlights a trend for container security to "shift left". Yet many of the analyzed images still lack basic security provisions.

Sysdig collected the data by analyzing millions of containers that some of its customers run on a daily basis, including containers based on NGINX, Go, PostgreSQL, and many other widely available images.

Shifting left, in the realm of security, means that teams consider the security implications of architectural and design choices earlier in the development cycle, rather than after deployment.

One highlight in our analysis revealed that for many companies, the trend of shifting left is extending to Kubernetes security with three-fourths of organizations scanning their container images in the CI/CD build phase prior to deployment.

Image scanning is key to security, says Sysdig, regardless of the image source. Indeed, about 55% of the images scanned for the report contained at least one vulnerability of high severity or higher.

This positive trend is unfortunately counterbalanced by poor handling of image configuration. Specifically, 58% of containers still run as root, says Sysdig, although only a handful of workloads genuinely require that privilege level. Without user namespace remapping, UID 0 inside the container is UID 0 on the host, so any kernel or runtime escape from a root container lands as root.

As container environments mature, organizations realize that scanning is not enough. They also need runtime security to deal with ongoing threats.

Besides running containers as root, other recurrent runtime policy violations identified by Sysdig include writing to files under / or /etc, using a shell as the entry point into a container, and modifying sensitive files.
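The configuration problems listed above (root user, writable system directories, privilege gains) are fixed at the pod level rather than by detection alone. The following is an added example, not code from the Sysdig report, showing the same Pod before and after hardening. The image name, pod names and UID 10001 are placeholders; the hardened version forces a non-root UID regardless of whether the image's Dockerfile ever set `USER`.

```yaml
# Added example (not from the Sysdig report). Two versions of one Pod.
# Image and pod names are placeholders; UID/GID 10001 is an arbitrary
# unprivileged identity chosen for the example.

# Before: no securityContext at all. If the image's Dockerfile never sets
# USER, the process starts as UID 0, can write anywhere under / and /etc,
# and can pick up extra capabilities through setuid binaries.
apiVersion: v1
kind: Pod
metadata:
  name: web-before
spec:
  containers:
    - name: web
      image: registry.example.com/team/web:1.4.2
---
# After: the runtime policy violations from the report are prevented at
# container start instead of merely being reported afterwards.
apiVersion: v1
kind: Pod
metadata:
  name: web-after
spec:
  securityContext:
    runAsNonRoot: true          # kubelet refuses to start a UID-0 process
    runAsUser: 10001            # explicit UID, so the check never falls back to the image default
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault      # container runtime's default syscall filter
  containers:
    - name: web
      image: registry.example.com/team/web:1.4.2
      securityContext:
        allowPrivilegeEscalation: false   # sets no_new_privs: setuid/setcap gains are blocked
        readOnlyRootFilesystem: true      # writes under / and /etc fail with EROFS
        capabilities:
          drop: ["ALL"]                   # no CAP_CHOWN, CAP_FOWNER, CAP_NET_RAW, ...
      ports:
        - containerPort: 8080             # unprivileged port, so no CAP_NET_BIND_SERVICE needed
      volumeMounts:
        - name: tmp
          mountPath: /tmp                 # the only writable path the application needs
  volumes:
    - name: tmp
      emptyDir: {}
```

Before deploying, check what the image itself defaults to with `docker inspect --format '{{.Config.User}}' registry.example.com/team/web:1.4.2`: an empty result means the image runs as root unless the pod spec overrides it, which is exactly the case the `runAsNonRoot`/`runAsUser` pair above is for. With `readOnlyRootFilesystem: true`, any path the application must write to (caches, PID files, uploads) has to be mounted explicitly as `/tmp` is here, which doubles as documentation of where the workload is allowed to write.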

One runtime security tool that, according to Sysdig, has seen growing adoption is the Cloud Native Computing Foundation (CNCF) Falco project. Originally created at Sysdig and later donated to the CNCF, Falco analyzes Linux system calls to detect unusual behaviour such as privilege escalation using privileged containers, ownership and mode changes, execve calls, shell and SSH usage, and so on. Runtime analysis is made harder by the fact that many containers have very short lifespans, too short for many monitoring tools to collect detailed information: almost 49% of containers live less than five minutes, and 21% live less than 10 seconds. Tools that poll at fixed intervals miss such containers entirely; only event-driven collection at the syscall level observes what they did.
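As an added example of the kind of syscall-level detection described above (written for this page, not taken from the Sysdig report or from Falco's bundled rule set), the rule below flags a shell binary exec'd as a container's first process, one of the policy violations the report lists. The list and macro names carry an `example_` prefix so they do not collide with Falco's own macros; the runtime parent names reflect runc-based runtimes and are an assumption about the environment.

```yaml
# Added example, not part of Falco's default rules. Loads with
#   falco -r example_rules.yaml
# on a Falco build with the kernel module or eBPF probe.
- list: example_shell_binaries
  items: [sh, bash, dash, ash, zsh, ksh, csh, tcsh, busybox]

# An execve/execveat that has completed (evt.dir=< is the return side).
- macro: example_spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# container.id is the literal string "host" for processes outside containers.
- macro: example_in_container
  condition: container.id != host

# The first process of a container is started by the OCI runtime, so a parent
# named runc means this exec IS the container entry point. (Assumption: a
# runc-based runtime such as containerd or CRI-O.)
- macro: example_runtime_parent
  condition: >
    (not proc.pname exists
     or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], runc, docker-runc))

- rule: Example shell used as container entry point
  desc: >
    A shell binary was exec'd as the first process of a container. Legitimate
    services normally start their own binary; a shell entry point is either a
    debug image that leaked into production or an attacker's foothold.
  condition: >
    example_spawned_process and example_in_container
    and proc.name in (example_shell_binaries)
    and example_runtime_parent
  output: >
    Shell launched as container entry point
    (user=%user.name shell=%proc.name cmdline=%proc.cmdline parent=%proc.pname
     container=%container.name image=%container.image.repository
     pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, shell, entrypoint, example]
```

Because the condition is evaluated on the execve event itself, the alert fires at the moment the container starts; a container that exits 10 seconds later still produced the event, which is the property that lets this style of detection cover the short-lived containers the report describes. To restrict the rule to interactive sessions only (for instance `kubectl exec -it ... -- sh`), add `and proc.tty != 0` to the condition; to include shells started later by any parent, drop the `example_runtime_parent` term, at the cost of noise from entrypoint scripts that legitimately spawn `sh -c`.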

Another trend that Sysdig highlights is a shift away from Docker as a container runtime in favour of containerd and CRI-O. This trend is no surprise, given the evolution of the Docker engine:

The Docker engine previously implemented both high-level and low-level runtime features. These are now broken out into separate containerd and runc projects.

The trend away from Docker is also confirmed by Kubernetes having officially announced that it will remove support for Docker as a container runtime (the dockershim component, deprecated in Kubernetes 1.20) later this year. Images built with Docker are unaffected: they are OCI images that containerd and CRI-O run unchanged. Kubernetes itself, on the other hand, holds the lead as the orchestrator of choice, at a significant distance from OpenShift.