
Report Finds 75% of Cloud Runtimes Contain High or Critical Vulnerabilities



Sysdig’s latest cloud-native security and usage report finds that shipping containers with vulnerabilities has become standard practice: 75% of containers run with high-severity vulnerabilities for which a patch was already available.

The report stresses that many organisations treat this as an acceptable risk, one they are prepared to take in order to build and release quickly.

The report's key takeaways show that many organisations still have a long way to go in establishing appropriate cloud-native and container security.

The report defines a number of key indicators of success in cloud-native operations and security, and analyses data from a broad array of organisations to show current trends in the industry. Sysdig offers widely used software for cloud-native and container security, and the anonymous reporting functionality in that software allows the company to gather usage insights and adoption statistics from its users.

Amazon Web Services’ S3 (Simple Storage Service) provides an ideal mechanism for storing and serving files, but locking it down so that public access isn’t possible takes some effort. The report found that 36% of AWS S3 buckets are open to public access, and that 73% of accounts have at least one public bucket. Whilst this isn’t in itself necessarily a security problem, it is indicative of organisations taking a security-by-obscurity approach to locking down buckets, perhaps because a zero-trust approach is not considered warranted. The result can be private information being exposed publicly across the Internet.
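As an added illustration (not part of the report or the article), the following Python snippet shows the two places a bucket's public exposure comes from, its ACL and its bucket policy, and audits constructed sample data shaped like the output of `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`. The bucket name, account ID and role ARN in the samples are placeholders; the "flag every wildcard-principal Allow, and mark conditional ones for review" rule is a deliberate simplification of AWS's own public-bucket determination.

```python
import json
from typing import Any, Optional
# Constructed samples in the shape of `aws s3api get-bucket-acl` output and the
# Policy string returned by `aws s3api get-bucket-policy` (all identifiers are placeholders).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DeployRole", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})

# Grantee groups that expose a bucket to anyone on the Internet / to any AWS account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_wildcard(principal: Any) -> bool:
    """True when a statement's Principal matches every caller ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_acl_grants(acl: dict) -> list:
    """Permissions the ACL hands to AllUsers / AuthenticatedUsers, as '<group uri>:<perm>'."""
    return [f"{g['Grantee']['URI']}:{g['Permission']}" for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]

def public_policy_statements(policy_json: Optional[str]) -> list:
    """(Sid, has_condition) for Allow statements with a wildcard Principal. A Condition block
    may narrow access (e.g. by source IP), so those are still reported but flagged for review."""
    if not policy_json:
        return []
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # a single statement may be a bare dict
    return [(s.get("Sid", "<no Sid>"), "Condition" in s) for s in stmts
            if s.get("Effect") == "Allow" and _principal_is_wildcard(s.get("Principal"))]

def audit_bucket(acl: dict, policy_json: Optional[str]) -> dict:
    """Run both checks; 'public' is True when either the ACL or the policy exposes the bucket."""
    acl_hits, policy_hits = public_acl_grants(acl), public_policy_statements(policy_json)
    return {"acl_public": acl_hits, "policy_public": policy_hits, "public": bool(acl_hits or policy_hits)}
```

Either finding alone is enough to make the bucket public, which is why account-level S3 Block Public Access is the usual backstop rather than auditing ACLs and policies bucket by bucket.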

Performance issues and cost overruns feature heavily in the report too, with data showing that more than half of containers deployed to Kubernetes infrastructure have no memory or CPU limits defined. Adding these lets cluster administrators profile the applications they run, and also prevents those applications from overrunning a cluster or growing to a size where capacity is wasted. The same problem shows up in the finding that a third of the CPU cores allocated to clusters were unused, a sign that autoscaling capacity to meet demand is not yet a solved problem.

96% of the container platforms in use are Kubernetes, showing that consolidation in this area is almost complete. Measurement and monitoring of usage also shows a clear adoption trend, with Prometheus in use at 83% of organisations at the expense of other, less cloud-native solutions. Prometheus has gained an advantage as an open standard, and one that fits well with applications run in a Kubernetes cluster.

Interested readers can download the full report from the Sysdig website.

Community comments

  • Not surprising

    by Nico Coetzee

    I have noticed that even if I use a pristine base image (like ubuntu:latest) and then apply all patches (apt update ; apt upgrade) the end result still flags many issues with Snyk's container scanner. And that's without any other applications installed - just pull the image and apply the patches.

    23 Low, 3 medium

    Now add your app with its own libraries and other dependencies and that number will only go north.

    One of my projects has a simple Java app. After only a couple of days it's reporting 61 High and 45 medium vulnerabilities - many of which can't be fixed right now as it depends on third party library maintainers to fix their stuff.

    And these are just the low hanging fruits...

    So, I don't find these reports strange at all.
