Leaky containers and buckets: Sysdig usage report claims 75% of containers need patching, pronto

Report highlights

75% of containers have “high” or “critical” patchable vulnerabilities

Organizations take educated risks for the sake of moving quickly; however, 85% of images that run in production contain at least one patchable vulnerability. Furthermore, 75% of images contain patchable vulnerabilities of “high” or “critical” severity. This implies a fairly significant level of risk acceptance, which is not unusual for high agility operating models, but can be very dangerous.

Nearly 3 out of every 4 accounts contain exposed S3 buckets

Seventy-three percent of cloud accounts contain exposed S3 buckets and 36% of all existing S3 buckets are open to public access. The amount of risk associated with an open bucket varies according to the sensitivity of the data stored there. However, leaving buckets open is rarely necessary and it’s usually a shortcut that cloud teams should avoid.

27% of users have unnecessary root access, most without MFA enabled

Cloud security best practices and the CIS Benchmark for AWS indicate that organizations should avoid using the root user for administrative and daily tasks, yet 27% of organizations continue to do so. Forty-eight percent of customers don’t have multi-factor authentication (MFA) enabled on these highly privileged accounts, which makes it easier for attackers to compromise the organization if the account credentials are leaked or stolen.

$400,000+ per cluster overspend on cloud service provider bills

Capacity management and planning are difficult in fast changing Kubernetes environments and limits on how many resources a container can use can go undefined. Sixty percent of containers had no CPU limits defined and 51% had no memory limits defined. Of those clusters that did have CPU limits, an average of 34% of CPU cores were unused. Without knowing the utilization of clusters, organizations could be wasting money due to overallocation or causing performance issues by running out of resources. Given the average cost of Amazon Web Services CPU pricing, an organization with 20 Kubernetes clusters could be overspending up to $400,000 yearly.

Other interesting findings

• Non-humans outnumber humans in the cloud, with 88% of roles assigned to nonhumans, such as applications, cloud services, and commercial tools. While this isn’t necessarily a bad thing, a best practice is to follow the principle of least privilege and explicitly assign the minimum necessary permissions to each role. Granting excessive permissions is fast and easy for admins but adds risk.
• Container density grew again in 2021, a nearly 15% increase year-over year and a 360% increase in four years. As containers increase in density, setting resource limits becomes more important, a best practice not being followed as DevOps teams rush to expand cloud environments.
• Massive growth for Falco, the CNCF open-source project contributed by Sysdig. The project now has over 40 million downloads, which represents 370% growth since becoming an Incubating project in January 2020. Falco has secured its position as the runtime cloud and container security standard.
• Containers running as root continue to rise. Forty-eight percent of images are scanned before runtime, yet 76% of containers are running as root, a 31% increase from last year. Slow adoption of best practices may indicate broad adoption of container technologies by organizations that have not yet evolved their DevSecOps processes. Privileged containers are easier for attackers to compromise.

Article Topics

application development  |  cloud native  |  DevOps  |  Sysdig