Container Security is Shifting Left

Sysdig reported how they observed the behaviors of over two million containers, their security risks, usages, deployed services, alerts, and other applications in the environment. The observations yielded the data percentages and analysis in the report; this post will point out the highlights.

DevOps teams are “shifting left” intending to consider certain implications at the start of the development lifecycle, which is tied to security concerns. From the report, 74% of customers scan their images as part of the pre-deployment process - this helps the team to critically attack any security risk before the application is rolled into production, using CI/CD concepts. Sysdig’s report mentions that 58% of images run as root which may cause security and privilege escalation problems.

The vulnerabilities addressed in the build phase of the container lifecycle need to be avoided, so there have to be policies that detect unwanted behaviors in the system and revert the necessary alerts to the engineers. Security is something that’s been addressed with open-source solutions like Falco. The Sysdig report states that over 20 million Docker hub pulls were observed for Falco images and this represents at least a 300% growth compared to last year’s 252% increase.

Year-by-year, there is an identical pattern where containers are alive for a short time; Sysdig reports that 49% of these containers live less than five minutes and 21% live less than 10 seconds and this presents a major security auditing problem since most security tools can’t provide a viable analysis during such durations.

While comparing Docker with containerd and CRI-O, Sysydig has observed that over the past year, there has been 200% growth for both containerd and CRI-O while Docker came at 50% which is a drop from 79% of the previous year. Meanwhile, the Kubernetes project announced that it would be reducing the use of Docker much later in 2021. With such evolvement in the container runtime space, there may be difficulties in making the right choices for your projects and applications, so it is important to understand your need and make the corresponding decision. In a blog post, Sysdig recommended:

“To make it even easier, popular platforms like OpenShift, GKE, and IKS support using multiple container runtimes in parallel and have typically designed in a runtime of choice, removing the need to spend any cycles of development on deciding which one to use.”

Amongst the diverse registries used to host and manage container images, the report states that Docker Registry is the most used as it has over 36% compared to GCR with 26%, Quay with 24%, IBM Cloud Container Registry with 7%, RedHat Registry with 5%, AWS ECR with 3% and the rest holds 1%.

According to Sysdig, JMX, StatsD, and Prometheus are the 3 main solutions used to monitor containers. Prometheus was observed to have a lot of traction this year. The report says Prometheus use increased to 62% across Sysdig customers compared to its previous value of 46% last year.

Taking the numbers appearing in this report into consideration and knowing that 51% of 4 million Docker images have critical vulnerabilities, taking charge of containers’ security is becoming, not just a trend, but a matter of infrastructure and application stability.

DevSecOps, the acknowledged approach by the experts in the field, seems to take more importance than ever in software engineering. It’s not surprising that we think DevSecOps generally and container security specifically will be of the important trends in 2021.

During 2020, DevSecOps tooling was critical for companies adopting Cloud Native technologies and containers. Hopefully, this practice will strengthen in 2021.

References:

Sysdig 2021 container security and usage report: Shifting left is not enough