Container Security is Shifting Left

DevOps teams are “shifting left” intending to consider certain implications at the start of the development lifecycle, which is tied to security concerns.

Every year, Sysdig releases the “Container Usage and Security” report and the fourth report came in yesterday. There has been a significant shift in container engines that organizations are utilizing in their systems and the reports also show some interesting data on how organizations implement security in the application development lifecycle.


    Sysdig logo Sysdig logo

    Sysdig reported how they observed the behaviors of over two million containers, their security risks, usages, deployed services, alerts, and other applications in the environment. The observations yielded the data percentages and analysis in the report; this post will point out the highlights.

    DevOps teams are “shifting left” intending to consider certain implications at the start of the development lifecycle, which is tied to security concerns. From the report, 74% of customers scan their images as part of the pre-deployment process - this helps the team to critically attack any security risk before the application is rolled into production, using CI/CD concepts. Sysdig’s report mentions that 58% of images run as root which may cause security and privilege escalation problems.

    The vulnerabilities addressed in the build phase of the container lifecycle need to be avoided, so there have to be policies that detect unwanted behaviors in the system and revert the necessary alerts to the engineers. Security is something that’s been addressed with open-source solutions like Falco. The Sysdig report states that over 20 million Docker hub pulls were observed for Falco images and this represents at least a 300% growth compared to last year’s 252% increase.

    Year-by-year, there is an identical pattern where containers are alive for a short time; Sysdig reports that 49% of these containers live less than five minutes and 21% live less than 10 seconds and this presents a major security auditing problem since most security tools can’t provide a viable analysis during such durations.

    While comparing Docker with containerd and CRI-O, Sysydig has observed that over the past year, there has been 200% growth for both containerd and CRI-O while Docker came at 50% which is a drop from 79% of the previous year. Meanwhile, the Kubernetes project announced that it would be reducing the use of Docker much later in 2021. With such evolvement in the container runtime space, there may be difficulties in making the right choices for your projects and applications, so it is important to understand your need and make the corresponding decision. In a blog post, Sysdig recommended:

    “To make it even easier, popular platforms like OpenShift, GKE, and IKS support using multiple container runtimes in parallel and have typically designed in a runtime of choice, removing the need to spend any cycles of development on deciding which one to use.”

    Amongst the diverse registries used to host and manage container images, the report states that Docker Registry is the most used as it has over 36% compared to GCR with 26%, Quay with 24%, IBM Cloud Container Registry with 7%, RedHat Registry with 5%, AWS ECR with 3% and the rest holds 1%.

    According to Sysdig, JMX, StatsD, and Prometheus are the 3 main solutions used to monitor containers. Prometheus was observed to have a lot of traction this year. The report says Prometheus use increased to 62% across Sysdig customers compared to its previous value of 46% last year.

    Taking the numbers appearing in this report into consideration and knowing that 51% of 4 million Docker images have critical vulnerabilities, taking charge of containers’ security is becoming, not just a trend, but a matter of infrastructure and application stability.

    DevSecOps, the acknowledged approach by the experts in the field, seems to take more importance than ever in software engineering. It’s not surprising that we think DevSecOps generally and container security specifically will be of the important trends in 2021.

    During 2020, DevSecOps tooling was critical for companies adopting Cloud Native technologies and containers. Hopefully, this practice will strengthen in 2021.

    References:

    Sysdig 2021 container security and usage report: Shifting left is not enough


    Get similar stories in your inbox weekly, for free



    Share this story with your friends
    editorial
    The Chief I/O

    The team behind this website. We help IT leaders, decision-makers and IT professionals understand topics like Distributed Computing, AIOps & Cloud Native

    Latest stories


    200 Million Certificates in 24 Hours

    Let's Encrypt has been providing free Certificate Authority (CA) for websites in need of them …

    Gatling VS K6

    Gatling and K6 are performance load testing tools, and they are both open source, easy …

    Red Hat Ansible Platform 1 vs 2; What’s the Difference?

    Red Hat Ansible is a platform used by enterprises to manage, unify and execute infrastructure …

    Domino Data Labs Raised $100 Million in the Latest Funding Round

    Culled from the news released by Domino Data labs on funding and the company's progress …

    New Release: The Microsoft Azure Purview Is Now Available on General Availability

    News report detailing the announcement of the release of Azure purview on GA

    Google Introduces Online Training Program to Improve Cloud Skills

    Google addresses existing cloud personnel deficiency with training programs.