• Around 74% of organizations are now scanning their images in the CI/CD build process.
• The decline in usage of the Docker runtime
• Shift left is not a magic wand
• Increase in usage of Falco and Prometheus

Sysdig publishes its Container Security and Usage Report every year; this year's report was authored by Aaron Newcomb, Director, Product Marketing at Sysdig.

As Newcomb worked on the report he found many things he expected, including rising container density, with nodes being packed with more containers. What really surprised him was the increased focus on and awareness of security: around 74% of organizations are now scanning their images in the CI/CD build process.

The report also notes the decline of Docker. “With the announcement of Kubernetes deprecating support for the Docker runtime, we see a dramatic increase (4x) in containerd and CRI-O usage,” said Newcomb.

While it’s encouraging to see people paying more attention to shifting left on container security, since it lets them deploy more quickly and with more confidence in their releases, that is not the only thing they need to look at. In fact, a myopic view of shift left as the final security measure leaves users more vulnerable.

The report found that 58% of containers were running as root, which is extremely dangerous. Combine misconfigurations with containers running as root and the entire shift-left approach is rendered moot. “Shift left isn’t a magic wand that you can wave over your DevOps and sit back and rest,” said Newcomb. “You need to be constantly vigilant because even if you are shifting left, there are lots of things that can get through, especially configuration errors, and they crop up all the time.”
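As an added illustration of the root-container finding above (example code, not from the report or from Sysdig), the following audit walks constructed Kubernetes Pod manifests and flags containers that run, or silently fall back to running, as root. Field names follow the Kubernetes `securityContext` API; the manifests and image names are constructed.

```python
"""Audit Kubernetes Pod specs for containers that may run as root.

Constructed example. Pod-level securityContext fields are inherited unless
the container overrides them; when neither runAsUser nor runAsNonRoot is
set, the container runs as the image's USER, which is commonly root.
"""


def effective_security_context(pod_spec: dict, container: dict) -> dict:
    """Merge pod-level and container-level securityContext (container wins)."""
    merged = dict(pod_spec.get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def root_findings(manifest: dict) -> list[str]:
    """Return one finding per container that runs, or may run, as root."""
    findings = []
    spec = manifest.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = effective_security_context(spec, c)
        uid = sc.get("runAsUser")
        if uid == 0:
            findings.append(f"{c['name']}: runAsUser is 0 (explicit root)")
        elif uid is None and not sc.get("runAsNonRoot"):
            findings.append(
                f"{c['name']}: no runAsUser and runAsNonRoot not set "
                "(falls back to image USER, often root)")
    return findings


# Constructed manifests: the weak one beside the hardened one.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [
        {"name": "app", "image": "example/app:1.0"},
        {"name": "sidecar", "image": "example/sidecar:1.0",
         "securityContext": {"runAsUser": 0}},
    ]},
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [
            {"name": "app", "image": "example/app:1.0"},
            {"name": "sidecar", "image": "example/sidecar:1.0",
             "securityContext": {"allowPrivilegeEscalation": False}},
        ],
    },
}

if __name__ == "__main__":
    for name, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(name, root_findings(pod) or ["ok"])
```

The same check belongs in an admission controller or a CI policy step, since a scanned-clean image still ends up running as root when the manifest never says otherwise.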

Another point is that container lifespans are shortening; many containers live only a very short time. So even if you are shifting left, containers that live for only 10-15 seconds can still carry issues you never catch, because you don’t have the right tools or processes in place to catch things within that window.

Scanning also brings the risk of the ‘street lamp’ effect, where you only look in the areas you are expected to look at. We need a holistic view of the whole stack, going all the way down to the OS and kernel level. “If you could look at a very low level and see that there’s an activity that should not be taking place on a particular system, you can step in and stop it sooner,” said Newcomb. That is where Sysdig’s open source Falco project enters the picture. The report sees a massive jump in Falco’s adoption: Newcomb noticed a 300% increase in downloads for Falco. There was also big growth in Prometheus metrics usage.

These are some of the takeaways from this discussion. Newcomb deep dives into the report, and we discussed more topics than are listed here. Please watch the entire discussion above and subscribe to our newsletter so you don’t miss stories like these. You can also subscribe to our YouTube channel to get notified as soon as we publish new content there.