Most containers are running as root, which increases runtime security risk

While container usage reveals organizations are shifting left by scanning images during the build phase, DevOps teams are still leaving their environments open to attack, according to Sysdig.

containers runtime security risk

The report also looks at trends, finding a 310 percent growth in container density since 2017, and reveals how organizations of all sizes and across industries are using and securing container environments.

Among its findings, the report states that while 74 percent of customers are scanning before deployment, still 58 percent of containers are running as root. There are some containers that should run as root—security and system daemons for example—but this is a small portion of total containers.

These risky configurations leave easy access to potentially compromise the system and access sensitive data. This finding stresses the need for security throughout the lifecycle of a container image—fixing vulnerabilities is not enough.

Container density grows 170% since 2018

Over the past three years, the median number of containers-per-host more than doubled from 15 in 2018 to 41 today, indicating a growth in efficiency and a shift in cost savings as containers mature. This reveals a continued focus on optimization.

Prometheus continues to grow, 35% YoY

Open source adoption is broader than just Kubernetes as organizations are shifting toward Prometheus as the standard approach to monitoring container environments.

The use of Prometheus metrics grew 35 percent year-over-year.

Docker down, containerd and CRI-O up 4X

In 2017, Docker represented 99 percent of containers in use at that time. Today, that number has fallen to 50 percent, down from 79 percent in October 2019.

While Docker revolutionized containers, organizations are rapidly switching to newer runtimes like containerd and CRI-O.

21% of containers live less than 10 seconds

The ephemeral nature of containers is a unique efficiency advantage, yet it can be a challenge in managing issues around security, health, and performance. The short life of containers reaffirms the need for container-specific tools for security and monitoring. For example, organizations need metric collection with intervals of less than 10 seconds and a detailed record of what occurred when the container was alive.

“With the high-profile breaches we are seeing and the accelerated adoption of containers in production, the container security risk is now on the radar of CISOs. Across millions of containers that we have studied, it’s clear that organizations are shifting security left, but they are neglecting critical best practices,” said Suresh Vasudevan, CEO of Sysdig.

“Container security has to span the entire software development lifecycle. Until organizations fix risky configurations, protect their runtime environments, and invest in container forensics, we will see an increase in container security breaches. I expect we will see several high-impact breaches before we release our next report.”

Other findings

  • There has been a 300 percent increase in Docker Hub downloads over the last year.
  • The use of golang increased to 66 percent, a 470 percent jump since last year.
  • 63 percent of container images are replaced within two weeks or less, signifying a more frequent code deployment rate.



Share this