Sysdig Exposes The Risk and Cost Of Cloud Usage
Written by Sue Gee   
Wednesday, 01 February 2023

Sysdig has published a new report into cloud and container security and usage. It confirms that supply chain risk and zero trust architecture readiness are issues of paramount concern and also exposes tens of millions of dollars in wasted cloud spend caused by over-allocated capacity.

Founded in 2013 by Loris Degioanni, co-creator of Wireshark, Sysdig launched its open source Linux visibility tool a year later. Its open source tool for threat detection, Falco, was contributed to the Cloud Native Computing Foundation as a sandbox project in 2018 and is now a CNCF incubating project. Falco and Sysdig are the key building blocks of the Sysdig platform, which enables teams to detect and respond to threats, find and prioritize software vulnerabilities, detect and fix misconfigurations, and maximize performance and availability.

The Sysdig 2023 Cloud-Native Security and Usage Report, its sixth annual report, reveals how global companies of all sizes and in all industries use and secure cloud and container environments. It is based on data covering billions of containers, thousands of cloud accounts, and hundreds of thousands of applications that Sysdig customers operated over the course of the last year.

Having identified vulnerabilities introduced through software supply chains as one of the two biggest cloud security risks, Sysdig reports that 87% of container images running in production have a critical or high severity vulnerability. The report comments:
Despite increased adoption of shift-left security strategies to assess code early and often, organizations need runtime security. This is evidenced by the tremendous growth in the adoption of technologies like Falco, a Cloud Native Computing Foundation (CNCF) open source project, that helps organizations detect runtime threats across clouds, containers, hosts, and Kubernetes environments.

On a more positive note the report also finds that only 15% of high or critical severity vulnerabilities with an available fix are actually in use at runtime and advises:
Prioritization based on filtering by in use packages enables teams to significantly reduce cycles spent chasing an endless pile of vulnerabilities.
With regard to runtime protection methods that mitigate unpatchable vulnerabilities, the report suggests reducing "image bloat". It argues that, while ideally an image should consist only of the code necessary to do its job, third-party pre-packaged and open source images often include superfluous packages.
Sysdig looked at the package types of more than 6.3 million running images to determine the four most commonly used package types and then identified those with the most bloat.
JavaScript packages were found in the greatest number, yet fewer than 1% of them were required at runtime, making them the top candidate for removal to reduce bloat. On the other hand, it was Java packages that were found to be the riskiest, representing over 60% of vulnerabilities exposed at runtime.
 
Noting that misconfigurations are still the biggest factor in security incidents, the report looked into the management of identities, access, and privilege, commenting:
Although many organizations are talking about zero trust principles, such as enforcing least privilege, our data shows little evidence of action.
In fact, Sysdig found that 90% of granted permissions are not used, which leaves many opportunities for attackers who steal credentials.
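The "granted but never used" gap the report measures is something a team can check for itself by diffing what a policy allows against what the audit trail shows the identity actually doing. The script below is an added example, not from the Sysdig report or its products: GRANTED_POLICY is a constructed IAM-style policy, AUDIT_LOG holds constructed CloudTrail-like records, and treating `<service>:<eventName>` as the IAM action name is a simplifying assumption made here (real event names and IAM actions do not always map one-to-one). It reports the idle grants, the share of permissions that were never exercised, and a tightened policy containing only the actions that were observed, with the `logs:*` wildcard narrowed to the concrete actions seen.

```python
"""Compare the permissions a role is granted with the actions it is actually
seen using, the kind of measurement behind the report's "90% of granted
permissions are not used" finding.

Added example, not from the Sysdig report or its products. GRANTED_POLICY is a
constructed IAM-style policy document and AUDIT_LOG holds constructed,
CloudTrail-like records; treating "<service>:<eventName>" as the IAM action
name is a simplification assumed here.
"""
import json
from fnmatch import fnmatchcase
from typing import Dict, List, Set

GRANTED_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
                "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteTable",
                "iam:PassRole", "iam:CreateUser", "ec2:RunInstances",
                "logs:*",  # wildcard grant: the audit narrows it to what was seen
            ],
            "Resource": "*",
        }
    ],
}

# Constructed audit log: one JSON record per line over an observation window.
AUDIT_LOG = """\
{"eventSource": "s3.amazonaws.com", "eventName": "GetObject"}
{"eventSource": "s3.amazonaws.com", "eventName": "ListBucket"}
{"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem"}
{"eventSource": "s3.amazonaws.com", "eventName": "GetObject"}
{"eventSource": "logs.amazonaws.com", "eventName": "CreateLogStream"}
{"eventSource": "logs.amazonaws.com", "eventName": "PutLogEvents"}
{"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity"}
"""


def granted_actions(policy: Dict) -> List[str]:
    """Collect the action patterns from every Allow statement (str or list)."""
    actions: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return actions


def used_actions(log_text: str) -> Set[str]:
    """Derive '<service>:<eventName>' from each log record (assumed mapping)."""
    used: Set[str] = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        service = rec["eventSource"].split(".")[0]
        used.add(f"{service}:{rec['eventName']}")
    return used


def audit_permissions(policy: Dict, log_text: str) -> Dict:
    """Split grants into exercised/idle and build a policy of only what was used."""
    granted = granted_actions(policy)
    used = used_actions(log_text)
    exercised = [p for p in granted if any(fnmatchcase(a, p) for a in used)]
    idle = [p for p in granted if p not in exercised]
    # Concrete actions covered by some grant: these replace wildcards like logs:*
    needed = sorted(a for a in used if any(fnmatchcase(a, p) for p in granted))
    # Actions seen but not covered here: they must come from another policy
    unmatched = sorted(a for a in used if a not in needed)
    minimized = {
        "Version": policy.get("Version", "2012-10-17"),
        "Statement": [{"Effect": "Allow", "Action": needed, "Resource": "*"}],
    }
    return {
        "granted_count": len(granted),
        "exercised": exercised,
        "idle": idle,
        "unused_fraction": len(idle) / len(granted) if granted else 0.0,
        "unmatched_used": unmatched,
        "minimized_policy": minimized,
    }


if __name__ == "__main__":
    print(json.dumps(audit_permissions(GRANTED_POLICY, AUDIT_LOG), indent=2))
```

On the constructed data, 7 of the 11 grants are idle (about 64%), and the tightened policy drops `iam:CreateUser`, `ec2:RunInstances` and the destructive DynamoDB and S3 actions that the role never touched. The `unmatched_used` list is worth keeping in a real run: an action that appears in the log but matches nothing in the policy under review was authorised by some other attached policy, which needs the same treatment.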
 
Turning to container usage, the report reveals the extent of unused Kubernetes resources. Admitting that keeping track of the cost and usage of containers is inherently difficult, the report notes that organizations often neglect to set limits on how many resources a container can use. Allowing developers to choose capacity themselves can also lead to over-allocation. Concrete findings were that in Sysdig's largest region 59% of containers had no CPU limits defined, and 69% of requested CPU resources were unused:
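Both figures the report quotes, the share of containers with no CPU limit and the share of requested CPU that sits idle, can be computed for a cluster from its pod specs plus a usage sample. The script below is an added example, not from the Sysdig report or its tooling: POD_LIST is a constructed fragment shaped like the output of `kubectl get pods -A -o json`, and OBSERVED_CPU holds constructed average-usage figures in cores standing in for real metrics. It walks every container, flags missing CPU limits and requests, and compares what was requested with what was actually consumed.

```python
"""Find containers that run without CPU limits or requests, and measure how
much of the requested CPU goes unused, the two figures the report gives for
its largest region.

Added example, not from the Sysdig report or its tooling. POD_LIST is a
constructed fragment shaped like `kubectl get pods -A -o json` output, and
OBSERVED_CPU holds constructed average-usage samples in cores, standing in
for real metrics data.
"""
import json
from typing import Dict, List

POD_LIST: Dict = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {"namespace": "default", "name": "web-0"},
            "spec": {"containers": [
                {"name": "nginx",
                 "resources": {"requests": {"cpu": "500m", "memory": "128Mi"},
                               "limits": {"cpu": "1", "memory": "256Mi"}}},
                {"name": "sidecar",
                 "resources": {"requests": {"cpu": "250m"}}},  # request, no limit
            ]},
        },
        {
            "metadata": {"namespace": "payments", "name": "api-1"},
            "spec": {"containers": [
                {"name": "api"},  # no resources block at all
            ]},
        },
        {
            "metadata": {"namespace": "batch", "name": "job-2"},
            "spec": {"containers": [
                {"name": "worker",
                 "resources": {"requests": {"cpu": "2"}, "limits": {"cpu": "2"}}},
            ]},
        },
    ],
}

# Constructed average CPU usage in cores, keyed namespace/pod/container.
OBSERVED_CPU: Dict[str, float] = {
    "default/web-0/nginx": 0.10,
    "default/web-0/sidecar": 0.05,
    "payments/api-1/api": 0.30,
    "batch/job-2/worker": 0.60,
}


def parse_cpu(quantity: str) -> float:
    """Convert a Kubernetes CPU quantity ('500m', '2', '0.25') to cores."""
    q = str(quantity).strip()
    if q.endswith("m"):
        return int(q[:-1]) / 1000.0
    return float(q)


def audit_pods(pod_list: Dict, observed: Dict[str, float]) -> Dict:
    """Report containers lacking CPU limits/requests and the unused request share."""
    total = 0
    no_limit: List[str] = []
    no_request: List[str] = []
    requested = 0.0
    used_of_requested = 0.0
    for pod in pod_list["items"]:
        ns = pod["metadata"]["namespace"]
        name = pod["metadata"]["name"]
        for c in pod["spec"].get("containers", []):
            total += 1
            key = f"{ns}/{name}/{c['name']}"
            res = c.get("resources", {})
            limit = res.get("limits", {}).get("cpu")
            request = res.get("requests", {}).get("cpu")
            if limit is None:
                no_limit.append(key)
            if request is None:
                no_request.append(key)
            # Kubernetes defaults the request to the limit when only a limit is set
            effective = request if request is not None else limit
            if effective is not None:
                req = parse_cpu(effective)
                requested += req
                # Usage above the request is bursting, not part of the request, so cap it
                used_of_requested += min(observed.get(key, 0.0), req)
    return {
        "containers": total,
        "no_cpu_limit": no_limit,
        "no_cpu_request": no_request,
        "no_limit_fraction": len(no_limit) / total if total else 0.0,
        "requested_cpu": requested,
        "unused_request_fraction":
            (requested - used_of_requested) / requested if requested else 0.0,
    }


if __name__ == "__main__":
    print(json.dumps(audit_pods(POD_LIST, OBSERVED_CPU), indent=2))
```

On the constructed data half the containers have no CPU limit and about 73% of the requested CPU is idle, which is the same shape of result as the report's 59% and 69%. The container with no resources block at all is the one to fix first: with neither a request nor a limit it is scheduled on a best-effort basis and can consume whatever the node has free.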
 
This leads to the staggering conclusion that organizations of all sizes could be overspending by 40%, and for large deployments, optimizing an environment could save an average $10 million on cloud consumption bills.  
 

More Information

Download the Sysdig 2023 Cloud-Native Security and Usage Report

Related Articles

What's the Best Way to Effectively Monitor a Kubernetes Cluster?

Does Sigstore Really Secure The Supply Chain?



Last Updated ( Wednesday, 01 February 2023 )