EP54 Container Security: The Past or The Future?
Feb 28, 2022 • 24 min • Season 1, Ep. 54
Episode description
Guest:
- Anna Belak, Director of Thought Leadership @ Sysdig
Topics:
- One model for container security is “Infrastructure security | build security | runtime security” - which is most important to get right? Which is hardest to get right?
- How are you helping users get their infrastructure security right, and what do they get wrong most often here?
- Your report states that “3/4 of running containers have at least one ‘high’ or ‘critical’ vulnerability” and it sounds like pre-cloud IT, but this is about containers? This was very true before cloud, so why is it still true in cloud native? Aren’t containers easy to “patch” and redeploy?
- You say “Whether the container images originate from private or public registries, it is critical to scan them and identify known vulnerabilities prior to deploying into production,” but then 75% have critical vulns? Is the problem that 75% of containers go unscanned, or that users just don’t fix things?
- “52% of all images are scanned in runtime, and 42% are initially scanned in the CI/CD pipeline.” Isn’t pipeline and repo scanning easier and cheaper? Why isn’t this 90/10 rather than 40/50?
- “62% detect shells in containers” sounds (to Anton) like “62% of zoos have a dragon in them,” i.e. kinda surreal. What’s the real story?
- Containers are at the forefront of cloud native computing yet your report seems to show a lot of pre-cloud practices? Are containers just VMs and VMs just servers?
Resources: