EP54 Container Security: The Past or The Future?

Guest:  Anna Belak,  Director of Thought Leadership @ Sysdig Topics: One model for container security is “Infrastructure security  | build security | runtime security” -  which is most important to get right? Which is hardest to get right?  How are you helping users get their infrastructure security right, and what do they get wrong most often here? Your report states that “3⁄4 of running containers have at least one "high" or "critical" vulnerability“ and it  sounds like pre-cloud IT, but this is about containers?  This was very true  before cloud, why is this still true in cloud native?  Aren’t containers easy to “patch” and redeploy?  You say  “Whether the container images originate from private or public registries, it is critical to scan them and identify known vulnerabilities prior to deploying into production.“ but then 75% have critical vulns? Is the problem that 75% of containers go unscanned, or that users just don’t fix things?   “52% of all images are scanned in runtime, and 42% are initially scanned in the CI/CD pipeline.“ - isn’t pipeline and repo scanning easier and cheaper? Why isn’t this 90/10 but 40/50?  “62% detect shells in containers” sounds (to Anton) that “62% zoos have a dragon in them” i.e. kinda surreal. What’s the real story? Containers are at the forefront of cloud native computing yet your report seems to show a lot of pre-cloud practices? Are containers just VMs and VMs just servers?  Resources: Sysdig report Kubernetes podcast episode with Anna Belak  EP15 Scaling Google Kubernetes Engine Security Sysdig learning hub