Guest:

• Anna Belak, Director of Thought Leadership @ Sysdig

Topics:

• One model for container security is "Infrastructure security | build security | runtime security" - which is most important to get right? Which is hardest to get right?
• How are you helping users get their infrastructure security right, and what do they get wrong most often here?
• Your report states that "3⁄4 of running containers have at least one "high" or "critical" vulnerability" and it sounds like pre-cloud IT, but this is about containers? This was very true before cloud, why is this still true in cloud native? Aren't containers easy to "patch" and redeploy?
• You say "Whether the container images originate from private or public registries, it is critical to scan them and identify known vulnerabilities prior to deploying into production." but then 75% have critical vulns? Is the problem that 75% of containers go unscanned, or that users just don't fix things?
• "52% of all images are scanned in runtime, and 42% are initially scanned in the CI/CD pipeline." - isn't pipeline and repo scanning easier and cheaper? Why isn't this 90/10 but 40/50?
• "62% detect shells in containers" sounds (to Anton) that "62% zoos have a dragon in them" i.e. kinda surreal. What's the real story?
• Containers are at the forefront of cloud native computing yet your report seems to show a lot of pre-cloud practices? Are containers just VMs and VMs just servers?

Resources:

• Sysdig report
• Kubernetes podcast episode with Anna Belak
• EP15 Scaling Google Kubernetes Engine Security
• Sysdig learning hub