Guest: Ayse Kaya
Even after intense focus on software supply chain security following the discovery of Log4Shell, 60% of the top publicly-available containers have more vulnerabilities in them today than they did a year ago. In fact, Slim.ai says they are detecting new incidents four times faster than their remediation rate, with new incidents often falling into high or critical categories.
In this episode of TFiR: Let’s Talk, recorded at KubeCon in Detroit, Swapnil Bhartiya catches up with Ayse Kaya, Head of Analytics at Slim.ai, to discuss the findings from Slim.ai’s 2022 Public Container Report, the trends in cybersecurity, and how intelligent optimization and automation can help mitigate these risks.
Key highlights of this video interview:
- The Log4Shell vulnerability has prompted many to focus on software supply chain security and understand not only the principal components of software systems and their contributors, but also the dependency trees.
- Slim.ai has scanned almost a million containers this year and the research team deconstructs the containers to better understand what makes them developer-friendly and production-ready. The findings were documented in their 2022 Public Container Report.
- Kaya says that the top 165 public containers contain 10 million images with 318 billion posts and are the most common starting points for most developers. A high number of vulnerabilities were found within these containers.
- Many are not aware that hacker attacks are often collaborative and become increasingly sophisticated over time. Kaya explains that if an incident is so big that it affects everyone, then this will capture the attention of other departments and more budget may be allocated to security.
- While technology can stand companies in good stead in terms of security, humans can often be the weakest link. It is essential for people to understand the consequences of their actions. A hacker team only needs one penetration point, so they often do not go for the most sophisticated approach but rather the simple one.
- According to Slim.ai’s global randomized survey of developers and DevOps engineers, 70% said their customers demand that their containers have absolutely no vulnerabilities. Only 1 in 4 developers said they fully understand how securing a container works, but they expressed a desire to learn.
- Kaya feels that there is a big disconnect between the executives and developers when it comes to container security.
- While Slim.ai is remediating vulnerabilities in the containers they have looked at, they are detecting new incidents four times faster than their remediation rate and the new incidents are mainly falling into high or critical categories. Kaya feels that developers do not feel like they are getting ahead of the game and that is a key problem.
- Kaya feels that you should ship to production only what is needed. However, according to the Slim.ai survey, half of the developers said they do this manually. She describes how this leads to human errors and why having the right automated processes and intelligent optimization is the way to go. This will ultimately help reduce costs because developers can stay on top of vulnerabilities and have more time to focus on other things.