
Keynote: What We Learned Dissecting the World’s Most Popular Containers

2022-10-26

Author: Ayse Kaya


Summary

Containers offer developers both opportunity and risk: a vast, complex ecosystem in which teams must balance developer experience against production readiness. The industry needs to improve its software supply chain practices and take on the unsolved problems of container optimization and security.
  • 60% of top publicly available containers have more vulnerabilities than a year ago
  • 70% of customers demand containers with zero vulnerabilities
  • 88% of developers find it hard to remove vulnerabilities because of the sheer number of components in an image and the dependencies between them
  • Developers are increasingly interested in Kubernetes and container adoption
  • Executives and front-line engineers understand container hardening differently, and that mismatch shapes what gets prioritized
  • Automation and intelligent optimization can help solve container optimization and security challenges
The speaker, a data scientist at Slim.AI, shared insights from analyzing over 900,000 containers and found a complex and vulnerable landscape. Even as interest in containers rises, developers are under pressure to ship images with zero vulnerabilities while struggling with the sprawl of packages and dependencies inside them. The industry needs to address these challenges and improve its software supply chain practices if containers are to be production ready.

Abstract

Data scientist and container enthusiast Ayse Kaya and her team at Slim.AI analyzed more than 100 of the world’s most popular public container images using open source tools to better understand what developers encounter when running containers in Kubernetes. What they found was a vast, varied, and complex world that gives developers massive opportunities to scale, but also presents risks to both security and productivity. This talk shares the data, visualizations, and insights they generated from their research. Kaya shows the current paradox in software supply chain practices (i.e. taking advantage of abstraction vs. knowing what’s in the software you ship), and that even small, special-purpose containers can carry thousands of packages, libraries, and licenses, not to mention critical vulnerabilities. Finally, she highlights the trade-offs teams currently make between “developer experience” and “production readiness”, and opens a discussion about how we can improve as an industry.
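The paradox above, abstraction versus knowing what you ship, comes down in practice to being able to enumerate the packages actually installed in an image and check their versions against advisories. The following Python script is an added example, not code from the talk or from Slim.AI's tooling (the talk does not name the open source tools the team used). It parses a constructed excerpt of a Debian-based image's /var/lib/dpkg/status, as one would read it from an exported image filesystem, and matches the installed versions against a constructed advisory list using dpkg's version-ordering rules. The ordering matters because distributions backport fixes without changing the upstream version string, so a naive string or upstream-version comparison over- or under-reports. Package names, versions and advisory identifiers are made up for illustration; so is the fixed_in field, which stands in for whatever a real advisory feed supplies.

```python
"""Inventory installed packages in a Debian-based image and match them against
advisories using dpkg version ordering.

Added example, not the talk's or Slim.AI's code. All data below is constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of /var/lib/dpkg/status as read from an exported image
# rootfs (e.g. `docker export <ctr> | tar -xOf - var/lib/dpkg/status`). Not real.
DPKG_STATUS = """\
Package: libc6
Status: install ok installed
Version: 2.31-13+deb11u5
Description: GNU C Library: Shared libraries
 Contains the standard libraries that are used by nearly all programs.

Package: curl
Status: install ok installed
Version: 7.74.0-1.3+deb11u3

Package: perl-base
Status: deinstall ok config-files
Version: 5.32.1-4+deb11u2

Package: libssl1.1
Status: install ok installed
Version: 1.1.1n-0+deb11u3
"""

# Constructed advisory feed; identifiers and versions are made up.
# fixed_in=None means no fixed version exists, so any installed version is affected.
ADVISORIES: List[Dict[str, Optional[str]]] = [
    {"id": "EXAMPLE-0001", "package": "curl", "fixed_in": "7.74.0-1.3+deb11u5", "severity": "HIGH"},
    {"id": "EXAMPLE-0002", "package": "libssl1.1", "fixed_in": "1.1.1n-0+deb11u3", "severity": "CRITICAL"},
    {"id": "EXAMPLE-0003", "package": "perl-base", "fixed_in": None, "severity": "MEDIUM"},
    {"id": "EXAMPLE-0004", "package": "libc6", "fixed_in": "2.31-13+deb11u6", "severity": "LOW"},
]


def _order(c: str) -> int:
    """Character weight from dpkg's verrevcmp: '~' sorts before everything, even end of string."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp: alternate non-digit runs (by weight) and digit runs (numerically)."""
    i = j = 0
    ca = lambda: a[i] if i < len(a) else ""  # current char of a, "" at end
    cb = lambda: b[j] if j < len(b) else ""
    while ca() or cb():
        first_diff = 0
        while (ca() and not ca().isdigit()) or (cb() and not cb().isdigit()):
            d = _order(ca()) - _order(cb())
            if d:
                return d
            i += 1
            j += 1
        while ca() == "0":  # leading zeros are insignificant
            i += 1
        while cb() == "0":
            j += 1
        while ca().isdigit() and cb().isdigit():
            if not first_diff:
                first_diff = ord(ca()) - ord(cb())
            i += 1
            j += 1
        if ca().isdigit():  # longer digit run wins
            return 1
        if cb().isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def dpkg_version_cmp(a: str, b: str) -> int:
    """Compare two Debian versions ([epoch:]upstream[-revision]); returns -1, 0 or 1."""
    def parse(v: str) -> Tuple[int, str, str]:
        epoch, sep, rest = v.partition(":")
        epoch_n, rest = (int(epoch), rest) if sep else (0, v)
        upstream, sep2, rev = rest.rpartition("-")  # last hyphen splits the Debian revision
        if not sep2:
            upstream, rev = rest, ""
        return epoch_n, upstream, rev

    ea, ua, ra = parse(a)
    eb, ub, rb = parse(b)
    if ea != eb:
        return -1 if ea < eb else 1
    d = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (d > 0) - (d < 0)


def parse_dpkg_status(text: str) -> Dict[str, str]:
    """Map installed package name -> version. Skips 'config-files' remnants of removed packages."""
    installed: Dict[str, str] = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in stanza.splitlines():
            if line[:1].isspace():  # continuation of a multi-line field (e.g. Description)
                continue
            key, sep, val = line.partition(":")
            if sep:
                fields[key.strip()] = val.strip()
        if fields.get("Status", "").split()[-1:] == ["installed"]:
            installed[fields["Package"]] = fields["Version"]
    return installed


def match_advisories(installed: Dict[str, str], advisories) -> List[Tuple[str, str, str, str]]:
    """Return (advisory id, package, installed version, severity) for each advisory that still applies."""
    hits = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is None:
            continue  # package absent (or only config-files left behind)
        if adv["fixed_in"] is None or dpkg_version_cmp(version, adv["fixed_in"]) < 0:
            hits.append((adv["id"], adv["package"], version, adv["severity"]))
    return hits


def summarize(hits) -> Counter:
    """Count still-applicable advisories by severity."""
    return Counter(severity for *_, severity in hits)


if __name__ == "__main__":
    pkgs = parse_dpkg_status(DPKG_STATUS)
    found = match_advisories(pkgs, ADVISORIES)
    print(f"{len(pkgs)} installed packages, {len(found)} open advisories: {dict(summarize(found))}")
    for hit in found:
        print("  ", *hit)
```

Two of the four constructed advisories do not apply: the libssl1.1 entry is closed because the installed Debian revision already carries the fix even though the upstream version string is unchanged, and the perl-base entry is skipped because the package is only a config-files remnant, not installed code. Both are cases a string match on package names would get wrong, and they are typical of why "zero vulnerabilities" reports differ between tools.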
