Container security remains a persistent problem for many developers, despite the fact that containers are now standard tools in modern software development.
This is evident from a survey conducted by BellSoft among 427 developers who attended Devoxx in October 2025. The results show that teams consider security important, but struggle with its implementation.
Almost a quarter of those surveyed said they had experienced a container-related security incident in the past year. The bottleneck is rarely in detecting vulnerabilities, but mainly in what happens next. Weeks or months can pass between the discovery of a problem and the actual implementation of a solution. During that period, applications continue to run with known risks, leaving organizations exposed, The Register reports.
Developers point to human error as the main cause of container security problems. Patch processes also play a major role. Updates are often complex to implement, and patches can sometimes take a long time to arrive. Scanning tools do not always help, as they often generate reports full of false positives. Combined with limited time, scarce resources, and low organizational priority, this creates a structural problem.
Many general Linux distributions
Choices regarding container images also increase the risk. More than half of those surveyed use general Linux distributions as a basis, while many teams also opt for general-purpose JDKs. Such images often contain significantly more packages than the application actually needs. Each additional component increases the attack surface and requires monitoring and patching. According to The Register, this means that security teams must check whether each new vulnerability is relevant, even if the application does not use the package in question.
Security plays a central role in selecting a base image. Developers cite security as a more decisive factor than performance, image size, or ease of use. However, that intention does not always translate into effective measures. Many organizations rely primarily on well-known container registries and vulnerability scans. In doing so, they mainly respond to incidents rather than limiting exposure in advance.
This explains why almost half of developers prefer to use hardened container images. By placing part of the responsibility for security and maintenance with the supplier, teams hope to reduce the risk of human error and lower operational pressure. BellSoft argues that this can contribute to more stable and manageable container environments, although this remains dependent on internal processes.
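To make concrete what moving away from a general-purpose JDK base image and towards a trimmed runtime looks like in practice, here is an added Dockerfile example. It is not part of the survey or of BellSoft's material; the image names, the application jar path and the module list are assumptions chosen for illustration, and the "before" variant is the general-purpose pattern the survey describes.

```dockerfile
# Before (assumed typical pattern): a full general-purpose JDK image is used as the
# runtime, so every package and JDK tool in it ships to production.
#
#   FROM eclipse-temurin:21-jdk
#   COPY target/app.jar /app/app.jar
#   ENTRYPOINT ["java", "-jar", "/app/app.jar"]

# After: build on a full JDK, but run on a minimal runtime that contains only
# the Java modules the application depends on and nothing else.
FROM eclipse-temurin:21-jdk AS build
WORKDIR /build
# Assumption: the application has already been packaged as target/app.jar.
COPY target/app.jar app.jar
# Let jdeps list the modules the jar really needs, then build a custom JRE
# with only those modules (no debug symbols, headers or man pages).
RUN jdeps --ignore-missing-deps --print-module-deps app.jar > modules.txt \
 && jlink --add-modules "$(cat modules.txt)" \
          --strip-debug --no-header-files --no-man-pages \
          --output /opt/jre

# A slim base image carries far fewer packages than a full distribution,
# so fewer CVEs need triaging that have nothing to do with the application.
FROM debian:bookworm-slim
COPY --from=build /opt/jre /opt/jre
COPY --from=build /build/app.jar /app/app.jar
# Run as an unprivileged user rather than root.
USER 65534:65534
ENTRYPOINT ["/opt/jre/bin/java", "-jar", "/app/app.jar"]
```

The point of the two stages is that the build tools (jdeps, jlink, the compiler) never reach the final image, and the runtime contains only the modules jdeps reported. A quick way to see the difference the base image alone makes is to compare the installed package count of the full distribution image with the slim one, for example with `dpkg-query -W | wc -l` inside each; every package in that list is one a security team otherwise has to assess for relevance when a new vulnerability is published.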
Finally, it is striking that artificial intelligence played hardly any role in this survey, even though previous studies have shown that many developers use AI when writing code. The focus was clearly on the basics of container security, and it is precisely there that the gap between ambition and practice remains wide.