Article Details
Scrape Timestamp (UTC): 2026-01-30 00:21:16.859
Source: https://www.theregister.com/2026/01/30/java_developers_container_security/
Original Article Text
Java developers want container security, just not the job that comes with it.

BellSoft survey finds 48% prefer pre‑hardened images over managing vulnerabilities themselves.

Java developers still struggle to secure containers, with nearly half (48 percent) saying they'd rather delegate security to providers of hardened containers than worry about making their own container security decisions.

This finding comes from BellSoft, which offers the Liberica JDK, a free, open-source implementation of Java SE. The company says it surveyed 427 developers at Devoxx last year for its 2025 State of Container Security report. Its goal was to better understand decisions about containers, security, priorities, and practices.

The most important factor among the survey respondents in choosing a base container image was security (29 percent), followed by performance (21 percent), image size (17 percent), Java support (17 percent), ease of use (11 percent), license compliance (4 percent), and other (1 percent).

That's understandable given that almost one in four of the devs (23 percent) said they'd experienced container-related security incidents in the past year.

Yet the choices these developers make in terms of their software tools may be undermining their stated goals. About 55 percent rely on general-purpose Linux distributions and 69 percent use general-purpose JDKs. Such software, BellSoft argues, is bloated by unnecessary packages and thus requires extra work to secure and optimize compared to pre-hardened options.

That might be manageable were it not for unreliable people. According to the respondents, 62 percent of container security mistakes came from human error, followed by patching difficulties (36 percent), gaps before patch availability (32 percent), and false positives from scanning tools (29 percent). And these issues were compounded by organizational time and resource constraints (49 percent) and lack of organizational prioritization (36 percent).

Respondents revealed various approaches to dealing with container security. These include relying on trusted container registries (45 percent), vulnerability scanning (43 percent), software bill-of-materials (SBOM) generation (18 percent), image signing (16 percent), and hardware isolation (6 percent). Ten percent said their organization took no additional security measures beyond standard tools.

"Across every section of the survey, one message repeats consistently: Teams want security, efficiency and simplicity but their current strategies and tooling makes this difficult to achieve," BellSoft CEO Alex Belokrylov said in a statement.

Belokrylov argues that adopting hardened images shifts the burden of security and maintenance to the image vendor, thereby reducing maintenance and cost burdens.

BellSoft elicited these findings despite, or perhaps because of, the wide use of AI tools. Marketing VP Maria Gladkaya told The Register in an email that while AI didn't come up in the responses this year, the 2024 survey revealed that 74 percent of developers were using AI to write code.

Daily Brief Summary
A BellSoft survey of 427 developers indicates 48% prefer pre-hardened container images to managing security vulnerabilities themselves, reflecting a desire to offload security responsibilities.
Security was the top priority for 29% of respondents when selecting base container images, followed by performance and image size, highlighting ongoing security concerns.
The survey found 23% of developers experienced container-related security incidents in the past year, showcasing the prevalent challenges in container security management.
Human error accounts for 62% of security mistakes, with patching difficulties and false positives also contributing to security challenges, indicating a need for improved processes and tools.
Developers reported using trusted container registries (45%) and vulnerability scanning (43%) as primary security measures, but organizational constraints hinder comprehensive security efforts.
BellSoft suggests that adopting hardened images can reduce security and maintenance burdens, promoting efficiency and cost savings for development teams.
The survey highlights a disconnect between desired security outcomes and current practices, driven by resource limitations and reliance on general-purpose software tools.