According to a new report, Watching the Honeypots, released this week by Twistlock, more than half of cloud-native services are not automatically updated.

The company issued its first biannual state of cloud native security report in which researchers analyzed deployments of common cloud-native applications and ran honeypots to collect data on risk factors and attack patterns against cloud native services.

Researchers focused on two main sampling methods, which involved scanning the internet internally and discovering openly accessible servers using public scanning services. From that list of commonly used applications, they then scanned the banners to identify different versions and vulnerabilities.

The second sampling method used honeypots to mimic the behaviors of popular cloud-native applications to detect patterns of attacks on open servers. “The team found a disturbing number of out-of-date applications, with many open to known vulnerabilities (with CVEs). Some of these were vulnerabilities that were disclosed years ago. Additionally, the team found a great number of active bots/attackers that search for these applications in an attempt to exploit them,” the report said.

What researchers discovered was that 60% of cloud-native services are not automatically patched to the latest version. Additionally, over 90% of attacks are automatically executed against outdated code and known CVEs.

In their survey of the top cloud-native applications, researchers discovered that 25% were running with CVEs where a known exploit existed. The application most likely to be outdated was MySQL, with more than 80% of deployments at least one version behind. More than 60% of these cloud-native application attacks originated from Chinese IPs.

“Adoption of cloud-native technologies gives organizations a chance to build and deploy software faster and scale and manage deployments with ease. But this speed and agility is often coming at the expense of foundational security practices,” said Dima Stopel, Twistlock co-founder and VP of research and development, in a press release.

“Organizations need to build automatic enforcement of security into their application pipelines...to prevent vulnerable code from reaching production but also to quickly triage and patch new risks in production.”