SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers
Spring developers lack container security knowledge

Thu, 21st May 2026
Sean Mitchell, Publisher

BellSoft has published a survey of Spring developers that found widespread gaps in container security knowledge. The study covered 250 Spring developers, DevOps engineers and Java architects surveyed at Spring I/O in Barcelona.

The findings point to weak awareness of how day-to-day development choices affect the security of containerised Java applications.

According to the survey, 64% of respondents did not know that Dockerfile authoring decisions could affect security. BellSoft described this as the most significant result because it reflected a knowledge gap rather than a lack of tools.
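To make concrete what "Dockerfile authoring decisions" means in practice, here is an added example (not part of BellSoft's survey or report) of a Dockerfile for a Spring Boot service, with comments on each choice that changes the security of the resulting image. The base image tags, the Maven wrapper and the `target/app.jar` path are assumptions about a hypothetical project; the hardening and patching points it illustrates are two of the five practices discussed later in the article.

```dockerfile
# syntax=docker/dockerfile:1
# Build stage: the full JDK and the Maven wrapper are needed only here.
# Assumption: the project ships ./mvnw and produces a single target/*.jar.
FROM eclipse-temurin:21-jdk-jammy AS build
WORKDIR /src
COPY . .
RUN ./mvnw -q -DskipTests package \
    && cp target/*.jar /app.jar

# Runtime stage: JRE only. Build tools, sources, .git and the Maven cache
# never reach the shipped image, so they can neither be exploited nor leak.
# In real use pin the base to a digest (FROM image@sha256:...) so rebuilds
# are reproducible and a patch rollout is a deliberate, reviewable digest bump.
FROM eclipse-temurin:21-jre-jammy

# Run as a fixed, unprivileged UID. Without a USER line the JVM runs as
# root inside the container, so any application compromise starts with
# root on the container filesystem.
RUN groupadd --system --gid 10001 app \
    && useradd --system --uid 10001 --gid 10001 --no-create-home app
WORKDIR /app
COPY --from=build --chown=app:app /app.jar /app/app.jar
USER 10001:10001

# No credentials in ENV or ARG: they are recorded in the image history.
# Inject them at run time (mounted files or the orchestrator's secret store).
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "/app/app.jar"]
```

The same application image built from a single-stage `FROM eclipse-temurin:21-jdk` with `COPY . .`, no `USER` line and a floating tag would contain the compiler toolchain and source tree, run as root, and silently change contents on every rebuild; none of that requires a new tool to fix, only different authoring choices.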

The report also found limited familiarity with hardened container images. Some 42% of respondents had never heard of hardened images, while 22% said they use them in production.

Another 14% were interested in using hardened images but had not started, and 7% were planning to adopt them. The results suggest that awareness remains a barrier to wider use.

Compliance gaps

The survey also examined whether engineers understood the compliance frameworks that apply to their container environments. It found that 44% could not name the rules governing their stack, saying this was managed by another team.

Among respondents who could identify a framework, DORA and ISO 27001 each applied to 22% of organisations, while NIS2 applied to 12%. BellSoft said these frameworks have direct implications for software supply chain security, vulnerability management and incident response.

The report argued that limited awareness among engineers can create a disconnect between regulatory obligations and technical decisions such as selecting base images, patching containers and signing images.

Basic practices

BellSoft assessed the use of five security practices in container environments: scanning, hardening, patching, software bills of materials and image signing. It found that 16% of respondents used none of the five.

Fewer than 2% said they had all five measures in place. Around 65% said they applied either none or only one of the practices.

That suggests many teams still rely heavily on cloud providers for security coverage in areas that remain the customer's responsibility. In container environments, those responsibilities often include image maintenance, vulnerability remediation and provenance controls.

BellSoft, which supplies OpenJDK distributions, framed the survey around Spring developers and the wider Java ecosystem. The research was designed to test not only which tools teams use, but also how decisions are made and where knowledge gaps lie.

The sample included Spring developers, DevOps engineers and Java architects attending one of the larger annual gatherings in the European Java community. The study focused on container deployment practices around Java applications built with Spring.

Alex Belokrylov, Chief Executive Officer of BellSoft, commented on the findings.

"Container security is no longer a niche concern for platform engineers. Developers are woefully under-informed about the scope of this issue, and the data is clear: controls embedded at the platform level achieve universal, consistent coverage, whereas controls that depend on individual developer awareness do not. The urgent priority is education, the second is automation," he said.