News
BellSoft Survey Finds Java Teams Struggle to Square Container Debugging Tools with Security Goals
- By John K. Waters
- February 3, 2026
Container security incidents remain a routine problem for software teams, and many of the day-to-day choices developers make to keep Java services easy to build and troubleshoot can increase security exposure, according to a new survey released by OpenJDK vendor BellSoft.
BellSoft said it surveyed 427 professionals at the Devoxx 2025 conference in October and found that 23% had experienced a container security incident. The vendor said the harder problem is often shortening the gap between vulnerability disclosure and remediation, a window that can stretch for weeks or months while organizations continue running with known exposures.
For Java developers, that remediation gap can widen when base images and runtimes include far more software than an application needs. BellSoft said 55% of respondents rely on general-purpose Linux distributions such as Ubuntu, Debian, or Red Hat-based images that ship with hundreds of packages their applications may never use. In the same survey, 69% said they use general-purpose JDKs, a choice BellSoft argues can add components that increase patching and hardening work compared with slimmer, purpose-built alternatives.
Security was the top factor respondents cited when choosing a base container image, at 29%, followed by performance at 21%, image size at 17%, and Java support at 17%, according to the survey. But developers also reported keeping interactive tooling inside containers: it helps with diagnostics, yet it expands the attack surface in production. Respondents ranked shells (54%) and package managers (39%) as essential in base containers. A shell is also what many post-exploitation payloads (command injection, reverse shells) depend on, so removing it from the production image removes a tool from the attacker as well as from the developer. BellSoft flagged package managers as a particular risk because they allow additional components to be installed at runtime that were never part of the original build, so the running container can drift from what was scanned and signed.
Human factors also dominated the list of what goes wrong. Sixty-two percent of respondents said human error was the biggest contributor to container security mistakes, pointing to misconfigurations and inconsistent practices. Other cited contributors included patching difficulties (36%), gaps before patches are available (32%), and false positives from scanning tools (29%). Respondents also pointed to time and resource constraints (49%) and lack of organizational prioritization (36%) as obstacles.
Most teams said they rely on widely used baseline defenses. Trusted registries (45%) and vulnerability scanning (43%) were the most common measures, while smaller shares reported generating software bills of materials (SBOMs; 18%), using image signing (16%), or hardware isolation (6%). Ten percent said their organization took no additional security measures beyond standard tools, according to the survey.
Updating practices varied sharply. BellSoft said 31% of respondents rebuild or update images with every release, and 26% do so when critical vulnerabilities emerge, but 33% update monthly, rarely, or only a few times per year.
Asked what would help, 48% said pre-hardened, security-focused base images would be most useful. BellSoft said a practical model is to use minimal runtime images in production and keep fuller "debug builds" for development, so developers can still diagnose problems without shipping shells, package managers, or a full JDK into production environments.
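The "minimal runtime in production, fuller build for debugging" model described above can be expressed as a single multi-stage Dockerfile. The following is an added example, not code from the article or from BellSoft: it builds the application with a full JDK, uses jdeps and jlink to produce a runtime containing only the Java modules the jar actually needs, and copies that runtime into a base image that has no shell or package manager. A separate `debug` target uses the `:debug` tag of the same base, which adds a busybox shell. The image names (`maven:3-eclipse-temurin-21`, `gcr.io/distroless/java-base-debian12`) and the jar path `target/app.jar` are assumptions about the project, not anything the survey reports.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the article or BellSoft.
# Assumptions: a Maven project that produces target/app.jar with a Main-Class
# manifest entry; the image names below are illustrative choices.

# ---- Stage 1: build with a full JDK. This stage is never shipped. ----
FROM maven:3-eclipse-temurin-21 AS build
WORKDIR /src
COPY pom.xml .
COPY src ./src
RUN mvn -q -DskipTests package

# Work out which JDK modules the jar really uses, then build a trimmed
# runtime from just those modules (no javac, no jshell, no debug symbols).
RUN MODS="$(jdeps --ignore-missing-deps --print-module-deps target/app.jar)" \
 && jlink --add-modules "$MODS" \
          --strip-debug --no-man-pages --no-header-files \
          --output /opt/runtime

# ---- Stage 2: production image: no shell, no package manager. ----
# java-base-debian12 carries only glibc and the libraries a jlink'd runtime
# needs; there is no /bin/sh, apt, or dpkg to drift the image at runtime.
FROM gcr.io/distroless/java-base-debian12 AS runtime
COPY --from=build /opt/runtime /opt/runtime
COPY --from=build /src/target/app.jar /app/app.jar
# Run as the unprivileged user the base image provides.
USER nonroot:nonroot
ENTRYPOINT ["/opt/runtime/bin/java", "-jar", "/app/app.jar"]

# ---- Stage 3: debug image for development only. ----
# Same runtime and jar, but the :debug variant of the base adds a busybox
# shell so `docker exec -it <container> sh` works for live diagnosis.
FROM gcr.io/distroless/java-base-debian12:debug AS debug
COPY --from=build /opt/runtime /opt/runtime
COPY --from=build /src/target/app.jar /app/app.jar
USER nonroot:nonroot
ENTRYPOINT ["/opt/runtime/bin/java", "-jar", "/app/app.jar"]
```

Build the two variants with `docker build --target runtime -t app:prod .` and `docker build --target debug -t app:debug .`, and ship only `app:prod`. A quick check that the production image really lacks a shell is `docker run --rm --entrypoint /bin/sh app:prod`, which should fail with an "executable file not found" error, while the same command against `app:debug` drops into busybox. Because the runtime stage is assembled only from the build stage's outputs, a package added to the debug image cannot leak into production by accident; the two targets differ only in their base image tag.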
"Teams want security, efficiency, and simplicity, but their current strategies and tooling make this difficult to achieve," BellSoft CEO Alex Belokrylov said in a statement.
About the Author
John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].