Much like the early days of virtualization, containers got a bum rap when it came to data security. I say this because just like virtualization, securing containers is more about securing what is happening inside, rather than the security of the wrapper.
A few years ago we asked what the impact of containers on security would be. Recently, container security vendor Twistlock set out to answer that question by examining real-world container data.
What did they find?
They found that the same issues that have always plagued IT systems are the Achilles heel of container security: the most significant weakness is the vulnerabilities inside containers, not the container technology itself.
The key findings from the report are:
- Surveying use of the top cloud-native applications, 25 percent were running with CVEs where a known exploit exists
- MySQL was the most likely to be out of date, with over 80 percent of deployments being at least one version behind. Overall, 60 percent of all cloud-native apps are not patched to the latest version
- Over 90 percent of detected attacks were automatically executed — zero touch hacking that focuses on brute force or known exploits
- China plays a significant role in the modern threat landscape, with over 60 percent of detected attacks against cloud-native applications originating from Chinese IP ranges
These findings are hard to excuse: 60 percent of all cloud-native apps are not maintained at the latest version, and 25 percent were running software versions with known exploits in circulation. Organizations that want to protect themselves from attack have to keep their software patched to current versions.
How did Twistlock arrive at these results? The vendor used two techniques. The first was to scan the internet using publicly accessible scanning services to vet open servers. According to the report, from those scans they identified a short list of commonly used applications from Docker Hub. The researchers then assessed the banners those servers returned for potential vulnerabilities. “The main goal of this search was to sample the version distribution for each application, and more specifically the percentage of applications that are potentially (or clearly) vulnerable to known security issues,” the report said.
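The banner-sampling step above comes down to parsing a version out of whatever string each exposed service returns and comparing it against the current release. The script below is an added example of that comparison, not code from Twistlock or from the report; the banners, the application names and the "latest" version table are constructed for the example and are not real scan data or real release data.

```python
import re
from collections import defaultdict

# Constructed sample of (application, banner) pairs, as a scanning service
# might report them. These strings are made up for this example; they are
# not data from the Twistlock report.
SAMPLE_BANNERS = [
    ("mysql", "5.7.21-0ubuntu0.16.04.1"),
    ("mysql", "5.7.24"),
    ("mysql", "5.6.38-log"),
    ("mysql", "8.0.13"),
    ("mysql", "5.7.24-log"),
    ("redis", "redis_version:4.0.11"),
    ("redis", "redis_version:5.0.3"),
    ("redis", "redis_version:3.2.12"),
    ("redis", "-NOAUTH Authentication required."),   # no version exposed
    ("nginx", "nginx/1.15.8"),
    ("nginx", "nginx/1.14.0"),
]

# Assumed "latest" version per application at scan time. Hypothetical
# reference values for the example; a real pipeline would load them from
# the vendors' release feeds.
LATEST = {
    "mysql": (8, 0, 13),
    "redis": (5, 0, 3),
    "nginx": (1, 15, 8),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Extract the first major.minor.patch triple from a banner as a tuple
    of ints, or None when the banner exposes no version. Comparing tuples
    of ints orders 5.10.0 after 5.9.2, which a plain string comparison
    would get wrong."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())


def summarize(banners, latest):
    """Per application: how many hosts were seen, how many run a version
    older than `latest`, and how many exposed no parseable version."""
    counts = defaultdict(lambda: {"total": 0, "behind": 0, "unparsed": 0})
    for app, banner in banners:
        rec = counts[app]
        rec["total"] += 1
        version = parse_version(banner)
        if version is None:
            rec["unparsed"] += 1
        elif version < latest[app]:
            rec["behind"] += 1
    return dict(counts)


def percent_behind(summary, app=None):
    """Share of hosts with a parseable version that are at least one
    version behind, for one application or across all of them."""
    records = [summary[app]] if app else list(summary.values())
    parsed = sum(r["total"] - r["unparsed"] for r in records)
    behind = sum(r["behind"] for r in records)
    return round(100.0 * behind / parsed, 1) if parsed else 0.0


if __name__ == "__main__":
    summary = summarize(SAMPLE_BANNERS, LATEST)
    for app in sorted(summary):
        print(f"{app}: {percent_behind(summary, app)}% behind "
              f"({summary[app]['unparsed']} without a version)")
    print(f"overall: {percent_behind(summary)}% behind")
```

Two details matter in practice. Hosts that answer without a version (the Redis instance demanding authentication here) have to be excluded from the denominator rather than silently counted as current, and versions must be compared numerically, since a string comparison would rank 5.9 above 5.10. Note also that "behind" here means older than the reference release, not "known vulnerable"; mapping versions to actual advisories is a separate lookup.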
Second, the team deployed honeypots designed to attract a number of popular cloud-native exploits. The goal was to identify active attack patterns and the vulnerabilities actually being exploited.
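One question a honeypot operator has to answer from the resulting logs is how much of the traffic is automated. The script below is an added example of the simplest useful test for that, a sliding-window count of failed logins per source address; it is not Twistlock's tooling, and the log lines, the log format and the thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed honeypot log lines, invented for this example (not data from
# the Twistlock honeypots). Format: timestamp source-ip service event [detail]
SAMPLE_LOG = """\
2019-01-10T03:14:15Z 203.0.113.7 mysql login_failed user=root
2019-01-10T03:14:15Z 203.0.113.7 mysql login_failed user=root
2019-01-10T03:14:16Z 203.0.113.7 mysql login_failed user=root
2019-01-10T03:14:16Z 203.0.113.7 mysql login_failed user=root
2019-01-10T03:14:17Z 203.0.113.7 mysql login_failed user=root
2019-01-10T03:14:17Z 203.0.113.7 mysql login_failed user=admin
2019-01-10T03:14:18Z 203.0.113.7 mysql login_failed user=admin
2019-01-10T03:14:18Z 203.0.113.7 mysql login_ok user=admin
2019-01-10T09:02:41Z 198.51.100.23 mysql login_failed user=admin
2019-01-10T09:05:10Z 198.51.100.23 mysql login_failed user=admin
2019-01-10T09:07:55Z 198.51.100.23 mysql login_ok user=admin
2019-01-10T11:30:02Z 192.0.2.9 redis connect
"""

# Assumed thresholds: five failed logins inside ten seconds is a rate no
# human types at. Tune them for the service being emulated.
FAIL_THRESHOLD = 5
WINDOW = timedelta(seconds=10)


def parse_line(line):
    """Split one log line into (timestamp, source ip, service, event)."""
    ts, ip, service, event, *_detail = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, service, event


def failed_logins_by_source(log_text):
    """Collect the timestamps of failed logins, keyed by source address."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, ip, _service, event = parse_line(line)
        if event == "login_failed":
            failures[ip].append(when)
    return failures


def is_brute_force(timestamps, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sliding window over sorted timestamps: True when at least
    `threshold` failures fall inside any span of length `window`."""
    times = sorted(timestamps)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def classify_sources(log_text):
    """Label every source that produced failed logins as 'automated'
    (brute-force rate) or 'low-rate'."""
    failures = failed_logins_by_source(log_text)
    return {ip: ("automated" if is_brute_force(times) else "low-rate")
            for ip, times in failures.items()}


def automated_share(classes):
    """Percentage of attacking sources classified as automated."""
    if not classes:
        return 0.0
    automated = sum(1 for label in classes.values() if label == "automated")
    return round(100.0 * automated / len(classes), 1)


if __name__ == "__main__":
    classes = classify_sources(SAMPLE_LOG)
    for ip, label in sorted(classes.items()):
        print(f"{ip}: {label}")
    print(f"{automated_share(classes)}% of attacking sources were automated")
```

The rate test is deliberately the only signal here, which is also its limitation: a credential-stuffing tool that spreads its attempts across many source addresses, or one that paces itself below the threshold, would be labelled low-rate. Real classification adds more evidence, such as identical request bodies across sources or exploit payloads that follow a successful login, before calling a session automated.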
Twistlock said it hopes the report helps organizations better understand the new attack vectors and threats facing today's applications, improve how they manage software updates, workflows and patching cadence, and recognize the benefit of deploying defenses that can stop automated threats.
They certainly proved that enterprises are their own worst enemies.
If enterprises stick to good risk-mitigation practices, such as running assessments, patching, and maintaining good configuration management, containers can be a security asset. However, as Twistlock's own banner scanning demonstrated, the metadata a container exposes makes it possible for anyone who can reach it to identify what is inside, see what is vulnerable, and assess the value of the data it holds.
When managed properly, containers limit an application's attack surface: because each container is a discrete unit, it can carry only the services that application needs to run. Containers also make security automation much more straightforward.
Of course, enterprises must take advantage of these capabilities and cover the security basics, or they'll remain as vulnerable as always.