The popularity of container technology has grown quickly in software engineering, but 60 percent of organizations suffered at least one container-related security incident in 2018, mostly caused by the advancement of DevOps teams, according to Tripwire’s State of Container Security Report. Some 71 percent anticipate an increase in container security incidents in 2019, most likely raising the costs of hybrid cloud security.
Securing the container pipeline and infrastructure presents multiple challenges, but the blame has often fallen on DevOps teams because they are more interested in optimization, integration and cutting overall costs, and tend to neglect security.
“The rise of DevOps exposes organizations to risk via container vulnerabilities,” while “47 percent knowingly deploy vulnerable containers,” reads the report. This is a never-ending headache for security pros who have to figure out how to assess security risks before deployment, then implement a legitimate container security strategy.
Tim Erlin, Tripwire’s vice president of product management and strategy, explains that “security can and should be embedded into the DevOps life cycle, incorporating vulnerability and configuration assessment of container infrastructure to monitor risks from build to production.”
Container technology changes the way software is written, and even though it’s been around for a decade, security practices to protect container integrity are still inadequate and ineffective.
“It’s concerning, but not surprising, that nearly half of the respondents said they knowingly deploy vulnerable containers,” Erlin said. “With the increased growth and adoption of containers, organizations are feeling the pressure to speed their deployment. To keep up with the demand, teams are accepting risks by not securing containers.”
Two of the more popular systems, adopted by a number of software firms, are Docker and Kubernetes. In theory, containerization makes applications run faster and more smoothly, but companies such as Tesla and Gemalto would say otherwise. They are two of the hundreds of firms that had bad actors intrude into their cloud environments due to container security incidents. Security bugs in unencrypted Docker APIs, for example, allowed hackers to create their own containers to run Monero mining scripts, while Kubernetes systems have also been on cybercriminals’ radar for cryptojacking operations.
Some 94 percent of IT pros worry about the risks and security of container technology, in particular about the lack of know-how, the little-to-no transparency of container image security and the failure to detect vulnerabilities and risks before deployment. Despite the high number of containers deployed, container technology is still a mystery for many security teams. Going forward, some organizations have chosen to hold off on container adoption and limit DevOps deployment until they can create relevant policies, including security testing, and put in place proper tools for network and user behavior monitoring.
The study surveyed 311 IT security professionals responsible for container management in their organizations.