Half of enterprise infosec pros polled admit deploying containers with known vulnerabilities
Security practitioners in organizations that deploy containers consistently ignore vulnerability warnings, an attitude that led to a spike in security incidents targeting the technology last year, new research shows.
The Lowdown: The growing use of containers by DevOps units to speed application development and deployment adds a layer of complexity for IT security teams, who are already struggling with a poor understanding of the risks associated with containers and container images, the study reveals.
The Details: The study by Dimensional Research on behalf of container security vendor Tripwire found that 47 percent of organizations with more than 100 employees have knowingly deployed containers with vulnerabilities, while 46 percent admit to deploying containers without knowing their vulnerability status.
Other findings in the survey of 311 IT security professionals:
— 75 percent of those with more than 100 containers in production reported an incident in 2018.
— 71 percent expect container security incidents to increase this year.
— 98 percent believe they need additional security capabilities, while just 12 percent say they can detect a compromised container within minutes.
— 42 percent have either delayed or limited container adoption due to security concerns.
The Buzz: “It’s concerning, but not surprising, that nearly half of the respondents said they knowingly deploy vulnerable containers,” said Tim Erlin, vice president of product management and strategy at Tripwire. “With the increased growth and adoption of containers, organizations are feeling the pressure to speed their deployment. To keep up with the demand, teams are accepting risks by not securing containers. Based on what this study found, we can see that the result is a majority of organizations experiencing container security incidents.
“There’s a belief that you have to accept a significant amount of risk to take advantage of containers, but that’s not true,” Erlin added. “Security can and should be embedded into the DevOps life cycle, incorporating vulnerability and configuration assessment of container infrastructure to monitor risks from build to production.”
Channelnomics Point of View: The Tripwire study is another example of the rift that can develop between business units that value speed and constant iteration and the security teams tasked with defending critical assets.
Like any technology at the intersection of enterprise application development and security, containers benefit most from a shift in mindset from DevOps to DevSecOps. Embedding security throughout the application lifecycle not only ensures that security practitioners get the visibility and controls they need to safeguard the organization; it also enlists the help of developers who bring new-found security awareness to the earliest stages of rapid development.