Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

Container Security Is Falling Behind Container Deployments

Organizations are increasingly turning to containers even though they are not as confident in the security of those containers, according to a new survey.

Containers — virtualized applications that are key to DevOps — are maturing as critical parts of enterprise application infrastructures. And even though security strategies are maturing, organizations are still struggling to have security keep up with the other facets of container deployment.

A new report, sponsored by StackRox and based on research by AimPoint Group, shows that more than a third of companies haven't begun to implement a container security policy yet. While 15% say their company is in the planning stage with its container security strategy, 19% say that they haven't even gotten that far.

Part of the problem, says StackRox CEO Kamal Shah, is the complexity of the environment into which containers are being deployed. While many people look at containers as a technology for the cloud, Shah says, "We found that 70% are running containers on-prem and 53% are running in hybrid mode, which means running it on-premises as well as on one of the public cloud platforms."

Companies are turning to containers because the speed of deployment in containers is critical for organizations that are implementing agile or DevOps disciplines. And studies by other researchers show that some container practices, such as downloading and reusing popular pre-existing application images, don't insulate a company from security issues.

Jerry Gamblin, principal security engineer at Kenna Security, scanned the 1,000 most popular application images and found that over 60% of the top Docker files held a vulnerability with at least a moderate risk score, and over 20% of the files contained at least one vulnerability that would be considered high risk. [Note: A container is a virtualized application running on a system. An image is the file containing that application and its configuration files before it is launched.]

When looking at the source of vulnerabilities, the StackRox report says that poor deployment is the principal problem. According to the report, 60% of executives say that misconfigurations create the greatest security risks.

"The challenge in this new world is that there are a lot of options, a lot of controls that you have to configure, and there are a lot of configuration options," Shah says. "On top of that, what makes matters worse is that a lot of the controls that exist are not enabled by default."

Those controls are important because 43% of respondents say that runtime is the phase of the container life cycle that worries them the most. Though the report indicates that fixing issues is most cost-effective in building or deployment phases, the lack of a container security strategy hinders many companies in making those fixes.

Procedures and tools are available for better container security, if companies will employ them. Researchers at Alcide conducted surveys of best container practices and found that a handful of processes can make a huge difference in container security. Those best practices include familiar items like regular software updates and secure access, as well as container-specific practices, including namespace isolation (keeping containers completely separate from one another) and automated tools for scanning and setting container configurations.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ajfreeland
50%
50%
Ajfreeland,
User Rank: Apprentice
8/6/2019 | 12:44:23 PM
Data Encryption
Good post and very important for everyone to absorb as transformation to container based architectures gains momentum. One of the top security recommendations for containers is to enable strong encryption for container-to-container networking. But that can also be off-putting for teams and tools where decrypted visibility is important (especially in clouds!). Nubeva has a new method for out of band decrypted visibility for inter and intra-container data-in-motion that works even with TLS 1.3. It's called Symmetric Key Intercept. Check it out on Nubeva's website.
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16413
PUBLISHED: 2019-09-19
An issue was discovered in the Linux kernel before 5.0.4. The 9p filesystem did not protect i_size_write() properly, which causes an i_size_read() infinite loop and denial of service on SMP systems.
CVE-2019-3738
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
CVE-2019-3739
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
CVE-2019-3740
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
CVE-2019-3756
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information disclosure vulnerability. Information relating to the backend database gets disclosed to low-privileged RSA Archer users' UI under certain error conditions.