Aqua Security published a report today that shows widespread cloud misconfiguration issues also extend to Docker containers. The report finds more than 40% of users had at least one misconfigured Docker application programming interface (API) that on average takes 60 days to remediate.
The report, based on a 12 month review, also finds more than 50% of all organizations receive alerts about misconfigured services with all ports open to the world, but only 68% of those issues were fixed. Even then, on average it took 24 days to remediate those issues. Less than 1% of enterprise organizations fixed all detected issues while less than 8% of small-to-medium businesses (SMBs) fixed all detected issues, the report finds.
The larger the company, the longer issues take to fix, with larger enterprises requiring, on average, 88 days.
The fact that cloud services are routinely misconfigured by developers is widely known. The Aqua report, however, shines a light on the degree to which that issue is leading to an increase in vulnerabilities as more Docker containers are deployed in the cloud by those very same developers.
Ehud Amiri, senior director of product management for Aqua Security, said the mystery is why so many of those misconfigured API and cloud services are not being fixed when organizations have the tools to discover them. Most of these issues stem from the simple fact that, in the era of the cloud, developers are using tools like Terraform to program infrastructure-as-code without any meaningful review of how securely a cloud service has been provisioned.
In the meantime, cybercriminals are becoming more adept at scanning for misconfigured cloud services. At the same time, digital business transformation initiatives that are based on applications built using containers are presenting cybercriminals with an opportunity to compromise business processes that are mission-critical to an organization.
Historically, the biggest issue with container security has been cryptojacking. Cybercriminals have now been employing containers to hijack cloud services to mine cryptocurrency for years now. Most organizations consider such attacks to be nuisance crimes so long as the level of compute being employed is relatively slight. However, those attacks clearly indicate that cybercriminals have learned how to compromise containerized applications.
Those same containerized applications are now more commonly built in the cloud, which means it’s also feasible for cybercriminals to leverage misconfigured APIs and cloud services to compromise entire supply chains.
It’s not clear whether these configuration issues will lead to a backlash against the entire shift left movement as it becomes more apparent that developers either can’t or simply don’t want to be more responsible for cybersecurity. Like most trends in IT, the pendulum swings back and forth. It may now be only a matter of time before cybersecurity teams reassert more control over the provisioning of cloud services, regardless of the impact that may have on the rate at which applications are developed. Business leaders are not going to see the value in rolling out more insecure applications faster.
Developers, of course, may bristle at that suggestion, but the fact of the matter is that being allowed to provision cloud services is more a privilege than a right and, as everyone knows, privileges, when abused, are frequently suspended.