Container Adoption not Slowed by Supply Chain Attacks

The extensive adoption of containerization and DevOps has changed enterprise software supply chain risks dramatically. In many ways, enterprise software risks have increased considerably because of the rising use of third-party software components. The encouraging news is that organizations are starting to show signs of maturing and adapting to the challenges of these newer and more dynamic environments.

Software containers are here to stay. According to the “Anchore 2021 Software Supply Chain Security Report,” 65% of enterprise respondents say they deliver a “significant” number of applications within containers. Not surprisingly, cloud service providers, software makers and other technology-focused organizations lead when it comes to container use.

Still, non-tech verticals such as health care are also embracing containerization in considerable numbers. And 84% of respondents said they would increase their use of containerization. Respondents use containers for both internal applications and software products they sell.

The risks arise because developers rely on many open source software packages and components within their containerized applications. This is likely why survey respondents said the security of containers with open source software is their top challenge. That concern even outranked respondents' need to understand the security of the code they develop in-house.

Somewhat conflictingly, respondents overall didn’t see containerized applications as necessarily riskier than traditional applications, with 28% of respondents believing containers posed a higher risk and 34% seeing containers as less risky. “This likely arises from the fact that advanced users have a deeper understanding of the complex dependency chains that are common with containerized applications. They also better understand the need to adapt security processes and tools to adapt to unique container challenges,” the report proposes.

When it comes to containers, the more mature organizations are assuaging their concerns by taking action and focusing more on supply chain security. While only 9% of less mature container organizations view container security as a priority, 23% of advanced organizations do. By the end of next year, 63% of respondents said increasing the use of containers is their priority, followed closely by improving software supply chain security.

According to the survey, more mature respondents are increasing their supply chain security efforts. Sixty percent of respondents have made securing the software supply chain a top or significant area of focus.

On the heels of attacks such as NotPetya and SolarWinds, enterprises have become relatively focused on securing their software supply chains. About 46% said they have a significant focus on securing their software supply chain, while an additional 14% said it’s a top priority. Only 3% said it’s not a priority.

The report is based on the responses of 425 business technology, security and DevOps leaders.

Software supply chain security is going to continue to be a hot topic in cybersecurity. Recently, the president signed an executive order with several software supply chain requirements, including a software bill of materials, open source security, security testing and greater controls over secure software development.