Red Hat Survey Finds Widespread Container Security Issues

A survey of 500 DevOps, engineering and security professionals published today by Red Hat finds 94% of respondents have experienced a security incident involving their Kubernetes and container environments during the last 12 months, with more than half of respondents (55%) needing to delay deploying Kubernetes applications into production because of a security issue.

Just under 60% of respondents also noted there was a misconfiguration incident in their environments over the last 12 months. Nearly half (47%) are still worried about exposures due to misconfigurations in their container and Kubernetes environments.

Overall, nearly a third of respondents said they experienced a runtime security incident, while another third said they had discovered a major vulnerability.

On the plus side, the report finds most respondents have some form of a DevSecOps initiative underway. Only 26% of respondents said they continue to operate DevOps separately from security. More than two-thirds (67%) also claim to have at least a basic Kubernetes security strategy, with only 7% admitting they have no Kubernetes strategy in place at all.

Wei Lien Dang, senior director for product and marketing for cloud platforms at Red Hat, says that while the Kubernetes and container threat vectors organizations need to be aware of haven’t changed much, more issues are being encountered as Kubernetes clusters are deployed more widely in production environments.

The Red Hat report arrives at a time when the amount of attention being paid to software supply chain security has increased dramatically in the wake of several high-profile breaches. While most organizations are working toward improving the amount of security expertise developers have as part of an effort to shift responsibility for security further left, it has also become apparent those efforts will take time. In the meantime, security professionals are being tasked to more aggressively review application security.

In some cases, developers assume that because a container might only run for a few minutes, it does not represent a major security risk. However, as more containers are deployed on Kubernetes clusters, cybercriminals have begun to scan for misconfigurations more aggressively. They realize that many of these containers underpin digital business transformation initiatives, which makes them high-value targets.

In general, Dang says organizations that make use of a curated instance of Kubernetes, such as the Red Hat OpenShift platform, are likely to have fewer issues because many of the settings that might lead to an issue have already been configured on behalf of the customer.
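To make the "settings that might lead to an issue" concrete, here is an added example (not code from the article, the survey or Red Hat): a small Python checker that flags the Pod-level misconfigurations attackers scan for, run over a constructed weak manifest and a hardened version of the same workload. The checks track the Pod Security Standards "restricted" profile; both manifests and the pod names are constructed for illustration.

```python
# Added example (not from the article or the survey): a small checker that
# flags the kind of Kubernetes Pod misconfigurations attackers scan for.
# The checks track the Pod Security Standards "restricted" profile; the two
# manifests at the bottom are constructed for illustration.
from typing import Any

HOST_NAMESPACES = ("hostNetwork", "hostPID", "hostIPC")
SECCOMP_OK = ("RuntimeDefault", "Localhost")


def _containers(spec: dict[str, Any]) -> list[dict[str, Any]]:
    """Init containers get the same scrutiny as regular ones."""
    return spec.get("initContainers", []) + spec.get("containers", [])


def check_pod(pod: dict[str, Any]) -> list[str]:
    """Return one finding string per weak setting; an empty list is a pass."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    pod_sc = spec.get("securityContext", {})

    for ns in HOST_NAMESPACES:
        if spec.get(ns):
            findings.append(f"{name}: {ns}=true shares a host namespace")

    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path", "?")
            findings.append(f"{name}: hostPath volume mounts node path {path}")

    for c in _containers(spec):
        where = f"{name}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext", {})
        # Container-level settings override pod-level ones.
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        caps = sc.get("capabilities", {})

        if sc.get("privileged"):
            findings.append(f"{where}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{where}: allowPrivilegeEscalation not set to false")
        if not non_root:
            findings.append(f"{where}: runAsNonRoot not enforced")
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{where}: capabilities.drop does not include ALL")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{where}: root filesystem is writable")
        if seccomp.get("type") not in SECCOMP_OK:
            findings.append(f"{where}: no seccomp profile (RuntimeDefault/Localhost)")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{where}: no resource limits (DoS / noisy neighbour)")
    return findings


# Constructed "debug shell" manifest: the kind of thing that lands in a
# cluster during an incident and never gets removed.
WEAK_POD: dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-shell"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "shell",
            "image": "busybox:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "root", "mountPath": "/host"}],
        }],
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    },
}

# Constructed hardened manifest for the same workload.
HARDENED_POD: dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-shell"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "shell",
            "image": "busybox:1.36",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}},
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        findings = check_pod(pod)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The weak manifest trips every check (host PID namespace, privileged container, a hostPath mount of the node root, no seccomp profile, no limits); the hardened one passes cleanly. A curated distribution or an admission controller enforcing Pod Security Standards applies the same rules cluster-wide, which is why the preconfigured platforms Dang mentions see fewer of these incidents.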

Regardless of who configured a Kubernetes cluster, however, the chances that vulnerable or malicious code will be inadvertently packaged into a container image are significant. Developers will employ libraries that have not been updated after vulnerabilities in them have become known. Many containers are also starting to run for longer periods of time, which gives an attacker more time to find and exploit such a vulnerability. In addition, IT teams need to remember to scan the host systems that containers are deployed on for vulnerabilities as well.

Of course, there may come a day when artificial intelligence (AI) is more widely employed to improve container security. In the meantime, however, it’s apparent there’s no real substitute for vigilance.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
