A preliminary report published by Sysdig, a provider of a unified service for monitoring container application performance and security, suggests developers are engaging in a significant amount of risky behavior as they build and deploy applications using containers.
Based on analysis of more than 100,000 scanned images, the report finds that 40% of images are pulled from public sources. However, most of those images have not been certified—the report notes that less than 1% of the nearly 3 million images hosted on Docker Hub are certified.
The report also finds that 58% of images run as root, which makes the resulting containers easier to compromise.
Janet Matsuda, chief marketing officer for Sysdig, says IT teams should also pay careful attention to the potential severity level of vulnerabilities associated with different classes of container images. The report finds 53% of packages that don’t involve an operating system have high- or critical-level severity vulnerabilities. In many cases developers are unknowingly pulling in vulnerabilities from frameworks such as Python PIP or Ruby Gem, she notes.
In contrast, the report observes only 4% of operating system vulnerabilities are high or critical.
The report also finds that Alpine Linux, a lightweight distribution of Linux, is the most widely deployed container image, while npm registry is the most popular image that is not an operating system.
The average size of an image is 376MB, while the average number of layers in those images is roughly 9.5, according to the report. The more layers in an image, the more challenging it is to debug.
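The three image properties the report calls out (running as root, pulled from a public registry rather than a vetted one, and built from many layers) can all be read from the output of `docker image inspect`. The script below is an added example, not code from Sysdig or from the report; it parses a constructed sample in that output's shape and applies a hypothetical policy (a trusted-registry allowlist and a layer budget) to flag each image.

```python
"""Audit image records in the shape of `docker image inspect` output for the
risks the report names: running as root, sourced from a registry outside an
allowlist, and built from an unusually large number of layers."""
import json

# Constructed sample resembling `docker image inspect` output; these are not
# real images and the IDs are placeholders.
SAMPLE_INSPECT_JSON = json.dumps([
    {
        "Id": "sha256:aaaa0000",
        "RepoTags": ["alpine:3.12"],
        "Config": {"User": ""},
        "RootFS": {"Type": "layers", "Layers": ["sha256:l1"]},
    },
    {
        "Id": "sha256:bbbb0000",
        "RepoTags": ["registry.example.internal/team/api:1.4"],
        "Config": {"User": "1000:1000"},
        "RootFS": {"Type": "layers", "Layers": ["sha256:l%d" % i for i in range(12)]},
    },
    {
        "Id": "sha256:cccc0000",
        "RepoTags": ["someuser/worker:latest"],
        "Config": {"User": "root"},
        "RootFS": {"Type": "layers", "Layers": ["sha256:l1", "sha256:l2"]},
    },
])

# Hypothetical policy: registries the organisation has vetted, and a layer budget.
TRUSTED_REGISTRIES = {"registry.example.internal"}
MAX_LAYERS = 10


def registry_of(ref):
    """Return the registry host of an image reference; bare names resolve to Docker Hub."""
    first = ref.split("/", 1)[0]
    if "/" in ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def runs_as_root(user):
    """Docker starts the container as root when Config.User is empty, 'root', or uid 0."""
    if not user:
        return True
    name = user.split(":", 1)[0]  # strip an optional ':group' suffix
    return name in ("root", "0")


def audit_image(record):
    """Return (image reference, list of findings) for one inspect record."""
    findings = []
    ref = (record.get("RepoTags") or ["<untagged>"])[0]
    if runs_as_root(record.get("Config", {}).get("User", "")):
        findings.append("runs as root")
    registry = registry_of(ref)
    if registry not in TRUSTED_REGISTRIES:
        findings.append("pulled from untrusted registry %s" % registry)
    layers = record.get("RootFS", {}).get("Layers", [])
    if len(layers) > MAX_LAYERS:
        findings.append("%d layers exceeds budget of %d" % (len(layers), MAX_LAYERS))
    return ref, findings


def audit(inspect_json):
    """Map image reference -> findings for every record in the JSON list."""
    return dict(audit_image(r) for r in json.loads(inspect_json))


if __name__ == "__main__":
    for ref, findings in audit(SAMPLE_INSPECT_JSON).items():
        print("%-45s %s" % (ref, "; ".join(findings) if findings else "ok"))
```

On a real host the input would come from `docker image inspect $(docker images -q)`; the allowlist and layer budget are the organisation's policy decisions, not values from the report. The root check treats an empty `Config.User` as root because that is Docker's default, which is exactly the unchanged default the article describes.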
Matsuda says the report makes it apparent there is still much work to be done in terms of making developers aware of container security issues. In theory, developers are assuming more responsibility for container security as organizations embrace best DevSecOps practices. In practice, developers are not changing default settings to make sure both container images and the platforms they run on are secure, she says.
Developers also often assume that cybersecurity teams are securing platforms on their behalf. Most cybersecurity teams, however, are still coming up to speed on containers. Even when cybersecurity teams do know what containers are, the responsibility for configuring them correctly still lies with the developer.
Unfortunately, it may take some type of cataclysmic event to get developers to focus more on container security. Much like the rest of the IT community, cybercriminals are just starting to appreciate the nuances of container security. It may be a while before there is enough of a critical mass of container platforms in production environments that would make it worth the while of cybercriminals to exploit. Nevertheless, it’s now more a matter of when versus if those efforts will be made.
In the meantime, however, developers should not become complacent. Just because there is no evidence of widespread breaches of a container, it doesn’t necessarily follow that the container images they have deployed are secure, especially if those containers are encapsulating software that may have any manner of known vulnerabilities.