Aqua Security today published a survey that polled a mix of 150 cloud-native security practitioners and IT executives that suggests awareness of potential container security issue is dangerously low at a time when attacks against software supply chains are escalating.
The survey finds that only 3% of respondents recognize that a container, in and of itself, is not a security boundary and less than a quarter (24%) have plans in place for securing containers at runtime. Only 18% of respondents say they realize they are at risk for zero-day attacks in containerized environments.
Nevertheless, nearly a third of respondents (32%) say they are confident in overall holistic runtime security protection, while nearly three-quarters (73%) say their organization could detect and stop a cyberattack that was designed to evade a static application security testing (SAST) tool. However, the survey finds less than a quarter (23%) have the necessary building blocks of runtime security in place.
The survey comes on the heels of a series of reports published by Aqua Security detailing various examples of how container security is being compromised. Over a six-month period, Aqua observed honeypots being attacked 17,358 times, representing a 26% increase from just the previous six months.
Aqua Security CTO Amir Jerbi says it’s apparent most organizations are unaware of how malware inserted within a containerized application can be employed to take over an entire host. It then becomes relatively trivial to compromise the rest of the IT environment.
Most of the attacks against IT environments running containers have involved cryptojacking. Cybercriminals insert containers that mine for cryptocurrency. Many IT teams consider these attacks to be little more than a nuisance crime. However, it’s only a matter of time before cybercriminals exploit those same vulnerabilities to compromise the entire software supply chain.
As more containerized applications are deployed in production environments, security teams are starting to ask tougher questions about how these applications are being secured in the wake of a wave of high-profile breaches of software supply chains, says Jerbi. The challenge is striking a balance between the desire to build and deploy applications faster and the need to ensure those applications are actually secure, adds Jerbi.
It’s not clear to what degree containers are being compromised today, but as containers proliferate within emerging digital business transformation initiatives, cybercriminals will start to explore how to compromise what are clearly mission-critical business applications. Such high-value targets are too big an opportunity for them to ignore. It is clear that application development and security teams will need to collaborate more to secure those applications by, for example, using cloud-native runtime security alongside the DevOps workflow, says Jerbi.
Less clear at the moment is whether these security issues might lead organizations to curtail developers’ freedom to provision infrastructure, build software and then deploy it without first passing an extensive security review. Most organizations are moving toward embracing DevSecOps best practices to build more secure applications. However, mastering DevSecOps best practices takes time that organizations may not have as attacks against containerized applications mount.