Aqua Security Survey Surfaces Container Security Knowledge Gap

Aqua Security today published a survey that polled a mix of 150 cloud-native security practitioners and IT executives that suggests awareness of potential container security issue is dangerously low at a time when attacks against software supply chains are escalating.

The survey finds that only 3% of respondents recognize that a container, in and of itself, is not a security boundary and less than a quarter (24%) have plans in place for securing containers at runtime. Only 18% of respondents say they realize they are at risk for zero-day attacks in containerized environments.

Nevertheless, nearly a third of respondents (32%) say they are confident in overall holistic runtime security protection, while nearly three-quarters (73%) say their organization could detect and stop a cyberattack that was designed to evade a static application security testing (SAST) tool. However, the survey finds less than a quarter (23%) have the necessary building blocks of runtime security in place.

The survey comes on the heels of a series of reports published by Aqua Security detailing various examples of how container security is being compromised. Over a six-month period, Aqua observed honeypots being attacked 17,358 times, representing a 26% increase from just the previous six months.

Aqua Security CTO Amir Jerbi says it’s apparent most organizations are unaware of how malware inserted within a containerized application can be employed to take over an entire host. It then becomes relatively trivial to compromise the rest of the IT environment.

Most of the attacks against IT environments running containers have involved cryptojacking. Cybercriminals insert containers that mine for cryptocurrency. Many IT teams consider these attacks to be little more than a nuisance crime. However, it’s only a matter of time before cybercriminals exploit those same vulnerabilities to compromise the entire software supply chain.

As more containerized applications are deployed in production environments, security teams are starting to ask tougher questions about how these applications are being secured in the wake of a wave of high-profile breaches of software supply chains, says Jerbi. The challenge is striking a balance between the desire to build and deploy applications faster and the need to ensure those applications are actually secure, adds Jerbi.

It’s not clear to what degree containers are being compromised today, but as containers proliferate within emerging digital business transformation initiatives, cybercriminals will start to explore how to compromise what are clearly mission-critical business applications. Such high-value targets are too big an opportunity for them to ignore. It is clear that application development and security teams will need to collaborate more to secure those applications by, for example, using cloud-native runtime security alongside the DevOps workflow, says Jerbi.

Less clear at the moment is whether these security issues might lead organizations to curtail developers’ freedom to provision infrastructure, build software and then deploy it without first passing an extensive security review. Most organizations are moving toward embracing DevSecOps best practices to build more secure applications. However, mastering DevSecOps best practices takes time that organizations may not have as attacks against containerized applications mount.

Mike Vizard

Mike Vizard is a veteran IT journalist with more than 25 years of experience covering the technology industry, having previously served as Editor-in-Chief of both CRN and InfoWorld and as editorial director for Ziff-Davis Enterprise, where he oversaw titles including eWEEK, CIO Insight and Baseline. Over his career he has also edited or contributed to a wide range of enterprise technology publications, including IT Business Edge, Channel Insider, ComputerWorld, TMCNet and Digital Review, and he later led editorial for CTOEdge.com. His reporting and analysis span software development, cloud computing, cybersecurity, IT channel strategy and, more recently, artificial intelligence and DevOps practices. A recognized voice in enterprise IT journalism, Vizard is known for tracking emerging technology trends as they move from early adoption into mainstream enterprise use. He now serves as Chief Content Officer for Techstrong Group, where he oversees editorial strategy across the full network — DevOps.com, Security Boulevard, Cloud Native Now, Digital CxO, Techstrong.ai, TechStrong.IT, Techstrong Semi and PlatformEngineering.com — in addition to writing and hosting content for Techstrong TV and the Techstrong Gang podcast.

    Mike Vizard has 1813 posts and counting. See all posts by Mike Vizard