Container Adoption Comes with Risks for Software Supply Chain
Multiple critical vulnerabilities and risks have been found lurking within some of the most commonly downloaded Docker Hub container images.
The NetRise study examined 70 randomly selected images from the top 250 downloads, uncovering an average of 604 known vulnerabilities per container, with more than 45% dating back 2 to 10+ years.
The report found that 4% of these vulnerabilities are weaponized, and actively exploited by botnets and threat actors.
Adding to the challenges, one in eight container components lacked a software manifest, leaving crucial metadata about dependencies and sources missing, further complicating security efforts.
Misconfigurations were another widespread issue, with containers averaging nearly five per image, including overly permissive identity controls and insecure directories.
The findings from the study indicate the critical importance of having a detailed understanding of all software components and risks.
Michael Scott, chief technology officer and co-founder of NetRise, explained organizations must prioritize integrating software analysis into their cybersecurity processes and workflows.
“Organizations can address visibility gaps in containerized software by adopting advanced analysis tools that go beyond traditional scanning methods,” he said.
These tools analyze compiled and interpreted code, giving them visibility into the software, even for containerized software lacking formal manifests.
He said container security remains a weak link in the software supply chain because of the inherent complexities and lack of visibility into the containerized software.
Additionally, the rapid adoption of containerized applications has outpaced the development of security processes and tools, leaving gaps in risk identification and mitigation.
“Addressing these challenges requires a move to advanced visibility platforms and a focus on proactive risk-based management throughout the software lifecycle,” he noted.
Strengthening Software Supply Chains
Scott said organizations aiming to strengthen their software supply chain security should take several foundational steps.
First, generating comprehensive Software Bill of Materials (SBOMs) is essential to understanding detailed software components, which serve as the basis for effective security measures.
An SBOM is designed to provide complete transparency into the components that make up the analyzed software including containerized applications.
Scott noted software transparency can and should go well beyond the SBOM, with software security intelligence also including enrichment data around software risks like vulnerabilities, non-CVE risks, exploitability, reachability and emerging threats and life-cycle management items like licensing, provenance and end-of-life.
“Automated software risk analysis should also be implemented to uncover a complete risk profile for each software or firmware package,” he added.
Beyond traditional CVSS scores, organizations should prioritize and compare software risks by considering additional factors such as weaponization and network accessibility.
Finally, Scott said establishing responsible vulnerability and risk disclosure practices with software vendors is critical for improving the overall state of software security for all stakeholders involved.
“Enterprises should prioritize vulnerabilities based on a risk-based approach that considers factors such as CVSS scores, weaponization status and exploitability,” he said.
For example, identifying vulnerabilities actively exploited by threat actors or listed in catalogs like CISA’s Known Exploited Vulnerabilities (KEV) helps focus resources on the most critical threats.
Improving Ownership, Accountability
Scot said organizations can improve ownership and accountability for container security by building security practices across the software lifecycle and defining roles and responsibilities.
“Development teams should consider security from the start, using tools to generate SBOMs and assess risks during the build phase,” he said.
He added ops teams must ensure secure configurations, regular updates and compliance checks in deployment and runtime environments.
“Assigning clear ownership for each phase helps ensure container security is a shared responsibility, not an afterthought,” he said.