Container strategies don’t take security seriously enough

Most organizations do not feel prepared to adequately secure cloud-native applications, despite the surging adoption of containers and Kubernetes, according to StackRox.

Notable findings:

• More than a third of organizations with concerns about their container strategy worry that their strategies don’t adequately address container security
• An additional 15 percent believe their strategies don’t take seriously enough the threat to containers and Kubernetes deployments
• More than one-third of respondents haven’t started or are just creating their security strategy plans.

Digging into the sources of concern over container security, survey respondents focused on misconfigurations and runtime security as their primary sources of concern:

• Fifty-four percent of respondents said risks driven by misconfigurations and accidental exposures is their primary concern
• A near majority of respondents, 44 percent, indicated that runtime, vs. build and deploy, is the phase they are most concerned about from a security perspective.

Despite the concerns over the runtime phase of the lifecycle, the dominance of concerns over misconfigurations is likely the result of a number of recent high-profile attacks and exposures on Kubernetes deployments, such as the cryptomining attack on Tesla’s deployment on Amazon Web Services and Shopify’s publishing of the risk of Kubernetes metadata exposure.

Infrastructure portability is often cited as one of the top reasons to run containers and Kubernetes. A surprising percentage of respondents are running their containerized applications only on premise, however:

• Seventy percent of respondents overall are running containers on premise, with 32 percent running only on premise
• About 40 percent of respondents are running containers in hybrid environments, both on premise and in the cloud
• Just under 30 percent of respondents are running only in the cloud.

As for who in the organization should take lead running container security, DevOps and DevSecOps top the list.

“The DevOps-induced ‘shift left’ approach enabled by containerization is fundamentally changing how developers and security teams are interacting in the enterprise, forcing alignment and collaboration like never before,” said Mark Bouchard, Vice President of Research and COO, CyberEdge Group. “For organizations to realize more of the technical advantages of microservices, containers and Kubernetes, they will need container security technologies that integrate increasingly early into the software development life cycle.”

The report demonstrates that containers provide an impetus and an opportunity to build a stronger bridge between DevOps and security. Results reveal that deeper container security planning, further integration among DevOps and security teams, and the more widespread adoption of key security technologies are necessary to increase the holistic security of containers and Kubernetes deployments.

“The influence of DevOps and the fast uptake in containerization and Kubernetes have made application development more seamless, efficient and powerful than ever. Yet, our survey results show that security remains a significant challenge in enterprises’ container strategies,” said Kamal Shah, StackRox CEO. “Containers provide a natural bridge for collaboration between DevOps and security teams but they also introduce unique risks that, if left unchecked, can create real risks for the enterprise.”