Tripwire State of Container Security Report · 5 Those with the most containers in production were...
Transcript of Tripwire State of Container Security Report · 5 Those with the most containers in production were...
FOUNDATIONAL CONTROLS FOR SECURITY, COMPLIANCE & IT OPERATIONS
RESEARCH
Tripwire State of Container Security ReportJanuary 2019
2
As DevOps continues to drive increased use of containers, security teams are struggling to secure these new assets and processes. This report explores the challenges that organizations actively using containers today are facing, as well as the real consequences they have experienced.
Highlights include:
» 94% are concerned about container security
» 60% have had container security incidents in the past year
» 47% have vulnerable containers in production and 46% don’t know if they do
DemographicsSurvey respondents included 311 IT security professionals who manage environments with containers at companies with over 100 employees. Eight-six percent (269) had containers inproduction.
100–1,000 employees
1,000–5,000 employees
More than 5,000 employees
41%39%
20%
Company size
0 5 10 15 20 25 30 35
Industry
Technology
Financial Services and Insurance
Manufacturing
Healthcare
Education
Government
Services
Retail
Energy and Utilities
Transportation
Non-Profit
Food and Beverage
Other
33%
14%
9%
8%
8%
6%
6%
5%
4%
2%
1%
1%
3%
Number of containers in production
0 20 40 60 80 100
More than 1,000
500–1,000
100–500
10–100
Fewer than 10
None—We don't use containers in production
14% 22% 33% 19% 7% 6%
3
The concern increases with the number of containers in production, and is higher among those with more container security expertise.
94% are concernedabout container security
How concerned are you aboutsecurity in container environments?
0 20 40 60 80 100
Not Concerned
Somewhat Concerned
Very Concerned
43% 51% 6%
94%
By # of containersin production
How concerned are you aboutsecurity in container environments?
“Very Concerned”
0
10
20
30
40
50
60
More than 10 containers10–100 containersFewer than 10 containersNone (Development only)
31% 34% 45% 54%0
10
20
30
40
50
60
By security focus andknowledge of containers
How concerned are you aboutsecurity in container environments?
“Very Concerned”
Security Focus Container Security
61% 39%0
10
20
30
40
50
60
53% 35%
Entire jobMajor Part of job
Very KnowledgeableSomewhat Knowledgeable
4
Organizations are accepting risk and facing consequencesOf the 269 respondents with containers in production:
Inadequate container securityknowledge among teams
Visibility into security of containersand container images is limited
Inability to assess risk in containerimages prior to deployment
Lack of tools of defectively secure containers
Insufficient process to handle fundamentaldifferences in securing containers
Not able to assess risk in deployed containers
I have no concerns about container security
What specific security concernsdo you have about containers?
0 10 20 30 40 50 60
54%
52%
43%
42%
40%
38%
5%
We know we have them, but we don’t knowexactly what the vulnerabilities are
We think we have some, but we don’t know for sure
We think we don’t have any,but we don’t know for sure
I don’t know
No, none of our productioncontainers have vulnerabilities
47% have vulnerable containers inproduction and 46% don’t know if they do
Do you currently have vulnerable containersdeployed in production at this time?
0 5 10 15 20 25 30
17%
30%
22%
20%
7%
4%
Yes, we have them and know what the vulnerabilities are, but have deployed anyway
Top concerns about container security
5
Those with the most containers in production were more likely to acknowl-edge that some of those containers are vulnerable.
“With the increased growth and adoption of containers, security practitioners are feeling the pressure to speed their deployment. To keep up with the demand, teams are accepting unneces-sary risks by not securing containers.”
—Tim Erlin, Vice President of Product Management and Strategy at Tripwire
More than 100
10-100
Less than 10
Those with the most containers inproduction have ignored security issues
Do you currently have vulnerable containersdeployed in production at this time?
By # of containers in production
0 20 40 60 80 100 120
No, none of our productioncontainers have vulnerabilities
I don't know
We think we don't have any,but we don't know for sure
We think we have some,but don't know for sure
We know we have them, butwe don't know exactly whatthe vulnerabilities are
Yes, we have them and knowwhat the vulnerabilities arebut have deployed anyway26%
10%
7% 29% 18% 39% 4%
27% 36% 14%4%
32% 13% 18% 4% 7%
9%
4%
60% have had containersecurity incidents in the past year
Approximately how many securityincidents have occurred in your container
infrastructure in the past 12 months?
0
5
10
15
20
25
30
I don't know
More than 100
26-100
11-25
6-10
2-5
Just one
None
29% 10% 27% 12% 6% 11%3% 3%
The more containers deployed, the more likely there had been a container security incident.
Approximately how many security incidents have occurredin your container infrastructure in the past 12 months?
(By # of containers in production)
0 20 40 60 80 100
I don't know
More then 6
2-5
Just one
None
More than 100
10-100
Less than 10
None (Dev only)
17%
26%
35%
55% 14% 19% 2% 10%
16% 18% 15% 16%
6% 37% 21% 11%
7% 28% 40% 8%
Organizations are bracing for a rise in container-related security incidents.
6
Most expect rate of security-related securityincidents to increase in the coming year
How do you expect the rate of container-relatedsecurity incidents to change in the coming year?
0 20 40 60 80 100
Decrease dramatically
Decrease slightly
No change
Increase slightly
Increase dramatically
13% 58% 21% 7% 1%
71%
Increased adoption of containertechnology will increase risk
Containers will increasingly be used formission-critical systems that are more
likely to be targeted
Hackers will target newtechnology while it is weak
Lack of security best practices forcontainers will leave them vulnerable
Top reasons for increasedsecurity incidents
n = expect security incidents to increase
0 10 20 30 40 50 60 70
61%
52%
52%
49%
7
“There’s a belief that you have to accept a significant amount of risk to take advantage of containers, but that’s not true. Security can and should be embedded into the DevOps life cycle, incorporating vulnerability and con-figuration assessment of container infrastructure to monitor risks from build to production.” —Tim Erlin
42% are limiting containeradoption because of security risks
Has your company delayed or limited containeradoption because of security concerns?
No
Yes
I don't know
42%52%
6%
8
Incident detection and response forcontainers and infrastructure
Isolate containers thatbehave abnormally
More security-focused monitoringof container infrastructure
Greater visibility into container risk
Monitor containers for driftor behavior changes
Attack-blocking technologies for containers
Artificial intelligence securityanalytics for containers
Blockchain
We don’t want anythingspecial for container security
98% want additionalsecurity capabilitiesfor containerenvironmentsWhat additional securitymanagement tools orcapabilities would yourorganization want forcontainer environments?
0 10 20 30 40 50 60
52%
49%
48%
48%
45%
45%
22%
40%
2%
Only a few believe they could detect acompromised container within minutes
Approximately how long would it take to detecta compromised container or container image?
0
10
20
30
40
50
I don't know
We could not detect it
Months or longer
Weeks
Days
Hours
Minutes
12% 45% 26% 6% 7%2% 2%
9
IT security is most likely team to haveprimary responsibility for container security
What organization owns primary responsibility for container security?
Cross-functional team
DevSecOps
DevOps
IT Security 46%
22%
12%
20%
Because of containers, 82% are rethinking security responsibilities—with varying results
Has container adoption caused your organizationto think about restructuring security responsibilities?
We're still thinking about it
Container adoption is one of the many changes that is making us re-think security
Yes, we have reassigned security responsibility based on container adoption
Yes, we thought about it but don't see a need to change anything
No, it didn't even cross our minds to think about it
18%10%
35%21%
17%
Who’s in charge?
©2019 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc.All other product and company names are property of their respective owners. All rights reserved.
Tripwire is a leading provider of security, compliance and IT operations solutions for enterprises, industrial organizations, service providers and government agencies. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context; together these solutions integrate and automate security and IT operations. Tripwire’s portfolio of enterprise-class solutions includes configuration and policy management, file integrity monitoring, vulnerability management, log management, and reporting and analytics. Learn more at tripwire.com
The State of Security: Security News, Trends and Insights at tripwire.com/blog Follow us on Twitter @TripwireInc » Watch us at youtube.com/TripwireInc
BRDRSCS1b 1901