FOUNDATIONAL CONTROLS FOR SECURITY, COMPLIANCE & IT OPERATIONS

RESEARCH

Tripwire State of Container Security ReportJanuary 2019

2

As DevOps continues to drive increased use of containers, security teams are struggling to secure these new assets and processes. This report explores the challenges that organizations actively using containers today are facing, as well as the real consequences they have experienced.

Highlights include:

» 94% are concerned about container security

» 60% have had container security incidents in the past year

» 47% have vulnerable containers in production and 46% don’t know if they do

DemographicsSurvey respondents included 311 IT security professionals who manage environments with containers at companies with over 100 employees. Eight-six percent (269) had containers inproduction.

100–1,000 employees

1,000–5,000 employees

More than 5,000 employees

41%39%

20%

Company size

0 5 10 15 20 25 30 35

Industry

Technology

Financial Services and Insurance

Manufacturing

Healthcare

Education

Government

Services

Retail

Energy and Utilities

Transportation

Non-Profit

Food and Beverage

Other

33%

14%

9%

8%

8%

6%

6%

5%

4%

2%

1%

1%

3%

Number of containers in production

0 20 40 60 80 100

More than 1,000

500–1,000

100–500

10–100

Fewer than 10

None—We don't use containers in production

14% 22% 33% 19% 7% 6%

3

The concern increases with the number of containers in production, and is higher among those with more container security expertise.

94% are concernedabout container security

How concerned are you aboutsecurity in container environments?

0 20 40 60 80 100

Not Concerned

Somewhat Concerned

Very Concerned

43% 51% 6%

94%

By # of containersin production

How concerned are you aboutsecurity in container environments?

“Very Concerned”

0

10

20

30

40

50

60

More than 10 containers10–100 containersFewer than 10 containersNone (Development only)

31% 34% 45% 54%0

10

20

30

40

50

60

By security focus andknowledge of containers

How concerned are you aboutsecurity in container environments?

“Very Concerned”

Security Focus Container Security

61% 39%0

10

20

30

40

50

60

53% 35%

Entire jobMajor Part of job

Very KnowledgeableSomewhat Knowledgeable

4

Organizations are accepting risk and facing consequencesOf the 269 respondents with containers in production:

Inadequate container securityknowledge among teams

Visibility into security of containersand container images is limited

Inability to assess risk in containerimages prior to deployment

Lack of tools of defectively secure containers

Insufficient process to handle fundamentaldifferences in securing containers

Not able to assess risk in deployed containers

I have no concerns about container security

What specific security concernsdo you have about containers?

0 10 20 30 40 50 60

54%

52%

43%

42%

40%

38%

5%

We know we have them, but we don’t knowexactly what the vulnerabilities are

We think we have some, but we don’t know for sure

We think we don’t have any,but we don’t know for sure

I don’t know

No, none of our productioncontainers have vulnerabilities

47% have vulnerable containers inproduction and 46% don’t know if they do

Do you currently have vulnerable containersdeployed in production at this time?  

0 5 10 15 20 25 30

17%

30%

22%

20%

7%

4%

Yes, we have them and know what the vulnerabilities are, but have deployed anyway

Top concerns about container security

5

Those with the most containers in production were more likely to acknowl-edge that some of those containers are vulnerable.

“With the increased growth and adoption of containers, security practitioners are feeling the pressure to speed their deployment. To keep up with the demand, teams are accepting unneces-sary risks by not securing containers.”

—Tim Erlin, Vice President of Product Management and Strategy at Tripwire

More than 100

10-100

Less than 10

Those with the most containers inproduction have ignored security issues

Do you currently have vulnerable containersdeployed in production at this time?

By # of containers in production

0 20 40 60 80 100 120

No, none of our productioncontainers have vulnerabilities

I don't know

We think we don't have any,but we don't know for sure

We think we have some,but don't know for sure

We know we have them, butwe don't know exactly whatthe vulnerabilities are

Yes, we have them and knowwhat the vulnerabilities arebut have deployed anyway26%

10%

7% 29% 18% 39% 4%

27% 36% 14%4%

32% 13% 18% 4% 7%

9%

4%

60% have had containersecurity incidents in the past year

Approximately how many securityincidents have occurred in your container

infrastructure in the past 12 months?

0

5

10

15

20

25

30

I don't know

More than 100

26-100

11-25

6-10

2-5

Just one

None

29% 10% 27% 12% 6% 11%3% 3%

The more containers deployed, the more likely there had been a container security incident.

Approximately how many security incidents have occurredin your container infrastructure in the past 12 months?

(By # of containers in production)

0 20 40 60 80 100

I don't know

More then 6

2-5

Just one

None

More than 100

10-100

Less than 10

None (Dev only)

17%

26%

35%

55% 14% 19% 2% 10%

16% 18% 15% 16%

6% 37% 21% 11%

7% 28% 40% 8%

Organizations are bracing for a rise in container-related security incidents.

6

Most expect rate of security-related securityincidents to increase in the coming year

How do you expect the rate of container-relatedsecurity incidents to change in the coming year?

0 20 40 60 80 100

Decrease dramatically

Decrease slightly

No change

Increase slightly

Increase dramatically

13% 58% 21% 7% 1%

71%

Increased adoption of containertechnology will increase risk

Containers will increasingly be used formission-critical systems that are more

likely to be targeted

Hackers will target newtechnology while it is weak

Lack of security best practices forcontainers will leave them vulnerable

Top reasons for increasedsecurity incidents

n = expect security incidents to increase

0 10 20 30 40 50 60 70

61%

52%

52%

49%

7

“There’s a belief that you have to accept a significant amount of risk to take advantage of containers, but that’s not true. Security can and should be embedded into the DevOps life cycle, incorporating vulnerability and con-figuration assessment of container infrastructure to monitor risks from build to production.” —Tim Erlin

42% are limiting containeradoption because of security risks

Has your company delayed or limited containeradoption because of security concerns?

No

Yes

I don't know

42%52%

6%

8

Incident detection and response forcontainers and infrastructure

Isolate containers thatbehave abnormally

More security-focused monitoringof container infrastructure

Greater visibility into container risk

Monitor containers for driftor behavior changes

Attack-blocking technologies for containers

Artificial intelligence securityanalytics for containers

Blockchain

We don’t want anythingspecial for container security

98% want additionalsecurity capabilitiesfor containerenvironmentsWhat additional securitymanagement tools orcapabilities would yourorganization want forcontainer environments?

0 10 20 30 40 50 60

52%

49%

48%

48%

45%

45%

22%

40%

2%

Only a few believe they could detect acompromised container within minutes

Approximately how long would it take to detecta compromised container or container image?

0

10

20

30

40

50

I don't know

We could not detect it

Months or longer

Weeks

Days

Hours

Minutes

12% 45% 26% 6% 7%2% 2%

9

IT security is most likely team to haveprimary responsibility for container security

What organization owns primary responsibility for container security?

Cross-functional team

DevSecOps

DevOps

IT Security 46%

22%

12%

20%

Because of containers, 82% are rethinking security responsibilities—with varying results

Has container adoption caused your organizationto think about restructuring security responsibilities?

We're still thinking about it

Container adoption is one of the many changes that is making us re-think security

Yes, we have reassigned security responsibility based on container adoption

Yes, we thought about it but don't see a need to change anything

No, it didn't even cross our minds to think about it

18%10%

35%21%

17%

Who’s in charge?

©2019 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc.All other product and company names are property of their respective owners. All rights reserved.

Tripwire is a leading provider of security, compliance and IT operations solutions for enterprises, industrial organizations, service providers and government agencies. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context; together these solutions integrate and automate security and IT operations. Tripwire’s portfolio of enterprise-class solutions includes configuration and policy management, file integrity monitoring, vulnerability management, log management, and reporting and analytics. Learn more at tripwire.com

The State of Security: Security News, Trends and Insights at tripwire.com/blog Follow us on Twitter @TripwireInc » Watch us at youtube.com/TripwireInc

BRDRSCS1b 1901