Many organizations have DevOps on their mind going into 2019. This is a global movement. In fact, Puppet and Splunk received responses for their 2018 State of DevOps Report from organizations on every continent except Antarctica. Those organizations varied in their industry, size and level of DevOps maturity, but they were all interested in learning how they could advance their DevOps evolution going forward.
They’ll face challenges along the way. Organizations will confront growing complexity and risk as they work to scale their DevOps initiatives in 2019. Part of this risk will come from their containers, because many organizations still lack visibility into these software components. If they are to adequately mitigate their risk and minimize their exposure to digital threats, organizations will need to secure their containers. But are they prepared to do this?
The answer lies in Tripwire’s State of Container Security Report. For its study, Tripwire surveyed 311 IT security professionals who manage environments with containers at companies with over 100 employees. Their responses illustrated that organizations have already experienced real consequences with respect to securing their container deployments: 60 percent admitted that their organization had been hit with at least one container security incident within the past year.
Eighty-six percent of surveyed organizations had containers in production at the time of Tripwire’s study; the more containers in production, the more likely it was they experienced a container security incident. Of those organizations with over 100 containers in production, 75 percent had suffered a security event.
It’s therefore no wonder that 94 percent of respondents said they have container security concerns. Seventy-one percent of individuals went so far as to predict that container security incidents would increase in the new year. Their forecast in part reflects gaps in organizations’ current container security strategies.
For instance, just 12 percent of respondents to Tripwire’s survey said they could detect a compromised container within minutes. Forty-five percent of survey participants said it would take hours, while some estimated it would take even longer. At the same time, nearly half (47 percent) of IT security professionals said their organizations have vulnerable containers in production, while nearly the same number (46 percent) said they were unsure if this was the case. Tim Erlin, vice president of product management and strategy at Tripwire, explained:
With the increased growth and adoption of containers, organizations are feeling the pressure to speed their deployment. To keep up with the demand, teams are accepting risks by not securing containers. Based on what this study found, we can see that the result is a majority of organizations experiencing container security incidents.
In response to these security vulnerabilities, some organizations are restricting their DevOps deployments. Forty-two percent of respondents to Tripwire’s survey said their organizations are limiting their container adoption because of the attendant security risks. Almost everyone said they wanted additional security environments (98 percent), and 82 percent are thinking about restructuring security responsibilities because of container adoption.
While companies wait for these features, Erlin explained that organizations can and should work to embed security into the DevOps lifecycle. They can do so by applying security controls like vulnerability management and monitoring/auditing across their containers, including the build environment, container security testing and validation processes, and runtime containers. For specific insight on how to apply these and other basic security controls throughout a container environment, check out Tripwire’s Complete Guide to Complete Security.