RESEARCH Tripwire State of Container Security Report January 2019 FOUNDATIONAL CONTROLS FOR SECURITY, COMPLIANCE & IT OPERATIONS
As DevOps continues to drive increased use of containers, security teams are struggling to secure these new assets and processes. This report explores the challenges that organizations actively using containers today are facing, as well as the real consequences they have experienced. Highlights include:»» 94% are concerned about container security»» 60% have had container security incidents in the past year»» 47% have vulnerable containers in production and 46% don t know if they do Number of containers in production 14% 22% 33% 19% 7% 6% 0 20 40 60 80 100 None We don't use containers in production Fewer than 10 10 100 100 500 500 1,000 More than 1,000 Demographics Survey respondents included 311 IT security professionals who manage environments with containers at companies with over 100 employees. Eight-six percent (269) had containers inproduction. Industry Company size 20% 41% 39% Technology Financial Services and Insurance Manufacturing Healthcare Education Government Services Retail Energy and Utilities Transportation Non-Profit Food and Beverage Other 33% 14% 9% 8% 8% 6% 6% 5% 4% 2% 1% 1% 3% 100 1,000 employees 1,000 5,000 employees 0 5 10 15 20 25 30 35 More than 5,000 employees 2
94% are concerned about container security How concerned are you about security in container environments? 94% 43% 51% 6% 0 20 40 60 80 100 Not Concerned Somewhat Concerned Very Concerned The concern increases with the number of containers in production, and is higher among those with more container security expertise. By # of containers in production By security focus and knowledge of containers How concerned are you about security in container environments? How concerned are you about security in container environments? Very Concerned Very Concerned 60 50 60 50 60 50 40 40 40 30 30 30 20 10 0 31% 34% 45% 54% More than 10 containers 10 100 containers Fewer than 10 containers None (Development only) 20 10 0 61% 39% Security Focus Entire job Major Part of job 20 10 0 53% 35% Container Security Very Knowledgeable Somewhat Knowledgeable 3
Top concerns about container security What specific security concerns do you have about containers? Inadequate container security knowledge among teams Visibility into security of containers and container images is limited Inability to assess risk in container images prior to deployment Lack of tools of defectively secure containers Insufficient process to handle fundamental differences in securing containers Not able to assess risk in deployed containers I have no concerns about container security 54% 52% 43% 42% 40% 38% 5% 0 10 20 30 40 50 60 Organizations are accepting risk and facing consequences Of the 269 respondents with containers in production: 47% have vulnerable containers in production and 46% don t know if they do Do you currently have vulnerable containers deployed in production at this time? Yes, we have them and know what the vulnerabilities are, but have deployed anyway We know we have them, but we don t know exactly what the vulnerabilities are We think we have some, but we don t know for sure We think we don t have any, but we don t know for sure I don t know No, none of our production containers have vulnerabilities 17% 30% 22% 20% 4% 7% 0 5 10 15 20 25 30 4
Those with the most containers in production have ignored security issues More than 100 Do you currently have vulnerable containers deployed in production at this time? By # of containers in production 26% 32% 13% 18% 4% 7% Yes, we have them and know what the vulnerabilities are but have deployed anyway We know we have them, but we don't know exactly what the vulnerabilities are Those with the most containers in production were more likely to acknowledge that some of those containers are vulnerable. With the increased growth and adoption of containers, security practitioners are feeling the pressure to speed their deployment. To keep up with the demand, teams are accepting unnecessary risks by not securing containers. Tim Erlin, Vice President of Product Management and Strategy at Tripwire 10-100 10% 27% 36% 14%4% 9% We think we have some, but don't know for sure We think we don't have any, but we don't know for sure Less than 10 7% 29% 18% 39% 4% 4% 0 20 40 60 80 100 120 I don't know No, none of our production containers have vulnerabilities 60% have had container security incidents in the past year Approximately how many security incidents have occurred in your container infrastructure in the past 12 months? The more containers deployed, the more likely there had been a container security incident. Approximately how many security incidents have occurred in your container infrastructure in the past 12 months? (By # of containers in production) 30 25 20 More than 100 17% 7% 28% 40% 8% I don't know More then 6 15 10 5 0 3% 3% 29% 10% 27% 12% 6% 11% 10-100 Less than 10 26% 35% 6% 37% 21% 11% 16% 18% 15% 16% 2-5 Just one None I don't know More than 100 26-100 11-25 6-10 2-5 Just one None None (Dev only) 55% 14% 19% 2% 10% 0 20 40 60 80 100 5
Organizations are bracing for a rise in container-related security incidents. Most expect rate of security-related security incidents to increase in the coming year How do you expect the rate of container-related security incidents to change in the coming year? 71% 13% 58% 21% 7% 1% 0 20 40 60 80 100 Decrease dramatically Decrease slightly No change Increase slightly Increase dramatically Top reasons for increased security incidents n = expect security incidents to increase Increased adoption of container technology will increase risk 61% Containers will increasingly be used for mission-critical systems that are more likely to be targeted 52% Hackers will target new technology while it is weak 52% Lack of security best practices for containers will leave them vulnerable 49% 0 10 20 30 40 50 60 70 6
42% are limiting container adoption because of security risks Has your company delayed or limited container adoption because of security concerns? 6% There s a belief that you have to accept a significant amount of risk to take advantage of containers, but that s not true. Security can and should be embedded into the DevOps life cycle, incorporating vulnerability and configuration assessment of container infrastructure to monitor risks from build to production. Tim Erlin 52% 42% No Yes I don't know 7
Only a few believe they could detect a compromised container within minutes 50 40 30 20 Approximately how long would it take to detect a compromised container or container image? 10 0 12% 45% 26% 6% 2% 2% 7% Minutes Hours Days Weeks Months or longer We could not detect it I don't know 98% want additional security capabilities for container environments What additional security management tools or capabilities would your organization want for container environments? Incident detection and response for containers and infrastructure Isolate containers that behave abnormally More security-focused monitoring of container infrastructure Greater visibility into container risk Monitor containers for drift or behavior changes Attack-blocking technologies for containers Artificial intelligence security analytics for containers Blockchain We don t want anything special for container security 52% 49% 48% 48% 45% 45% 40% 22% 2% 0 10 20 30 40 50 60 8
Who s in charge? IT security is most likely team to have primary responsibility for container security What organization owns primary responsibility for container security? 20% IT Security DevOps 12% 46% DevSecOps 22% Cross-functional team Because of containers, 82% are rethinking security responsibilities with varying results Has container adoption caused your organization to think about restructuring security responsibilities? 10% 18% 17% 21% 35% No, it didn't even cross our minds to think about it Yes, we thought about it but don't see a need to change anything Yes, we have reassigned security responsibility based on container adoption Container adoption is one of the many changes that is making us re-think security We're still thinking about it 9
Tripwire is a leading provider of security, compliance and IT operations solutions for enterprises, industrial organizations, service providers and government agencies. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context; together these solutions integrate and automate security and IT operations. Tripwire s portfolio of enterprise-class solutions includes configuration and policy management, file integrity monitoring, vulnerability management, log management, and reporting and analytics. Learn more at tripwire.com The State of Security: Security News, Trends and Insights at tripwire.com/blog Follow us on Twitter @TripwireInc» Watch us at youtube.com/tripwireinc 2019 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. BRDRSCS1b 1901