The StackRox report aimed to understand how container and Kubernetes adoption trends intersected with security concerns - how prepared organizations felt to handle security, how the environments in which they were running containers affected security, and who in the organization bore the greatest responsibility for container security. Notable findings from "The State of Container Security" report include:
- More than a third of organizations with concerns about their container strategy worry that their strategies don't adequately address container security
- An additional 15 percent believe their strategies don't take seriously enough the threat to containers and Kubernetes deployments
- More than one-third of respondents haven't started or are just creating their security strategy plans
Digging into the sources of concern over container security, survey respondents focused on misconfigurations and runtime security as their primary sources of concern:
- Fifty-four percent of respondents said risks driven by misconfigurations and accidental exposures is their primary concern
- A near majority of respondents, 44 percent, indicated that runtime, vs. build and deploy, is the phase they are most concerned about from a security perspective
Despite the concerns over the runtime phase of the lifecycle, the dominance of concerns over misconfigurations is likely the result of a number of recent high-profile attacks and exposures on Kubernetes deployments, such as the cryptomining attack on Tesla's deployment on Amazon Web Services and Shopify's publishing of the risk of Kubernetes metadata exposure.
Infrastructure portability is often cited as one of the top reasons to run containers and Kubernetes, and the StackRox report highlights the dominance of hybrid deployment. A surprising percentage of respondents are running their containerized applications only on premise, however:
- Seventy percent of respondents overall are running containers on premise, with 32 percent running only on premise
- About 40 percent of respondents are running containers in hybrid environments, both on premise and in the cloud
- Just under 30 percent of respondents are running only in the cloud
As for who in the organization should take lead running container security, DevOps and DevSecOps top the list.
"The DevOps-induced ‘shift left' approach enabled by containerization is fundamentally changing how developers and security teams are interacting in the enterprise, forcing alignment and collaboration like never before," said Mark Bouchard, Vice President of Research and COO, CyberEdge Group. "For organizations to realize more of the technical advantages of microservices, containers and Kubernetes, they will need container security technologies that integrate increasingly early into the software development life cycle."
The report demonstrates that containers provide an impetus and an opportunity to build a stronger bridge between DevOps and security. Results reveal that deeper container security planning, further integration among DevOps and security teams, and the more widespread adoption of key security technologies are necessary to increase the holistic security of containers and Kubernetes deployments. The complete report provides a number of conclusions that outline key implications for organizations in need of a stronger container security strategy and the specific security elements they need to meet enterprise objectives.
"The influence of DevOps and the fast uptake in containerization and Kubernetes have made application development more seamless, efficient and powerful than ever. Yet, our survey results show that security remains a significant challenge in enterprises' container strategies," said Kamal Shah, StackRox CEO. "Containers provide a natural bridge for collaboration between DevOps and security teams but they also introduce unique risks that, if left unchecked, can create real risks for the enterprise."
To download a full copy of the StackRox report, The State of Container Security, click here.