Containers have 600+ vulnerabilities on average

Containers are the fastest growing – and weakest cybersecurity link – in software supply chains, according to NetRise.

Companies are struggling to get container security right. Issues from misconfigured clouds, containers, and networks to uncertainty over who owns container security throughout the software’s lifecycle persist. And yet, according to a 2022 Anchore report, enterprises plan to expand container adoption over the next 24 months, with 88% planning to increase container use and 31% planning to increase container use significantly.

However, as of 2024, we are starting to see a recognition of container security issues, as a recent report by Red Hat indicates that 67% of organizations have delayed or slowed down application deployment due to security concerns related to containers and Kubernetes.

Reliance on containerized applications comes with cybersecurity challenges

The increasing reliance on containerized applications comes with two cybersecurity challenges:

• The need to maintain visibility of the detailed software components in containers and their provenance and
• Identifying and prioritizing vulnerabilities and risks within the containers’ components.

NetRise researchers analyzed 70 randomly selected container images from 250 of Docker Hub’s most commonly downloaded images and generated a detailed Software Bill of Materials (SBOM). They found that, on average, each container image had 389 software components.

Researchers found that 1 in 8 components had no software manifest—they lacked the formal metadata typically found in manifests, as well as details about dependencies, version numbers, or the package’s source. This means that traditional container scanning tools that rely on manifests for analysis will have significant visibility gaps, requiring new processes and tooling to mitigate the associated risks properly.

The average container had 604 known vulnerabilities in the underlying software components, with over 45% being 2 to 10-plus years old. NetRise threat intelligence found that over 4% of the 16,557 identified CVEs with a Critical or High CVSS Severity ranking were weaponized vulnerabilities known by botnets to spread ransomware, used by threat actors, or used in known attacks.

Additionally, they found 4.8 misconfigurations per container, including 146 “world writable and readable directories outside tmp,” the containers had overly permissive identity controls with an average of 19.5 usernames per container.

Understanding software risks starts with full visibility

The lack of transparency within the software supply chain is business-critical for organizations worldwide. The bottom line is that transparency into the contents of commercial software, including containerized software, is essential.

As a starting point, organizations need comprehensive visibility in their software to understand the scope, scale, and related risks. Advanced technology can provide organizations with much-needed insights to enrich and feed asset discovery, vulnerability management, and intrusion detection tools used within security operations with detailed SBOM development for all software, detection of vulnerabilities and non-CVE risks, and prioritization of all identified software supply chain risks.

“The adoption of container technology is rapidly growing, largely because it is lightweight and easy to manage. However, while containers have changed how many modern applications are designed, deployed, and managed, they appear to be among the weakest cybersecurity links in the software supply chain,” said Thomas Pace, CEO of NetRise.