Containers — virtualized applications that are key to DevOps — are maturing as critical parts of enterprise application infrastructures. And even though security strategies are maturing, organizations are still struggling to have security keep up with the other facets of container deployment.
A new report, sponsored by StackRox and based on research by AimPoint Group, shows that more than a third of companies haven't begun to implement a container security policy yet. While 15% say their company is in the planning stage with its container security strategy, 19% say that they haven't even gotten that far.
Part of the problem, says StackRox CEO Kamal Shah, is the complexity of the environment into which containers are being deployed. While many people look at containers as a technology for the cloud, Shah says, "We found that 70% are running containers on-prem and 53% are running in hybrid mode, which means running it on-premises as well as on one of the public cloud platforms."
Companies are turning to containers because the speed of deployment in containers is critical for organizations that are implementing agile or DevOps disciplines. And studies by other researchers show that some container practices, such as downloading and reusing popular pre-existing application images, don't insulate a company from security issues.
Jerry Gamblin, principal security engineer at Kenna Security, scanned the 1,000 most popular application images and found that over 60% of the top Docker files held a vulnerability with at least a moderate risk score, and over 20% of the files contained at least one vulnerability that would be considered high risk. [Note: A container is a ..
Support the originator by clicking the read the rest link below.
