Three years ago we launched our first Container Report, in which we dissected the top 100 public containers on Docker Hub, and we were surprised to find a large number of vulnerabilities in the most commonly used public containers.
Last year, we expanded our data set to 165 containers and commissioned a global study of software engineering professionals. Alarmingly, we found even more high and critical vulnerabilities across all categories. In addition, we found a disconnect between executives and front-line engineers: 49% of executives thought their company’s containers were being slimmed and hardened, but less than 26% of those doing the actual work said they understood how to do it.
Our 2023 research reveals some progress: discussions about supply chain security have moved up to the board level. However, other news is more sobering. Organizations need to learn exactly how to address security in the upstream dependencies of the applications and the containers they run on. Our research found that despite dedicating significant resources to fight the influx of vulnerabilities, 50% of organizations are greatly struggling and more than 40% are stuck in reactive mode.
Finding #1: The Struggle Is Real In Vulnerability Remediation
We found that only 12% of security leaders claimed to have achieved their vulnerability remediation goals, with 40% admitting a mostly reactive approach across IT Operations, Security, and DevOps teams.
Finding #2: Software Supply Chain Security Is a Team Sport
The intricate network effects between software consumers (i.e., buyers) and producers (i.e., vendors) manifest in container security and require extensive collaboration. Companies typically receive software containers from dozens of vendors, exchanging hundreds of containers each month. The communication overhead to secure containers across company lines strains both sides, with 63% struggling to manage multiple software producers and 67% noting that external container images increase their attack surface.
Finding #3: The Spreadsheet Must Die: New Communication Norms Required in Vulnerability Remediation
Simply sharing a vulnerability spreadsheet with your vendor’s SecOps team is a normal practice in today’s consumer-producer relationship. An alarming 75% of organizations are doing this, while 63% hold tedious ad-hoc meetings with vendors. Security leaders are loud and clear in their desire to have a centralized collaboration platform for managing vulnerabilities (84%).
Finding #4: Alert Fatigue and False Positives
Organizations are inundated with frequent vulnerability alerts and a high rate of false positives, leading to alert fatigue. Forty-four percent of organizations encounter vulnerabilities in production systems that must be addressed immediately several times a week, with 36% detecting them daily. The plurality of organizations estimate that more than 40% of vulnerability alerts are false positives.
These results correlate with SlimAI data on public containers. In 2023, CVE counts rose by 39% over last year, despite significant acceleration in open-source package updates, container releases, and incident response.
Finding #5: Increasing Regulatory Pressure
One in three organizations grapples with evolving compliance and regulatory guidelines, with 85% completing extra work to comply with Executive Orders, adding layers of complexity for IT teams.
Finding #6: The Real Cost of Vulnerabilities: Innovation and Growth
Vulnerability backlogs hamper business innovation, performance, productivity, and team dynamics, according to our surveyed leaders. For example, 46% of organizations experience performance issues and downtime as a result of a failure to effectively remediate vulnerabilities in their containers.
This year, we tripled the number of containers in our data set over 2022. We examined hundreds of containers across all major public repositories including Docker Hub, AWS ECR, and Quay. We also added a separate dataset of 40+ Community Images to better understand real-world scenarios. Finally, we partnered with the research firm Enterprise Strategy Group (ESG) for a survey of 250 top IT, security and engineering executives in North America.
A customer recently told us, “Software supply chain security is like AI: Everyone is doing it and no one knows what it is.” Our 2023 Container Report underscores just how true that is. Software engineering and security teams far too often find themselves playing defense against an unrelenting flood of security challenges, and this reactive posture inevitably places them behind the curve in a landscape that demands proactive and preemptive measures. The findings of this year’s report are stark but instructive: they lend hope that communication and cooperation between software producers and consumers all along the supply chain can help us transform the daunting complexity of container vulnerability management into opportunities for growth and resilience.