The Package Popularity Trap

Widely-used software packages appear to pose the greatest security risks according to container vulnerability scanners, but closer examination tells another story.
Ayse Kaya
Apr 23, 2023

[Figure: Force-Directed Graph of Container-Package Mappings]

Recent analysis conducted by our team at Slim has revealed an intriguing paradox: the most widely utilized and popular packages also happen to harbor the greatest number of CVEs, which in turn signifies a greater security threat.

However, this trend can, perhaps, be attributed to a simple byproduct of heightened scrutiny: as the spotlight shines brighter, so too does our awareness of shortcomings and imperfections. One mustn't overlook the long tail of packages, as they are not necessarily vulnerability-free; rather, our limitations in terms of human capacity prevent us from uncovering all potential threats without an army of security researchers at our disposal. Recent developments in Generative AI will certainly challenge this dynamic.

Here, I share our most recent deep-dive into the world of container-based CVEs, first released at RSA Conference 2023 earlier this week, and then explore how advancements in Generative AI might impact the way we manage and remediate vulnerabilities in the future.

Our findings

Our research team has analyzed more than three million individual container IDs, utilizing SBOM and vulnerability scanning tools to generate unique profiles and gain insights into the current state of container security. Our analysis covered more than 54,000 packages (purls) containing 7.5K distinct CVEs.

Our findings highlight the massive attack surface that developers and DevSecOps teams need to deal with on a daily basis, and the huge level of complexity that organizations face in implementing vulnerability remediation programs.

Popularity Drives Vulnerability Discovery

A small number of packages account for a large proportion of the CVEs that DevSecOps teams encounter daily. The top one percent of packages by popularity (i.e., the frequency with which they appear in container images) are responsible for 25 percent of the overall vulnerability count. This highlights the importance of prioritizing and addressing the most critical vulnerabilities in widely used packages.

The data shows that package popularity influences the likelihood of being impacted by CVEs. Packages in five popular containers have, on average, eight CVEs, with 17 percent being impacted. As the number of containers sharing a package increases, so does the likelihood that the package has known CVEs. For example, packages shared by 20 or more containers have 15 CVEs on average, with 25 percent being impacted. Those shared by 30 or more containers have 26 CVEs on average, with 36 percent being impacted.

However, this finding may make the vulnerability problem sound simpler than it really is.

The potential for a false sense of security

The uncharted territory in the container landscape related to CVEs is huge. These results may be more emblematic of where security researchers focus their attention (they tend to spend time on high-profile packages) than of the actual security of the packages themselves.

[Figure: Vulnerabilities by popularity]

We found that 86 percent of packages report zero known vulnerabilities. But organizations that assume those are OK to ship may be walking into a trap. The simple fact that these packages have not yet been as tempting an attack target as the more widely deployed ones does not imply security, any more than a decade of leaving a door unlocked without incident means that it will still be safe to do so tonight.
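As an added illustration of the analysis described in the popularity section and the zero-CVE trap above (example code, not Slim's own tooling or data), the following script takes a container-to-purl mapping plus scanner output, computes popularity buckets (average CVE count and share of impacted packages), the share of findings attributable to the most popular packages, and lists zero-CVE packages that appear in so few images that "clean" more likely means "unscrutinized". All sample data and CVE identifiers are constructed placeholders, and "popularity" is assumed to mean the number of distinct containers shipping a purl.

```python
import math
from collections import defaultdict
from statistics import mean

# Constructed sample data (not Slim's dataset): container image -> purls it ships.
CONTAINER_PACKAGES = {
    "img-1": {"pkg:deb/openssl", "pkg:deb/zlib", "pkg:deb/curl", "pkg:deb/libfoo"},
    "img-2": {"pkg:deb/openssl", "pkg:deb/zlib", "pkg:deb/curl", "pkg:deb/libfoo"},
    "img-3": {"pkg:deb/openssl", "pkg:deb/zlib", "pkg:deb/curl", "pkg:deb/libbar"},
    "img-4": {"pkg:deb/openssl", "pkg:deb/zlib", "pkg:deb/libbaz"},
    "img-5": {"pkg:deb/openssl", "pkg:deb/zlib", "pkg:deb/libqux"},
    "img-6": {"pkg:deb/openssl"},
}
# Constructed: purl -> CVE ids a scanner reported (placeholder ids, not real CVEs).
PACKAGE_CVES = {
    "pkg:deb/openssl": {"CVE-EXAMPLE-1", "CVE-EXAMPLE-2", "CVE-EXAMPLE-3"},
    "pkg:deb/zlib": {"CVE-EXAMPLE-4"},
    "pkg:deb/curl": {"CVE-EXAMPLE-5", "CVE-EXAMPLE-6"},
    "pkg:deb/libqux": {"CVE-EXAMPLE-7"},
}

def popularity(container_packages):
    """Popularity of a purl = number of distinct containers that ship it (assumed definition)."""
    counts = defaultdict(int)
    for purls in container_packages.values():
        for purl in purls:
            counts[purl] += 1
    return dict(counts)

def bucket_stats(container_packages, package_cves, min_containers):
    """Average CVE count and share of impacted purls among those shared by >= min_containers images."""
    shared = [p for p, n in popularity(container_packages).items() if n >= min_containers]
    if not shared:
        return None
    cves = [len(package_cves.get(p, ())) for p in shared]
    impacted = sum(1 for c in cves if c > 0)
    return {"packages": len(shared), "avg_cves": mean(cves),
            "pct_impacted": 100.0 * impacted / len(shared)}

def top_share(container_packages, package_cves, fraction):
    """Share of all findings (one finding per CVE per container) from the top `fraction` of purls by popularity."""
    pop = popularity(container_packages)
    findings = {p: n * len(package_cves.get(p, ())) for p, n in pop.items()}
    total = sum(findings.values())
    ranked = sorted(pop, key=lambda p: (-pop[p], p))  # most popular first, ties by name
    top = ranked[:max(1, math.ceil(fraction * len(ranked)))]
    return 100.0 * sum(findings[p] for p in top) / total if total else 0.0

def unscrutinized(container_packages, package_cves, max_containers):
    """Zero-CVE purls seen in at most max_containers images: treat as unexamined, not as safe."""
    pop = popularity(container_packages)
    return sorted(p for p, n in pop.items() if n <= max_containers and not package_cves.get(p))
```

Point `CONTAINER_PACKAGES` and `PACKAGE_CVES` at your own SBOM and scanner exports to reproduce the same buckets for your fleet; the `unscrutinized` list is the set to review by hand rather than wave through.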

This is an area where Generative AI is sure to change the game in the long run, but in the short term, we are sure to see more zero-day incidents. Suddenly, aiming your skills and tools at narrowly deployed packages can be profitable, even if only one or two images in the whole world use them. If nothing else, such exploits can be stockpiled in reserve, waiting for a worthwhile target to adopt and deploy them. (See Stuxnet's use of four zero-day vulnerabilities, for example.)

CVE Detection Has Gotten Faster — But Is About To Be Disrupted

We now detect CVEs at twice the rate we did five years ago. This increased detection rate is likely due to more security researchers, an enhanced focus on CVEs and containers, improved scanning tools, increased awareness, and a larger number of software packages being scrutinized.

[Figure: CVEs Discovered over time]

This increase is still on a human scale and relies on several manual processes and human-generated code. As Generative AI begins to both write code itself and be used on both sides of the cybersecurity landscape, we'll begin to see (one hopes) fewer exploits created by human error and faster discovery of exploits through automated processes.

Conclusion

These findings warrant more research and discussion on the need to better understand and secure our containers, lest development teams get lost in a sea of new vulnerabilities.

The faster detection rate of CVEs, the prevalence of vulnerabilities in popular packages, and the dominance of the top one percent of packages in vulnerability counts emphasize the importance of robust container security practices.

DevSecOps teams must remain vigilant and proactive in their efforts to secure containers, ensuring that applications are built on secure foundations and that dependencies are regularly updated to minimize the risks associated with known vulnerabilities.

Join me and other industry leaders at Open Source Summit North America to explore this topic in more depth.
