Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Cloud Security

Misconfiguration a Top Security Concern for Containers

Report Demonstrates that Security Needs to be Included in Containerization

Report Demonstrates that Security Needs to be Included in Containerization

Although the acceptance and adoption of containers within DevOps is growing, concern over their security remains strong. Thirty-five percent of respondents to a new survey believe their company does not adequately invest in container security, while a further 15% don’t think their company takes the threat to containers seriously.

The survey (PDF) was undertaken by StackRox among 230 IT staff — almost half of whom identify IT security as their primary role. More than 45% are employed in companies with more than 10,000 employees, while 58% are employed in either the fintech or technology sectors. The StackRox inaugural report, ‘The State of Container Security’, found that most organizations feel unprepared to adequately secure cloud-native applications, despite the surging adoption of containers and Kubernetes. 

Docker is the most popular container runtime, used by 189 of the respondents. Kubernetes, originally developed by Google, is the most popular container orchestrator, used by 122 of the respondents. Docker Swarm is the second most popular orchestrator, used by 93 of the respondents primarily from the larger organizations with 5,000 or more employees.

Forty percent of the respondents operate their containers in a hybrid environment — both on prem and in the cloud. Twenty-eight percent are cloud only, while a surprising 32% are on premise only. Of those containers in the cloud, 118 of the respondents use AWS, 56 use Azure, and 39 use Google Cloud Platform. “This ranking would be a bit surprising given Google’s industry leadership in container usage and Kubernetes,” comments the report, “but is less surprising given the dominance of large enterprises in our survey pool.”

Misconfiguration within the orchestrator is the biggest security concern at 54% of respondents. These concerns cover both the Docker containers and the Kubernetes orchestrator, Wei Lien Dang, VP of products at StackRox, told SecurityWeek. “Among the best known ‘container attacks’ are the Tesla cryptomining incident on AWS and the Shopify published vulnerability around metadata. Both of those issues stemmed from misconfiguration of the orchestrator.”

In February 2018 it was disclosed by RedLock that a Kubernetes container run by Tesla on AWS had been hijacked and used for cryptomining. Once discovered, Tesla was able to lock down its servers within a day. It’s not that Kubernetes cannot be made secure, it is the complexity and granularity of required access to containers that becomes difficult — and it is this that leads the survey respondents to be concerned about misconfigurations.

“The security challenge for Kubernetes is not the access directly to the platform to log in and launch an attack,” explains Wei Lien Dang. “Rather, it’s that Kubernetes often accidentally gets configured with exposed pieces — the dashboard, for example, or the metadata will be accessible, and itís via those misconfigurations that attacks can happen.”

Advertisement. Scroll to continue reading.

This is exacerbated by the tendency for containers to be under the aegis of DevOps, and for DevOps to not necessarily include security team involvement.

“The group using containers and configuring Kubernetes most often is DevOps,” he continued. “The challenge is for the Security team to be involved in setting the policies and guidelines for securing that infrastructure. The goal of any container security solution should be to help Security bridge into the DevOps world — providing the security oversight and guidance but leveraging the tooling and processing of DevOps.”

Like many powerful platforms, StackRox believes that Kubernetes is best served with an abstraction layer on top. StackRox acts like that security abstraction layer highlighting misconfigurations and pinpointing risks like unnecessary open communications paths that leave assets at risk. 

Commenting on the findings of the survey, Mark Bouchard, co-founder and the COO at research and consulting CyberEdge Group, said, “Human error has been responsible for creating the majority of security risks in every wave of infrastructure change, and it’s no different with containers and Kubernetes. It’s crucial that the security tooling for this infrastructure automatically flags the most well-known misconfigurations across the full ecosystem.”

“StackRox helps with both asset management — simply identifying the breadth of containers deployed — and securing the containers and Kubernetes environments,” explains Wei Lien Dang. “The StackRox Container Security Platform helps secure the images themselves and assess risk during the build process, harden the environment and reduce the attack surface during the deploy phase, and find and stop malicious activities during the runtime phase. The tight integration between the StackRox platform and Kubernetes and the container ecosystem enables security be operationalized across the entire life cycle.”

This would be best managed by the security team. Concern over the security of containers should be the spur to transform company DevOps into company Security DevOps.

“The influence of DevOps and the fast uptake in containerization and Kubernetes have made application development more seamless, efficient and powerful than ever. Yet, our survey results show that security remains a significant challenge in enterprisesí container strategies,” said Kamal Shah, StackRox CEO. “Containers provide a natural bridge for collaboration between DevOps and security teams, but they also introduce unique risks that, if left unchecked, can create real risks for the enterprise.”

Founded in 2014 and headquartered in Mountain View, California, StackRox raised $25 million in Series B funding in April 2018, bringing the total raised to date by the company to more than $39 million.

Related: More Than 21,000 Container Orchestration and API Management Systems Exposed to the Public Internet 

Related: Microsoft Patches Critical Flaw in Open Source Container Library 

Related: Code Execution in Alpine Linux Impacts Containers 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

Professional services company Slalom has appointed Christopher Burger as its first CISO.

More People On The Move

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.