Yes, we know containers are insecure. No, we won’t stop deploying them…

container security

Almost half of organizations running containers in production know they contain security vulnerabilities, and almost as many simply don’t know, but they’re all going to carry on deploying the technology anyway.

According to research by Tripwire, a mere 7 per cent of respondents were confident their production containers were vulnerability free – though their peers might think this confidence is likely misplaced.

Tripwire’s study covered 311 security pros in 100 companies, of whom 269 had containers running in production. Over 43 per cent were “very concerned” over container security, and 51 per cent were “somewhat concerned”.

Worry rates went up the more containers an organisation had in production, with 45 per cent of respondents with 10 to 100 containers saying they were “very concerned”.

Inadequate container security knowledge was the most cited concern, at 54 per cent, with concerns over visibility into containers coming second, at 52 per cent. The inability to assess risk in container images pre-deployment irked 43 per cent of respondents, while 42 per cent were concerned over the lack of tools to secure containers.

Luckily for companies pushing the technology – and presumably miscreants looking to exploit vulnerabilities in – security concerns don’t seem to be slowing the rush to containerization.

While 42 per cent of respondents said they were limiting container adoption because of security fears, far more – 52 per cent – were happy to press on regardless.

Of the respondents with containers in production, 17 per cent said they knew they had containers with known vulnerabilities, but had deployed them all the same. Another 30 per cent said they knew there were vulnerabilities in their deployed containers, but weren’t exactly sure where.

Those with the most containers were also the most likely to have gone ahead and deployed them anyway. Of respondents with more than 100 containers in production, just over a quarter had deployed containers they knew had vulnerabilities. The comparable figure for organisations running 10-100 containers was 10 per cent.

Unsurprisingly, 60 per cent of respondents had had a container security incident over the last year, with 3 per cent experiencing more than 100 incidents, and the same amount experiencing between 26 and 100 incidents. Equally unsurprisingly, 71 per cent of respondents expect the rate of container security incidents to rise this year.

Not that they’ll know about it anytime soon. Just 12 per cent of respondents reckoned they’d know about an incident within minutes. A chunky 45 per cent reckoned they should know in hours, while just over a quarter admitted it would take days before they realised if they had a compromised container in production.