Aqua Security on Thursday released a report which found that only 3% of respondents recognize that a container, in and of itself, does not function as a security boundary. The remaining 97% are, by the report's reading, unaware of this basic container security principle and tend to overestimate the security properties a container has by default.
Amir Jerbi, co-founder and CTO at Aqua, added that security teams should find the number alarming, especially when combined with other survey data showing that only 24% of respondents have plans to deploy the building blocks needed for runtime security.
"The survey results showcase a staggering knowledge gap that leads to an underinvestment in a critical part of full lifecycle, end-to-end security for cloud native applications," Jerbi said. "The default security capabilities of containers and cloud native controls are complex, with multiple layers that might not overlap between orchestrators and containers. With this complexity, practitioners might overestimate the default security. It takes a double-click further down to understand the full implications of the security controls available, and what other controls might be needed to combat the kind of sophisticated attacks we see."
For example, the survey found that only 18% realize they are at risk from zero-days in containerized environments. And while 32% were confident in their overall runtime security protection, fewer than 23% had the necessary building blocks of runtime security in place.
The Aqua Security report clearly shows the importance of network-based ingress and egress security for container clusters, said Vishal Jain, co-founder and CTO at Valtix. "A layered defense approach is critical," Jain said. "That's why it's important to deploy network-based ingress and egress controls for container clusters to look for suspicious activity from nodes with compromised containers."
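The two points made above, that a container is not a security boundary on its own and that clusters need explicit ingress and egress controls, are concrete enough to check against a manifest. The following script is an added example written for this page; it is not from the Aqua report or from any vendor quoted here. It audits Kubernetes manifests for the workload-hardening fields a default pod lacks (non-root user, dropped capabilities, no privilege escalation, read-only root filesystem, a seccomp profile, no shared host namespaces) and then checks whether any NetworkPolicy in the pod's namespace restricts both traffic directions for that pod. The pod and policy manifests, the `shop` namespace, the `app=web` label and the image name are all constructed for the example; only `matchLabels` selectors are evaluated, so `matchExpressions` would need to be added for real clusters.

```python
"""Audit constructed Kubernetes manifests for the controls a container
does not get by default: workload hardening plus NetworkPolicy coverage."""
import json

# Constructed sample manifests (not from the survey or any real cluster),
# written as JSON so the script needs only the standard library.
DEFAULT_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "web-default", "namespace": "shop", "labels": {"app": "web"}},
 "spec": {"containers": [{"name": "web", "image": "example.invalid/web:1.0"}]}}
""")

HARDENED_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "web-hardened", "namespace": "shop", "labels": {"app": "web"}},
 "spec": {
   "securityContext": {"runAsNonRoot": true, "runAsUser": 10001,
                       "seccompProfile": {"type": "RuntimeDefault"}},
   "containers": [{"name": "web", "image": "example.invalid/web:1.0",
     "securityContext": {"allowPrivilegeEscalation": false,
                         "readOnlyRootFilesystem": true,
                         "capabilities": {"drop": ["ALL"]}}}]}}
""")

# Constructed default-deny policy for app=web in the shop namespace; only
# DNS egress is allowed so the pod can still resolve names.
DEFAULT_DENY_WEB = json.loads("""
{"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
 "metadata": {"name": "web-default-deny", "namespace": "shop"},
 "spec": {"podSelector": {"matchLabels": {"app": "web"}},
          "policyTypes": ["Ingress", "Egress"],
          "ingress": [],
          "egress": [{"ports": [{"protocol": "UDP", "port": 53}]}]}}
""")


def audit_pod(pod):
    """Return a list of hardening controls the pod does not set.

    An empty list means every checked control is present."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    findings = []
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod shares host namespace: {key}")
    for c in spec.get("containers", []):
        name = c["name"]
        sc = c.get("securityContext", {})
        # Container-level settings override pod-level ones for these fields.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if sc.get("privileged"):
            findings.append(f"{name}: privileged")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem not true")
        if run_as_non_root is not True:
            findings.append(f"{name}: runAsNonRoot not true")
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile (runs Unconfined)")
    return findings


def network_policy_coverage(pod, policies):
    """Return the set of directions ('Ingress', 'Egress') that at least one
    NetworkPolicy in the pod's namespace restricts for this pod.
    Only matchLabels selectors are evaluated (simplification)."""
    ns = pod["metadata"].get("namespace", "default")
    labels = pod["metadata"].get("labels", {})
    covered = set()
    for pol in policies:
        if pol["metadata"].get("namespace", "default") != ns:
            continue
        selector = pol["spec"].get("podSelector", {}).get("matchLabels", {})
        # An empty podSelector selects every pod in the namespace.
        if any(labels.get(k) != v for k, v in selector.items()):
            continue
        # Kubernetes defaults when policyTypes is omitted: Ingress is always
        # implied, Egress only if egress rules are present.
        types = pol["spec"].get("policyTypes")
        if types is None:
            types = ["Ingress"] + (["Egress"] if "egress" in pol["spec"] else [])
        covered.update(types)
    return covered


def missing_network_controls(pod, policies):
    """Directions left unrestricted for the pod, sorted for stable output."""
    return sorted({"Ingress", "Egress"} - network_policy_coverage(pod, policies))


if __name__ == "__main__":
    for pod in (DEFAULT_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "->", audit_pod(pod) or "no workload findings")
    print("no policy  ->", missing_network_controls(DEFAULT_POD, []))
    print("with policy->", missing_network_controls(DEFAULT_POD, [DEFAULT_DENY_WEB]))
```

Run against live manifests, the same checks would take `kubectl get pod ... -o json` and `kubectl get networkpolicy -n <ns> -o json` as input; the point of the example is that the unmodified `DEFAULT_POD` fails every workload check and has no network restriction at all, which is exactly the "default security" that survey respondents overestimate.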
Michael Isbitski, technical evangelist at Salt Security, added that he has spent many days as an analyst explaining the pros and cons of native container security versus third-party container security offerings from vendors like Aqua and StackRox.
“Situations with container security also get worse than what the survey highlights,” Isbitski said. “Practitioners sometimes misunderstand the application security and API security benefits of container security, whether it is from native container runtime features or third-party add-ons. Container security tooling focuses heavily on securing container images, container workloads, and container platforms. Application-layer and API security are still largely out of scope for container security.”