Академический Документы
Профессиональный Документы
Культура Документы
Tripwire
State of
Container Security
Report
January 2019
FOUNDATIONAL CONTROLS FOR
SECURITY, COMPLIANCE & IT OPERATIONS
As DevOps continues to drive increased
use of containers, security teams are
struggling to secure these new assets
and processes. This report explores the
Number of containers in production
challenges that organizations actively
using containers today are facing, as
well as the real consequences they have 14% 22% 33% 19% 7% 6%
experienced.
Demographics
Survey respondents included 311 IT
security professionals who manage
environments with containers at
Industry
companies with over 100 employees.
Eight-six percent (269) had containers
inproduction.
Technology 33%
Financial Services and Insurance 14%
41%
Retail 5%
Energy and Utilities 4%
39%
Transportation 2%
Non-Profit 1%
Food and Beverage 1%
Other 3%
100–1,000 employees
0 5 10 15 20 25 30 35
1,000–5,000 employees
2
94% are concerned
about container security
How concerned are you about
security in container environments?
94%
43% 51% 6%
0 20 40 60 80 100
Not Concerned
Somewhat Concerned
Very Concerned
How concerned are you about How concerned are you about
security in container environments? security in container environments?
40 40 40
30 30 30
20 20 20
10
31% 34% 45% 54% 10 61% 39% 10 53% 35%
0 0
0
3
Top concerns about container
security
0 10 20 30 40 50 60
0 5 10 15 20 25 30
4
Those with the most containers in
production were more likely to acknowl-
Those with the most containers in edge that some of those containers are
vulnerable.
production have ignored security issues
“With the increased growth and adoption
Do you currently have vulnerable containers of containers, security practitioners
deployed in production at this time? are feeling the pressure to speed
By # of containers in production their deployment. To keep up with the
demand, teams are accepting unneces-
Yes, we have them and know
sary risks by not securing containers.”
what the vulnerabilities are
More than 100 26% 32% 13% 18% 4% 7% but have deployed anyway —Tim Erlin, Vice President of Product
We know we have them, but
Management and Strategy at Tripwire
we don't know exactly what
the vulnerabilities are
I don't know
Less than 10 7% 29% 18% 39% 4% 4%
30
I don't know
25 More than 100 17% 7% 28% 40% 8%
20 More then 6
15
10-100 26% 6% 37% 21% 11%
2-5
10
Just one
5 3% 3%
29% 10% 27% 12% 6% 11%
0 Less than 10 35% 16% 18% 15% 16%
None
26-100 2-5
0 20 40 60 80 100
5
Organizations are bracing for a rise in
container-related security incidents.
Most expect rate of security-related security
incidents to increase in the coming year
How do you expect the rate of container-related
security incidents to change in the coming year?
71%
0 20 40 60 80 100
Decrease dramatically
Decrease slightly
No change
Increase slightly
Increase dramatically
0 10 20 30 40 50 60 70
6
“There’s a belief that you have to accept
a significant amount of risk to take
42% are limiting container advantage of containers, but that’s
not true. Security can and should be
adoption because of security risks embedded into the DevOps life cycle,
incorporating vulnerability and con-
Has your company delayed or limited container figuration assessment of container
infrastructure to monitor risks from
adoption because of security concerns? build to production.”
—Tim Erlin
6%
52% 42%
No
Yes
I don't know
7
Only a few believe they could detect a
compromised container within minutes
Approximately how long would it take to detect
a compromised container or container image?
50
40
30
20
10
12% 45% 26% 6% 2% 2% 7%
0
Minutes Weeks
Hours Months or longer
Days We could not detect it
I don't know
environments 48%
Greater visibility into container risk
0 10 20 30 40 50 60
8
Who’s in charge?
20%
IT Security
46%
12%
DevOps
DevSecOps 22%
Cross-functional team
10% 18%
17%
35%
21%
9
Tripwire is a leading provider of security, compliance and IT operations solutions for enterprises, industrial
organizations, service providers and government agencies. Tripwire solutions are based on high-fidelity
asset visibility and deep endpoint intelligence combined with business context; together these solutions
integrate and automate security and IT operations. Tripwire’s portfolio of enterprise-class solutions
includes configuration and policy management, file integrity monitoring, vulnerability management,
log management, and reporting and analytics. Learn more at tripwire.com