RESEARCH

Tripwire
State of
Container Security
Report
January 2019

FOUNDATIONAL CONTROLS FOR 
SECURITY, COMPLIANCE & IT OPERATIONS
As DevOps continues to drive increased
use of containers, security teams are
struggling to secure these new assets
and processes. This report explores the
Number of containers in production
challenges that organizations actively
using containers today are facing, as
well as the real consequences they have 14% 22% 33% 19% 7% 6%
experienced.

Highlights include: 0 20 40 60 80 100

»» 94% are concerned about container
None—We don't use containers in production
security
»» 60% have had container security Fewer than 10
incidents in the past year 10–100
»» 47% have vulnerable containers in 100–500
production and 46% don’t know if they
do 500–1,000
More than 1,000

Demographics
Survey respondents included 311 IT
security professionals who manage
environments with containers at
Industry
companies with over 100 employees.
Eight-six percent (269) had containers
inproduction.
Technology 33%
Financial Services and Insurance 14%

Company size Manufacturing 9%

Healthcare 8%
Education 8%
Government 6%
20% Services 6%

41%
Retail 5%
Energy and Utilities 4%

39%
Transportation 2%
Non-Profit 1%
Food and Beverage 1%
Other 3%

100–1,000 employees

0 5 10 15 20 25 30 35
1,000–5,000 employees

More than 5,000 employees

2
 94% are concerned
about container security
How concerned are you about
security in container environments?

94%
43% 51% 6%

0 20 40 60 80 100

Not Concerned
Somewhat Concerned
Very Concerned

The concern increases with the number of containers in

production, and is higher among those with more container
security expertise.

By # of containers By security focus and

in production knowledge of containers

How concerned are you about How concerned are you about
security in container environments? security in container environments?

“Very Concerned” “Very Concerned”

60 60 60
50 50 50

40 40 40

30 30 30

20 20 20

10
31% 34% 45% 54% 10 61% 39% 10 53% 35%
0 0
0

More than 10 containers Security Focus Container Security

10–100 containers
Fewer than 10 containers Entire job Very Knowledgeable
None (Development only) Major Part of job Somewhat Knowledgeable

3
Top concerns about container
security

What specific security concerns Inadequate container security

54%
knowledge among teams
do you have about containers?
Visibility into security of containers
and container images is limited 52%
Inability to assess risk in container
images prior to deployment 43%
Lack of tools of defectively secure containers 42%
Insufficient process to handle fundamental
differences in securing containers 40%
Not able to assess risk in deployed containers 38%
I have no concerns about container security 5%

0 10 20 30 40 50 60

Organizations are accepting risk

and facing consequences
Of the 269 respondents with containers
in production:
47% have vulnerable containers in
production and 46% don’t know if they do
Do you currently have vulnerable containers
deployed in production at this time?  

Yes, we have them and know what the

vulnerabilities are, but have deployed anyway 17%
We know we have them, but we don’t know
exactly what the vulnerabilities are 30%
We think we have some, but we don’t know for sure 22%
We think we don’t have any,
but we don’t know for sure 20%
I don’t know 4%
No, none of our production
containers have vulnerabilities 7%

0 5 10 15 20 25 30

4

Those with the most containers in
production have ignored security issues
Do you currently have vulnerable containers
deployed in production at this time?
By # of containers in production
More than 100 26% 32% 13% 18% 4% 7%
Those with the most containers in
production were more likely to acknowl-
edge that some of those containers are
vulnerable.
“With the increased growth and adoption
of containers, security practitioners
are feeling the pressure to speed
their deployment. To keep up with the
demand, teams are accepting unneces-
Yes, we have them and know
sary risks by not securing containers.”
what the vulnerabilities are
but have deployed anyway —Tim Erlin, Vice President of Product
We know we have them, but
Management and Strategy at Tripwire
we don't know exactly what
the vulnerabilities are

9% We think we have some,

10-100 10% 27% 36% 14%4%
but don't know for sure

We think we don't have any,

but we don't know for sure

I don't know
Less than 10 7% 29% 18% 39% 4% 4%

No, none of our production

containers have vulnerabilities
0 20 40 60 80 100 120

The more containers deployed,

60% have had container
the more likely there had been
security incidents in the past year a container security incident.
Approximately how many security
incidents have occurred in your container Approximately how many security incidents have occurred
infrastructure in the past 12 months? in your container infrastructure in the past 12 months?
(By # of containers in production)

30
I don't know
25 More than 100 17% 7% 28% 40% 8%

20 More then 6

15
10-100 26% 6% 37% 21% 11%
2-5
10
Just one
5 3% 3%
29% 10% 27% 12% 6% 11%
0 Less than 10 35% 16% 18% 15% 16%
None

I don't know 11-25 Just one

More than 100 6-10 None None (Dev only) 55% 14% 19% 2% 10%

26-100 2-5
0 20 40 60 80 100

5
Organizations are bracing for a rise in
container-related security incidents.
Most expect rate of security-related security
incidents to increase in the coming year
How do you expect the rate of container-related
security incidents to change in the coming year?

71%

13% 58% 21% 7% 1%

0 20 40 60 80 100

Decrease dramatically
Decrease slightly
No change
Increase slightly
Increase dramatically

Top reasons for increased

security incidents
n = expect security incidents to increase

Increased adoption of container

technology will increase risk 61%

Containers will increasingly be used for

mission-critical systems that are more 52%
likely to be targeted

Hackers will target new

technology while it is weak 52%

Lack of security best practices for

containers will leave them vulnerable 49%

0 10 20 30 40 50 60 70

6

42% are limiting container
adoption because of security risks
Has your company delayed or limited container
adoption because of security concerns?
“There’s a belief that you have to accept
a significant amount of risk to take
advantage of containers, but that’s
not true. Security can and should be
embedded into the DevOps life cycle,
incorporating vulnerability and con-
figuration assessment of container
infrastructure to monitor risks from
build to production.”
—Tim Erlin

6%

52% 42%

No

Yes

I don't know

7
 Only a few believe they could detect a
compromised container within minutes
Approximately how long would it take to detect
a compromised container or container image?

50

40

30

20

10
12% 45% 26% 6% 2% 2% 7%
0
Minutes Weeks
Hours Months or longer
Days We could not detect it
I don't know

98% want additional

security capabilities
Incident detection and response for
containers and infrastructure 52%
Isolate containers that
49%
for container
behave abnormally
More security-focused monitoring
of container infrastructure 48%

environments 48%
Greater visibility into container risk

Monitor containers for drift

or behavior changes 45%
What additional security Attack-blocking technologies for containers 45%
management tools or Artificial intelligence security
40%
analytics for containers
capabilities would your Blockchain 22%
organization want for We don’t want anything
2%
container environments? special for container security

0 10 20 30 40 50 60

8
Who’s in charge?

IT security is most likely team to have

primary responsibility for container security
What organization owns primary
responsibility for container security?

20%
IT Security
46%
12%
DevOps

DevSecOps 22%
Cross-functional team

Because of containers, 82% are rethinking

security responsibilities—with varying results
Has container adoption caused your organization
to think about restructuring security responsibilities?

10% 18%

17%

35%
21%

Container adoption is one

No, it didn't even cross our minds
of the many changes that is
to think about it
making us re-think security
Yes, we thought about it but don't
see a need to change anything We're still thinking about it
Yes, we have reassigned security
responsibility based on container adoption

9
 Tripwire is a leading provider of security, compliance and IT operations solutions for enterprises, industrial
organizations, service providers and government agencies. Tripwire solutions are based on high-fidelity
asset visibility and deep endpoint intelligence combined with business context; together these solutions
integrate and automate security and IT operations. Tripwire’s portfolio of enterprise-class solutions
includes configuration and policy management, file integrity monitoring, vulnerability management,
log management, and reporting and analytics. Learn more at tripwire.com

The State of Security: Security News, Trends and Insights at tripwire.com/blog

Follow us on Twitter @TripwireInc » Watch us at youtube.com/TripwireInc

©2019 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc.

All other product and company names are property of their respective owners. All rights reserved. BRDRSCS1b 1901