betanews.com

Containers are a weak link in supply chain security

The use of container images is growing fast thanks to their flexibility and convenience, but they can also represent a weak cybersecurity link in software supply chains.

A new report from NetRise looks at the scope and scale of the components and risks found across 70 of the most commonly downloaded Docker Hub container images.

"The adoption of container technology is rapidly growing, largely because it is lightweight and easy to manage. However, while containers have changed how many modern applications are designed, deployed, and managed, they appear to be among the weakest cybersecurity links in the software supply chain," says Thomas Pace, CEO of NetRise. "With software supply chain attacks seeing triple-digit increases, our goal is to educate and build awareness with CISOs and enterprise security professionals around the scope and scale of software risks that likely exist within their software supply chains. We want to empower enterprises with software transparency so they can take proactive steps to secure their software ecosystems."

Researchers analyzed 70 randomly selected container images from 250 of Docker Hub's most commonly downloaded images and generated a detailed Software Bill of Materials (SBOM) for them. They found that, on average, each container image had 389 software components.

Worryingly, one in eight components had no software manifest -- they lacked the formal metadata typically found in manifests, as well as details about dependencies, version numbers, or the package's source. This means that traditional container scanning tools that rely on manifests for analysis will have significant visibility gaps, requiring new processes and tooling to mitigate the associated risks properly.

The average container had 604 known vulnerabilities in the underlying software components, with over 45 percent of them between two and more than 10 years old. NetRise threat intelligence finds that over four percent of the 16,557 identified CVEs with a critical or high CVSS severity rating were weaponized vulnerabilities: known to be used by botnets to spread ransomware, used by threat actors, or used in known attacks.

In addition, the research found 4.8 misconfigurations per container, including 146 'world writable and readable directories outside tmp.' The containers also had overly permissive identity controls, with an average of 19.5 usernames per container.
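As an added example (not from the NetRise report or this article), the following POSIX shell functions audit an exported container root filesystem for the two misconfiguration classes named above: world-writable directories outside the temp locations, and the number of usernames defined in the image. The export step shown in the comment and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit an exported container rootfs for the misconfigurations
# the NetRise findings describe. Assumes the image was exported to a directory:
#   docker create --name probe IMAGE && docker export probe | tar -x -C ./rootfs
# Then: count_world_writable_dirs ./rootfs ; count_usernames ./rootfs

# Print every world-writable directory under the rootfs in $1, relative to it,
# skipping /tmp and /var/tmp (where the sticky, world-writable bit is expected).
world_writable_dirs() {
    root=${1%/}
    find "$root" -xdev -type d -perm -0002 \
        ! -path "$root/tmp" ! -path "$root/tmp/*" \
        ! -path "$root/var/tmp" ! -path "$root/var/tmp/*" \
        -print | while IFS= read -r p; do
            printf '%s\n' "${p#"$root"}"
        done
}

# Number of world-writable directories outside the temp locations.
count_world_writable_dirs() {
    world_writable_dirs "$1" | grep -c . || true
}

# Number of usernames defined in the image's /etc/passwd (0 if the file is
# absent); blank lines and comments are not counted.
count_usernames() {
    passwd="${1%/}/etc/passwd"
    if [ ! -f "$passwd" ]; then
        echo 0
        return
    fi
    grep -Evc '^[[:space:]]*(#|$)' "$passwd" || true
}
```

A result of many usernames or any world-writable directory outside /tmp and /var/tmp is a finding to review against the image's intended purpose, not proof of compromise.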

The full report is available from the NetRise site.

Image credit: Arwagula/Dreamstime.com
