97 percent don't recognize the security limitations of containers
A new study finds that only three percent of respondents recognize that a container, in and of itself, is not a security boundary, suggesting that the default security capabilities of containers are overestimated.
The survey, from cloud security company Aqua Security of 150 cloud native security practitioners and executives from IT, Security and DevOps teams, across sectors and geographies, also shows that only 24 percent of respondents have plans in place to deploy the necessary building blocks for runtime security.
"The results of the survey showcase a staggering knowledge gap that leads to an underinvestment in a critical part of full lifecycle, end-to-end security for cloud native applications," says Amir Jerbi, co-founder and CTO at Aqua. "When practitioners fail to implement a holistic approach with protecting their workloads at runtime, they are opening up their environments to attackers, since even the most complete 'shift left' vulnerability and malware detection cannot prevent zero-day attacks and administrator errors."
A knowledge gap around workload protection has led to a striking number of practitioners who believe they are protected from supply chain attacks in production, but in fact are not. While 73 percent believe that they could stop software supply chain attacks evading static analysis, there is an apparent misconception about the role of runtime security in achieving this protection.
Aqua has also found that attackers are becoming more proficient at hiding their methods and evading static scanning, while threats to container based environments have become more dangerous and more varied. Over a six-month period, Aqua has observed honeypots being attacked 17,358 times, a 26 percent increase over the previous six months.
"Holistic cloud native security should be every practitioner's goal. It is not just about runtime security or any other one focus area. It is about ensuring the entire application life cycle is covered, from the build to the infrastructure and the workloads,” adds Jerbi.
The full report is available from the Aqua site.