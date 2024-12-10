Containers are a weak link in supply chain security


The use of container images is growing fast thanks to their flexibility and convenience, but they can also represent a weak cybersecurity link in software supply chains.

A new report from NetRise looks at the scope and scale of the components and risks found across 70 of the most commonly downloaded Docker Hub container images.

"The adoption of container technology is rapidly growing, largely because it is lightweight and easy to manage. However, while containers have changed how many modern applications are designed, deployed, and managed, they appear to be among the weakest cybersecurity links in the software supply chain," says Thomas Pace, CEO of NetRise. "With software supply chain attacks seeing triple-digit increases, our goal is to educate and build awareness with CISOs and enterprise security professionals around the scope and scale of software risks that likely exist within their software supply chains. We want to empower enterprises with software transparency so they can take proactive steps to secure their software ecosystems."

Researchers analyzed 70 randomly selected container images from 250 of Docker Hub's most commonly downloaded images and generated a detailed Software Bill of Materials (SBOM) for them. They found that, on average, each container image had 389 software components.

Worryingly, one in eight components had no software manifest -- they lacked the formal metadata typically found in manifests, as well as details about dependencies, version numbers, or the package's source. This means that traditional container scanning tools that rely on manifests for analysis will have significant visibility gaps, and that new processes and tooling are needed to mitigate the associated risks properly.

The average container had 604 known vulnerabilities in its underlying software components, with over 45 percent of them between two and more than 10 years old. NetRise threat intelligence finds that over four percent of the 16,557 identified CVEs with a critical or high CVSS severity ranking were weaponized vulnerabilities: ones known to be used by botnets, to spread ransomware, by threat actors, or in known attacks.

In addition, the research found an average of 4.8 misconfigurations per container, including 146 'world writable and readable directories outside tmp.' The containers also had overly permissive identity controls, with an average of 19.5 usernames per container.
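As an added illustration of the two misconfiguration classes just mentioned (not code from NetRise or its report), the following script audits an image filesystem that has already been unpacked to a directory: it lists directories that are writable by everyone outside /tmp and /var/tmp, and counts the accounts defined in etc/passwd. The sample rootfs it builds is constructed here for a dry run and is not data from the report.

```python
import os
import stat
import tempfile

# Sticky temp trees are expected to be world-writable and are excluded.
TMP_DIRS = ("tmp", "var/tmp")


def world_writable_dirs(rootfs: str) -> list[str]:
    """Directories (as absolute in-image paths) writable by 'other',
    skipping /tmp and /var/tmp and everything beneath them."""
    found = []
    for dirpath, dirnames, _ in os.walk(rootfs):
        rel = os.path.relpath(dirpath, rootfs).replace(os.sep, "/")
        if rel == ".":
            rel = ""
        if rel in TMP_DIRS or rel.startswith(tuple(d + "/" for d in TMP_DIRS)):
            dirnames[:] = []  # do not descend into the temp tree
            continue
        if os.lstat(dirpath).st_mode & stat.S_IWOTH:
            found.append("/" + rel)
    return sorted(found)

def usernames(rootfs: str) -> list[str]:
    """Account names from etc/passwd inside the rootfs (empty if absent)."""
    names = []
    try:
        with open(os.path.join(rootfs, "etc", "passwd"), encoding="utf-8",
                  errors="replace") as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#"):
                    names.append(line.split(":", 1)[0])
    except FileNotFoundError:
        pass
    return names

def build_sample_rootfs() -> str:
    """Constructed sample rootfs (not data from the report) for a dry run."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    for d, mode in (("tmp", 0o1777), ("var/tmp", 0o1777), ("app/cache", 0o777),
                    ("opt/data", 0o777), ("usr/bin", 0o755)):
        os.makedirs(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n# comment line\n"
                 "app:x:1000:1000::/app:/bin/sh\nnobody:x:65534:65534::/:/sbin/nologin\n")
    return root
```

On the constructed sample, `world_writable_dirs` reports /app/cache and /opt/data while ignoring the two sticky temp directories, and `usernames` returns three accounts; point both functions at a real unpacked image root to get the per-container numbers the report counts.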

The full report is available from the NetRise site.

Image credit: Arwagula/Dreamstime.com

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.