NetRisethe company providing granular visibility into the world’s software — helping companies inventory and control software assets and detect and respond to software risks — announced its newest report, Supply Chain Visibility & Risk Study, Edition 2: Containers. The report takes a deep dive into actual software compositions, vulnerability risks, and non-CVE risks in different asset classes in every organization’s software supply chain. This report, Edition 2, delves into the scope and scale of the components and risks found across 70 of the most commonly downloaded Docker Hub container images.

CyberTech Insights and News: ManTech Earns Perfect CMMC 2.0 Cybersecurity Score

“The adoption of container technology is rapidly growing, largely because it is lightweight and easy to manage. However, while containers have changed how many modern applications are designed, deployed, and managed, they appear to be among the weakest cybersecurity links in the software supply chain,” said Thomas Pace, CEO of NetRise. “With software supply chain attacks seeing triple-digit increases, our goal is to educate and build awareness with CISOs and enterprise security professionals around the scope and scale of software risks that likely exist within their software supply chains. We want to empower enterprises with software transparency so they can take proactive steps to secure their software ecosystems.”

Containers are the fastest growing – and weakest cybersecurity link – in software supply chains. Companies need help to get container security right. Issues from misconfigured clouds, containers, and networks to uncertainty over who owns container security throughout the software’s lifecycle persist. And yet, according to a 2022 Anchore report, enterprises plan to expand container adoption over the next 24 months, with 88% planning to increase container use and 31% planning to increase container use significantly. However, as of 2024, we are starting to see a recognition of container security issues, as a recent report by Red Hat indicates that 67% of organizations have delayed or slowed down application deployment due to security concerns related to containers and Kubernetes.

The increasing reliance on containerized applications comes with two cybersecurity challenges:

  1. The need to maintain visibility of the detailed software components in containers and their provenance and
  2. Identifying and prioritizing vulnerabilities and risks within the containers’ components.

The report’s key findings include:

  • Containerized software is complex. NetRise researchers analyzed 70 randomly selected container images from 250 of Docker Hub’s most commonly downloaded images and generated a detailed Software Bill of Materials (SBOM). They found that, on average, each container image had 389 software components.
  • New visibility methods are needed. NetRise found that 1 in 8 components had no software manifest—they lacked the formal metadata typically found in manifests, as well as details about dependencies, version numbers, or the package’s source. This means that traditional container scanning tools that rely on manifests for analysis will have significant visibility gaps, requiring new processes and tooling to mitigate the associated risks properly.
  • Container risks are higher than commonly understood. The average container had 604 known vulnerabilities in the underlying software components, with over 45% being 2 to 10-plus years old. NetRise threat intelligence found that over 4% of the 16,557 identified CVEs with a Critical or High CVSS Severity ranking were weaponized vulnerabilities known by botnets to spread ransomware, used by threat actors, or used in known attacks. Additionally, NetRise found 4.8 misconfigurations per container, including 146 “world writable and readable directories outside tmp,” the containers had overly permissive identity controls with an average of 19.5 usernames per container.

It’s time to move beyond blind trust in your software. The lack of transparency within the software supply chain is business-critical for organizations worldwide. The bottom line is that transparency into the contents of commercial software, including containerized software, is essential. As a starting point, organizations need comprehensive visibility in their software to understand the scope, scale, and related risks. Advanced technology can provide organizations with much-needed insights to enrich and feed asset discovery, vulnerability management, and intrusion detection tools used within security operations with detailed SBOM development for all software, detection of vulnerabilities and non-CVE risks, and prioritization of all identified software supply chain risks.

CyberTech Insights and News: Advanced Networks Boosts Orange County IT Cybersecurity

To share your insights, please write to us at news@intentamplify.com

Source – PRnesswire