NetRise announces its newest report, Supply Chain Visibility & Risk Study, Edition 2: Containers. The report takes a deep dive into actual software compositions, vulnerability risks and non-CVE risks in different asset classes in every organization's software supply chain. This report, Edition 2, delves into the scope and scale of the components and risks found across 70 of the most commonly downloaded Docker Hub container images.
"The adoption of container technology is rapidly growing, largely because it is lightweight and easy to manage. However, while containers have changed how many modern applications are designed, deployed, and managed, they appear to be among the weakest cybersecurity links in the software supply chain," says Thomas Pace, CEO of NetRise. "With software supply chain attacks seeing triple-digit increases, our goal is to educate and build awareness with CISOs and enterprise security professionals around the scope and scale of software risks that likely exist within their software supply chains. We want to empower enterprises with software transparency so they can take proactive steps to secure their software ecosystems."
Key Takeaways:
- Containerized software is complex. NetRise researchers analyzed 70 randomly selected container images from 250 of Docker Hub's most commonly downloaded images and generated a detailed Software Bill of Materials (SBOM). They found that, on average, each container image had 389 software components.
- New visibility methods are needed. NetRise found that 1 in 8 components had no software manifest—they lacked the formal metadata typically found in manifests, as well as details about dependencies, version numbers, or the package's source. This means that traditional container scanning tools that rely on manifests for analysis will have significant visibility gaps, requiring new processes and tooling to mitigate the associated risks properly.
- Container risks are higher than commonly understood. The average container had 604 known vulnerabilities in its underlying software components, and over 45% of them were 2 to 10-plus years old. NetRise threat intelligence found that over 4% of the 16,557 identified CVEs with a Critical or High CVSS Severity ranking were weaponized: used by botnets to spread ransomware, used by threat actors, or used in known attacks. NetRise also found an average of 4.8 misconfigurations per container, including 146 "world writable and readable directories outside tmp," and overly permissive identity controls, with an average of 19.5 usernames per container.
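As an added example (not NetRise's tooling or methodology), the two misconfiguration checks named in the last takeaway, run over a constructed stand-in for an unpacked image root filesystem: world-writable directories outside the scratch paths, and the accounts in /etc/passwd, flagging interactive shells and duplicate uid 0. The excluded paths, the shell list and the sample rootfs contents are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Scratch locations where world-writable (sticky) dirs are expected; assumption.
SCRATCH_DIRS = ("tmp", "var/tmp")
# Shells that deny interactive login; assumption, extend for your base images.
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def world_writable_dirs(root: str, exclude=SCRATCH_DIRS) -> list[str]:
    """Directories under an unpacked rootfs with the other-write bit set,
    skipping (and not descending into) the excluded scratch paths."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if rel == ".":
            continue
        if any(rel == e or rel.startswith(e + os.sep) for e in exclude):
            dirnames[:] = []  # prune: do not walk into scratch trees
            continue
        mode = os.lstat(dirpath).st_mode
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            found.append(rel)
    return sorted(found)


def passwd_accounts(root: str) -> dict:
    """Count accounts in etc/passwd and flag the ones that matter most:
    interactive shells and any extra uid-0 accounts."""
    users, interactive, uid0 = [], [], []
    for line in (Path(root) / "etc" / "passwd").read_text().splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 7:
            continue
        name, _, uid, _, _, _, shell = fields[:7]
        users.append(name)
        if shell not in NOLOGIN_SHELLS:
            interactive.append(name)
        if uid == "0":
            uid0.append(name)
    return {"count": len(users), "interactive": interactive, "uid0": uid0}


def build_sample_rootfs() -> str:
    """Constructed fixture: a tiny image layer with two real findings."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    layout = [("tmp", 0o1777), ("var", 0o755), ("var/tmp", 0o1777), ("etc", 0o755),
              ("app", 0o755), ("app/cache", 0o777), ("app/uploads", 0o777)]
    for rel, mode in layout:  # parents are listed first so every mode is explicit
        p = Path(root, rel); p.mkdir(exist_ok=True); p.chmod(mode)
    (Path(root) / "etc" / "passwd").write_text(
        "root:x:0:0:root:/root:/bin/bash\n"
        "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
        "app:x:1000:1000::/app:/bin/sh\n"
        "toor:x:0:0::/root:/bin/sh\n")
    return root
```

On a real image, point both functions at the directory produced by exporting and untarring the container filesystem (for example `docker export`), not at the host root.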