87% of Container Images in Production Have Critical or High-Severity Vulnerabilities

At the recent CloudNativeSecurityCon in Seattle, 800 DevSecOps practitioners gathered to address myriad software supply chain security issues, including the security of container images and the impact of zero trust on the software supply chain.

As of 2022, there were 7.1 million cloud-native developers, 51% more than the 4.7 million 12 months earlier, said Cloud Native Computing Foundation executive director Priyanka Sharma in the opening keynote. "Everyone is becoming a cloud-native developer," Sharma said.

However, this rapid shift to cloud-native development can be a source of concern because the rapid release cycles may lead to organizations not following secure life cycle development (SDLC) practices, Sharma warned. Snyk's "State of Cloud Security Report 2022" found that 77% of organizations acknowledged that they have poor training and lack effective collaboration among developers and security teams.

"There are siloed teams often working in separate countries, time zones, using different tools, policy frameworks," Sharma said. "In the cloud-native environment, we are interacting with so many other entities. Throw in a lack of security policy, and there's the recipe for your security breach."

The lack of security policies is fueling an increase in vulnerabilities due to misconfigurations. An alarming 87% of container images running in production have critical or high-severity vulnerabilities, up from 75% a year ago, according to the "Sysdig 2023 Cloud-Native Security and Usage Report." Yet only 15% of those unpatched critical and high-severity vulnerabilities are in packages in use at runtime when patches are available.

Sysdig's findings are based on telemetry gathered from thousands of its customers' cloud accounts, amounting to billions of containers. The high percentage of critical or high-severity vulnerabilities in containers is the outgrowth of the rush by organizations to deploy modern cloud applications. The push has created an influx of software developers moving to the more agile continuous integration continuous development (CI/CD) programming model.

Sysdig's report recommends filtering to isolate only the critical and highly vulnerable packages in use in order to focus on those that present the most risk. Further, only 2% of the vulnerabilities are exploitable.

"By looking at what has in-use exposure, what is actually in use at runtime, and having the fix available will help teams prioritize," Sysdig threat researcher Crystal Morin told Dark Reading.

5 Elements of Zero-Trust Implementation

Sharma pointed to last year's "Cost of a Data Breach Report" from IBM and Ponemon Institute, which showed that 79% of organizations have not moved to a zero-trust environment.

"That is really not good because almost 20% of breaches are occurring because of a compromise at a business partner," Sharma said. "And keep in mind that almost half the breaches that occur are cloud-based."

A key barrier to instituting zero trust is environments where permissions are not under control. According to the Sysdig report, 90% of permissions granted are not used, creating an easy path for stealing credentials. According to the report, "teams need to enforce least privilege access, and that requires an understanding of which permissions are actually in use."

Zack Butcher, founding engineer at Tetrate and an early engineer on Google's service mesh project Istio, told attendees that creating a zero-trust environment isn't that complicated.

"Zero trust itself isn't a mystery," he said. "There's a lot of FUD [fear, uncertainty, and doubt] around what zero trust is. It's fundamentally two things: people process and runtime controls that answer and mitigate the question, 'What if the attacker is already inside that network?'"

Butcher identified five policy checks that would make up a zero-trust system:

Butcher noted that while these checks are not new, an effort is now underway to create an identity-based segmentation standard with the National Institute of Standards and Technology (NIST).

"If you look at things like API gateways and ingress gateways, we do these checks usually," he said. "But we need to be doing them, not just at the front door, but every single hop in our infrastructure. Every single time anything is communicating, we need to be applying, at minimum, these five checks."

NIST Standard Coming Up

During a breakout session, Butcher and NIST computer scientist Ramaswamy "Mouli" Chandramouli explained the five controls and how they fit into a zero-trust architecture. Tools such as a service mesh can help implement many of those controls, Butcher said.

The presentation is an outline for a proposal that will be presented as NIST SP 800-207A: "A Zero Trust Architecture (ZTA) Model for Access Control in Cloud Native Applications in Multi-Location Environments." "We expect to have this out for initial public review sometime in June," Butcher said.

Butcher said supply chain security is a critical component of a zero-trust architecture.

"If we can't inventory and attest what's running in our infrastructure, we leave a gap for attackers to exploit," he said. "Zero trust as a philosophy is all about mitigating what an attacker can do if they are in the network. The goal is bounding their attack in space and time, and controlling the applications that execute in that infrastructure is a key element of bounding the space an attacker has to work with."