NetRise Releases Supply Chain Visibility & Risk Study, Edition 2: Containers, Revealing Signicant Visibility and Risk Challenges within Common Containers

New research finds containers have over 600 vulnerabilities a piece on average.

AUSTIN, Texas, Dec. 10, 2024 -- NetRise, the company providing granular visibility into the world's software — helping companies inventory and control software assets and detect and respond to software risks — announced today its newest report, Supply Chain Visibility & Risk Study, Edition 2: Containers. The report takes a deep dive into actual software compositions, vulnerability risks, and non-CVE risks in different asset classes in every organization's software supply chain. This report, Edition 2, delves into the scope and scale of the components and risks found across 70 of the most commonly downloaded Docker Hub container images.

"The adoption of container technology is rapidly growing, largely because it is lightweight and easy to manage. However, while containers have changed how many modern applications are designed, deployed, and managed, they appear to be among the weakest cybersecurity links in the software supply chain," said Thomas Pace, CEO of NetRise. "With software supply chain attacks seeing triple-digit increases, our goal is to educate and build awareness with CISOs and enterprise security professionals around the scope and scale of software risks that likely exist within their software supply chains. We want to empower enterprises with software transparency so they can take proactive steps to secure their software ecosystems."

Containers are the fastest growing - and weakest cybersecurity link - in software supply chains. Companies need help to get container security right. Issues from misconfigured clouds, containers, and networks to uncertainty over who owns container security throughout the software's lifecycle persist. And yet, according to a 2022 Anchore report, enterprises plan to expand container adoption over the next 24 months, with 88% planning to increase container use and 31% planning to increase container use significantly. However, as of 2024, we are starting to see a recognition of container security issues, as a recent report by Red Hat indicates that 67% of organizations have delayed or slowed down application deployment due to security concerns related to containers and Kubernetes.

The increasing reliance on containerized applications comes with two cybersecurity challenges:

1. The need to maintain visibility of the detailed software components in containers and their provenance and
   
   
2. Identifying and prioritizing vulnerabilities and risks within the containers' components.
   
   

The report's key findings include:

• Containerized software is complex. NetRise researchers analyzed 70 randomly selected container images from 250 of Docker Hub's most commonly downloaded images and generated a detailed Software Bill of Materials (SBOM). They found that, on average, each container image had 389 software components.
  
  
• New visibility methods are needed. NetRise found that 1 in 8 components had no software manifest—they lacked the formal metadata typically found in manifests, as well as details about dependencies, version numbers, or the package's source. This means that traditional container scanning tools that rely on manifests for analysis will have significant visibility gaps, requiring new processes and tooling to mitigate the associated risks properly.
  
  
• Container risks are higher than commonly understood. The average container had 604 known vulnerabilities in the underlying software components, with over 45% being 2 to 10-plus years old. NetRise threat intelligence found that over 4% of the 16,557 identified CVEs with a Critical or High CVSS Severity ranking were weaponized vulnerabilities known by botnets to spread ransomware, used by threat actors, or used in known attacks. Additionally, NetRise found 4.8 misconfigurations per container, including 146 "world writable and readable directories outside tmp," the containers had overly permissive identity controls with an average of 19.5 usernames per container.
  
  

It's time to move beyond blind trust in your software. The lack of transparency within the software supply chain is business-critical for organizations worldwide. The bottom line is that transparency into the contents of commercial software, including containerized software, is essential. As a starting point, organizations need comprehensive visibility in their software to understand the scope, scale, and related risks. Advanced technology can provide organizations with much-needed insights to enrich and feed asset discovery, vulnerability management, and intrusion detection tools used within security operations with detailed SBOM development for all software, detection of vulnerabilities and non-CVE risks, and prioritization of all identified software supply chain risks.

To download the full report, visit NetRise Supply Chain Visibility & Risk Study - Edition 2.

Methodology

NetRise analyzed 70 randomly selected container images from the 250 most commonly downloaded images on Docker Hub. The scope of the research includes a comprehensive analysis of the software embedded in the containers leveraging the leading compiled code analysis capabilities of the NetRise Platform. The research methodology provides a detailed and holistic understanding of the software components and software risks associated with each containerized application. The following steps outline the research process:

• Software Bill of Materials (SBOM) Analysis: To gain complete visibility into the components that constitute the software running within each container, the NetRise Platform generated detailed SBOMs for each container. This involves identifying all software components, including third-party libraries and dependencies (both direct and indirect), to understand the complete software stack.
  
  
• Vulnerability and Non-CVE Risk Assessment: To evaluate each container's risk state, considering both known vulnerabilities (CVEs) and non-CVE risks, the NetRise Platform identified vulnerabilities listed in the CVE database and non-CVE risks, such as misconfigurations, outdated components, and potential security flaws that are not yet publicly disclosed.
  
  
• Evaluate the Priority of Identified Vulnerabilities: To stratify vulnerabilities based on CVSS scores, weaponization, and network accessibility, the NetRise Platform identified weaponized vulnerabilities that are actively being exploited in the wild and those that are also network accessible to narrow the list of priority vulnerabilities.
  
  

About NetRise

Based in Austin, Texas, NetRise was built by defensive cyber experts bred across the private sector, intelligence community, and U.S. federal government to solve the software supply chain security problem. The company is partnering with companies across manufacturing, automotive, medical devices, industrial control systems, satellites, and many more. https://www.netrise.io/

Media Contact:

Danielle Ostrovsky
Hi-Touch PR
410-302-9459
ostrovsky@hi-touchpr.com

View on PR Newswire