Organizations struggle greatly to keep up with vulnerabilities amid software supply chain complexity, with more than 40% still in reactive mode
Discussions about software supply chain security have moved up to the board-level, and yet few organizations know exactly how to address security in the upstream dependencies of the applications and the containers they run in production. Despite dedicating significant resources to fight the influx of vulnerabilities, only 12% of organizations say they successfully meet their remediation goals, while 40% say teams are mostly in reactive mode.
These are among the stark findings of the third annual Container Report published today by Slim.AI (Slim), the Boston-based startup focused on building a collaborative platform for vulnerability remediation in containers.
The 2023 Container Report provides a reflection of the past year based on Slim’s internal analysis of public container images across all major public repositories. In addition, the report shares the findings of a survey of security and software engineering professionals at large organizations on how they are dealing with software supply chain security complexity. The survey was conducted in partnership with Enterprise Strategy Group (ESG).
CIO INFLUENCE News: ACL Digital at CES 2024: Driving Innovation to Deliver Digital Excellence
Key findings of the report include:
1. The Struggle Is Real In Vulnerability Remediation
Only 12% of security leaders claimed to have achieved their vulnerability remediation goals, with 40% admitting a mostly reactive approach in IT operations, security and DevOps teams.
2. Software Supply Chain Security is a Team Sport
Companies typically get software containers from dozens of vendors, exchanging hundreds of containers each month. The communication overhead to secure containers across company lines strains both sides, with 63% struggling to manage multiple software producers and 67% noting that external container images increase their attack surface.
3. The Spreadsheet Must Die: New Communication Norms Required in Vulnerability Remediation
Simply sharing a vulnerability spreadsheet with your vendor’s SecOps team is a normal practice in today’s consumer-producer relationship. An alarming 75% of organizations are doing this, while 63% hold tedious ad-hoc meetings with vendors. Security leaders are loud and clear in their desire to have a centralized collaboration platform for managing vulnerabilities (84%).
4. Alert Fatigue and False Positives
Organizations are inundated with frequent vulnerability alerts and a high rate of false positives, leading to alert fatigue. Forty-four percent of organizations encounter vulnerabilities in production systems that must be addressed immediately several times a week, with 36% detecting them daily. The plurality of organizations estimate that more than 4 in 10 vulnerability alerts are false positives.
These results correlate with Slim data on public containers. In 2023, CVE counts jumped up by 39%, despite significant acceleration in open-source package updates, container releases and incident response from last year.
5. Increasing Regulatory Pressure
One in three organizations grapples with evolving compliance and regulatory guidelines, with 85% doing extra work to comply with Executive Orders, adding layers of complexity for IT teams.
6. The Real Cost of Vulnerabilities: Hampered Innovation and Growth
Vulnerability backlogs hamper business innovation, performance, productivity and team dynamics. For example, 46% of organizations experience performance issues and downtime as a result of a failure to effectively remediate vulnerabilities in containers.
CIO INFLUENCE News: LogRhythm Product Innovation Prioritizes its Efficiency for High-Performing Security Teams
“As organizations across industries leverage development with containers and cloud services to deliver and use powerful applications, the research revealed vulnerability management challenges across the increasingly complex software supply chain,” said Melinda Marks, practice director, cybersecurity for ESG. “This is a growing concern as attackers are likely to target areas where there is a high chance for mistakes or carelessness. The good news is that there are opportunities for risk burndown if you can manage your software supply chain and eliminate unneeded code components to mitigate vulnerability.”
The public is invited to participate in a more detailed review of the findings during a January 9 webinar to be hosted by Ayse Kaya, vice president of strategy and analytics at Slim and the report’s lead author. Kaya will be joined by Marks and Slim co-founder and CEO John Amaral.
“A customer of ours recently told us that, ‘Software supply chain security is like AI: Everyone is doing it and no one knows what it is,’ and our 2023 Public Container Report underscores just how true that is,” said Kaya. “Software engineering and security teams far too often find themselves playing defense against an unrelenting flood of security challenges. Our report delves into the challenges that complicate vulnerability remediation between those exchanging software, with an in-depth analysis of container data supplemented by a survey of IT professionals. The findings lend hope that communication and cooperation between software producers and users all along the supply chain can help to transform the daunting complexity of container vulnerability management into opportunities for growth and resilience.”
CIO INFLUENCE News: IGEL Unveils Game-Changing Approach to the Secure Endpoint OS for Now & Next, Releases Dates for IGEL DISRUPT 24
[To share your insights with us, please write to sghosh@martechseries.com]
