Log4j, perhaps more than any other security issue in recent years, has brought software supply chain security to the fore, even the white house However, even though almost every technology executive is at least aware of the importance of building a reliable and secure software supply chain, most continue to struggle with how best to implement a strategy around it.
The number of CVE (Common Vulnerabilities and Exposures) continues to grow at a steady rate and there is a container out there that does not include at least some vulnerabilities. Some of these may be in libraries that aren’t even used when the container is in production, but are still vulnerabilities.
Image Credits: Slim.ai
According Slim.aithe most recent Container exhibition, the average organization now deploys over 50 containers from its vendors each month (and nearly 10% deploy more than 250). However, only 12% of security leaders responding to Slim.ai’s survey said they were able to meet their own vulnerability remediation goals. All others say they struggle “a lot” or see significant room for improvement. And while all of these organizations are pushing their vendors to improve their security posture and deliver, vendors and buyers often can’t even agree on which CVEs actually need patching in a container.
As Ayse Kaya, Slim.ai’s vice president of Strategic Insights and Analytics, told me, interaction between buyers and suppliers is often still driven by the exchange of spreadsheets and ad hoc meetings between security teams. According to the company’s report, which it created in partnership with research firm Enterprise Strategy Group, this is still how 75% of organizations exchange information with their suppliers, even as nearly all security leaders (84 %) would try to see a central collaborative platform for vulnerability management. For now, though, it seems that emailing spreadsheets back and forth remains state of the art.
Image Credits: Slim.ai
All this inevitably leads to inefficiency. The majority of organizations responding to the survey said they employ six or more experts focused on vulnerability remediation (with a quarter of respondents employing more than 10). One of the major problems in the industry is that more than 40% of the alerts these groups receive are false positives — often for libraries that may be part of a container but are not used in production. Because of this, Kaya for example is very supportive of creation minimal container images. One could argue that this should be a best practice anyway, as it creates a smaller attack surface and reduces false positives.
It’s not just security teams that have to deal with these vulnerabilities, though, of course. All these efforts also slow down the overall development process. Most companies see some downtime several times a week because they find a vulnerability in a production container, for example. According to Slim.ai’s report, the average container now sees a new release roughly every 11 days, and the average container is now affected by 311 CVEs (up from 282 in 2022). All of this means more work, more downtime, and more effort spent working with vendors to fix them.
