Log4j, perhaps more than any other recent security issue, has brought software supply chain security to the forefront of attention. The topic has even garnered the attention of the White House. Despite the widespread awareness of the critical importance of establishing a trustworthy and secure software supply chain, many technology executives still struggle with how to effectively implement a strategy around it.
The number of CVEs (Common Vulnerabilities and Exposures) continues to rise steadily, and it is rare to find a container that is free of all vulnerabilities. Some of these vulnerabilities may even exist in libraries that are not used during production, but nonetheless pose a risk.
In their latest Container Report, Slim.ai reveals that the average organization deploys over 50 containers from various vendors each month, with almost 10% deploying more than 250. However, only 12% of the surveyed security leaders reported that they were successfully achieving their vulnerability remediation goals. The remaining responses ranged from struggling greatly to seeing significant room for improvement. Additionally, there is often disagreement between vendors and buyers over which CVEs in a container actually require patching.
As Ayse Kaya, Slim.ai’s VP for Strategic Insights and Analytics, explained, the communication between buyers and vendors typically involves exchanging spreadsheets and having ad hoc meetings between security groups. According to Slim.ai’s report, which was created in collaboration with research firm Enterprise Strategy Group, 75% of organizations still use this method to exchange information with vendors, despite 84% of security leaders indicating a desire for a centralized collaboration platform for managing vulnerabilities. For now, it seems that emailing spreadsheets back and forth remains the norm.
All of this ultimately leads to inefficiencies. The majority of organizations surveyed reported having six or more specialists dedicated to vulnerability remediation, with a quarter of respondents employing over 10. One of the major issues in the industry is the high percentage (over 40%) of false positive alerts received by these teams, often for libraries that are part of a container but not actually used in production. To combat this, Kaya strongly promotes the practice of creating minimal container images. In fact, this could be viewed as a best practice, as it reduces the attack surface and decreases the number of false positives.
However, it’s not just security teams that are impacted by these vulnerabilities. The efforts to address them also slow down the overall development process. Most companies report experiencing disruptions multiple times a week due to the detection of a vulnerability in a production container. According to Slim.ai’s report, the average container is now affected by 311 CVEs (up from 282 in 2022) and sees a new release approximately every 11 days. This means more work, more interruptions, and more coordination with vendors to address and resolve these issues.
