The vast majority of software container users are unaware of crucial security principles that underline the urgency for runtime controls, according to a new study released today by cloud-native security company Aqua Security Software Ltd.

The 2021 Cloud Native Security Practitioner study, based on a survey of 150 cloud-native security practitioners and executives from information technology, security and DevOps teams, found that only 3% of respondents recognize that a container, in and of itself, is not a security boundary. Conversely, 97% didn’t, indicating that the default security capabilities of containers are overestimated.

Only 24% of respondents have plans to deploy the necessary building blocks for runtime security, a result the study notes is especially alarming. Nearly a third of respondents said they were confident in overall holistic runtime security protection, but fewer than 23% of respondents had the necessary building blocks of runtime security in place.

The study also found a knowledge gap concerning supply chain risks. Nearly three-quarters of respondents said they believed they could stop software supply chain attacks evading static analysis, but that’s the result of an apparent misconception about the role of runtime security in achieving this protection.

“There is concerning overconfidence in the perceived ability to prevent supply chain attacks,” Amir Jerbi, co-founder and chief technology officer at Aqua Security, said in a statement. “The reality is that runtime security is essential because sophisticated supply chain attacks evade static analysis.”

Referencing a previous report where Aqua Security found that attackers are becoming more proficient at hiding their methods and evading static scanning, Jerbi noted that “we see unnamed attackers use legitimate vanilla images to download malicious elements at runtime, Kinsing malware that only downloads in runtime, and attackers like Team TNT who hide their malicious communications attacking our honeypots on daily basis.”

Jerbi added that holistic cloud-native security should be the goal. “It is not just about runtime security or any other one focus area,” he said. “It is about ensuring the entire application life cycle is covered, from the build to the infrastructure and the workloads.”

Image: Aqua Security