UPDATED 21:24 EDT / JUNE 18 2018

Lacework study highlights software container vulnerabilities

New research shows that hundreds of organizations are deploying software containers in the public cloud without securing them first.

Software containers, which developers use to build applications once and run them in any computing environment, provide benefits such as agility, scaling and rapid response to continuous change. But the scaling of containers in production environments is exposing these apps to new security risks, according to a new study by Lacework Inc., which provides automated security services for Amazon Web Services Inc.’s public cloud platform.

The cloud security firm said it had seen an explosion in the use of container orchestration and application programming interface tools that could serve as “attack points.”

Altogether, the company said, it has found more than 21,000 container and API tools with potential vulnerabilities. The tools, hosted on public cloud platforms such as AWS, Google Cloud Platform and OVH (a French cloud services provider), include de facto standards such as Kubernetes and Docker Swarm. Most of the vulnerabilities stem from poorly configured resources, a lack of user credentials and insecure protocols, it said.

Lacework said the findings of its study highlight the need for better “security guardrails” in addition to regular container isolation techniques.

The vulnerabilities included more than 300 container management clusters being hosted in the open with no authentication in place, providing “virtually complete access” to anyone who cared, Lacework said. No authentication means that the cluster’s administrative dashboards can be accessed by anyone without using any security credentials. Lacework also found numerous instances where it was possible to perform remote code execution via APIs.

The company said that hackers could exploit these container vulnerabilities to gain access to servers, privileged accounts and administrative passwords.

“We noticed an alarming number of systems with no authentication whatsoever,” Lacework reported. “Some were clearly in the midst of being set up, but some were in full production. In cases where full access was available, one can perform operations like add and deploy their own applications, delete infrastructure, change credentials and potentially exfiltrate data.”

By leaving these interfaces exposed, organizations face a “huge potential for risk to their data and cloud infrastructure,” Lacework said.

The security firm said its findings highlight the need for information technology administrators to determine what is an acceptable level of external visibility into their container deployments, in addition to the need for stricter access controls.

Image: Paul Townsend/Flickr
