Software security strains under supply chain complexity, Slim.AI reveals
Organisations are struggling to keep up with vulnerabilities amid software supply chain complexity, as revealed by the recent annual Container Report by start-up Slim.AI.
The report disclosed that over 40% of companies remain in a reactive mode to address critical security findings in applications and containers. Despite the allocation of significant resources, only a mere 12% of organisations profess to meet their remediation targets successfully.
The Container Report reviews the past year through Slim's internal analysis of public container images across all major public repositories. Key findings in the report come from a survey of IT security and software engineering professionals in large organisations, conducted in collaboration with Enterprise Strategy Group (ESG) to understand how those organisations are coping with software supply chain security complexity.
The report highlighted that vulnerability remediation proved challenging for most: only 12% of security leaders claim to have achieved their remediation targets.
The communication overhead of securing containers across organisational boundaries burdens both producers and consumers, with 63% struggling to manage multiple software producers and 67% observing that external container images enlarge their attack surface. This underscores the need for a better collaboration platform for managing vulnerabilities, a sentiment echoed by 84% of security leaders.
The report also revealed that a staggering 75% of organisations merely shared vulnerability spreadsheets with their vendors' security operations teams, indicating a glaring need for more effective communication methods.
Furthermore, 'alert fatigue' from frequent vulnerability alerts and a high rate of false positives is a growing issue. As many as 44% of organisations reported encountering vulnerabilities in production systems that required immediate attention several times a week, while 36% detected them daily.
Melinda Marks, Practice Director of Cybersecurity for ESG, commented, "Vulnerability management challenges across the increasingly complex software supply chain have been unveiled in the study. This issue raises significant concerns as attackers tend to target areas susceptible to errors or carelessness."
The study also noted a 39% increase in Common Vulnerabilities and Exposures (CVE) counts in 2023, consistent with the growing alert fatigue concern within organisations. The simultaneous acceleration of open-source package updates, container releases, and incident response over the past year has not stemmed this tide.
Regulatory pressure is another key challenge. One out of three organisations struggles with evolving compliance and regulatory guidelines, with 85% having to put in extra work to align with executive orders.
The report further cautioned that failing to effectively manage vulnerabilities in containers could impact business innovation, performance, productivity, and team dynamics. In fact, 46% of organisations experienced performance issues and downtime due to ineffective vulnerability remediation.
Slim.AI's vice president of strategy and analytics, Ayse Kaya, commented on the study stating, "Software engineering and security teams far too often find themselves playing defence against an unrelenting flood of security challenges. Our report delves into the challenges that complicate vulnerability remediation between those exchanging software."