SJ Technologies[1] partnered with Sonatype[2] for the DevSecOps Community 2018 Survey. The survey was wildly popular, receiving answers from more than 2,000 respondents representing a wide range of industries, development practices, and responsibilities. One-third of respondents (33%) came from the technology industry, and banking and financial services was the second most represented group (15%). 70% of all respondents were using a container registry. With so many respondents utilizing containers, a deeper dive into container security is in order.
The numbers don't lie
Looking at year-over-year data, the percentage of respondents who reported using container and application security tooling more than doubled: in 2017, only 23% had tooling in place, compared to 56% in 2018. Container security is quickly becoming a segment ripe for standardization and simplification. Given the recent explosive growth of Kubernetes[3] and the creation of new container runtimes in the past year, this should not come as a surprise.
What is surprising is that most organizations are using more than one container registry. Most respondents use a private Docker registry, followed by AWS ECR and Sonatype Nexus. Red Hat OpenShift and JFrog Artifactory were also well represented. There are many ways to put registries to use, and some registries differ considerably from others, so wiring security tooling into several of them at once can make for a convoluted pipeline if it is not thought through. Thankfully, most registries expose the same Docker Registry HTTP API V2, so one integration that resolves tags, pulls manifests and fetches layers by digest can be reused across all of them; only the authentication step differs from registry to registry.
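The following is an added example, not code from the survey write-up or from any of the vendors it names. It is the one client a scanning step needs for a private Docker registry, ECR, Nexus, Artifactory or the OpenShift registry, because all of them speak the Registry HTTP API V2: resolve a tag to a manifest, verify that the manifest bytes match the digest the registry advertised, and list the blobs (config plus layers) the scanner has to pull. The hostname `registry.example.internal`, the repository `team/app` and every digest in the sample manifest are placeholders constructed for the example.

```python
# Added example: one Docker Registry HTTP API V2 client for every registry
# in the survey. Credentials are passed in as a ready Authorization header
# because obtaining them is the only step that differs between registries.
import hashlib
import json
import urllib.request

# Manifest media types to accept. Without these the registry may fall back to
# the legacy schema1 format, whose digest is computed differently.
ACCEPT = ", ".join([
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
])


def manifest_url(registry: str, repository: str, reference: str) -> str:
    """V2 manifest endpoint; `reference` is either a tag or a sha256 digest."""
    return f"https://{registry}/v2/{repository}/manifests/{reference}"


def content_digest(manifest_bytes: bytes) -> str:
    """Digest of the manifest exactly as served. Any re-serialisation
    (pretty-printing, a trailing newline) yields a different digest."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def digest_matches(manifest_bytes: bytes, header_digest: str) -> bool:
    """True if the registry's Docker-Content-Digest header matches the body."""
    return header_digest == content_digest(manifest_bytes)


def parse_manifest(manifest_bytes: bytes) -> dict:
    """Decode the manifest JSON (kept separate so the raw bytes stay available)."""
    return json.loads(manifest_bytes)


def blob_digests(manifest: dict) -> list:
    """Blobs a scanner must fetch: the config object plus every layer.
    For a manifest list (multi-arch index) return the per-platform manifest
    digests instead; each must then be fetched by digest and expanded again."""
    if "manifests" in manifest:  # manifest list / OCI index
        return [m["digest"] for m in manifest["manifests"]]
    return [manifest["config"]["digest"]] + [layer["digest"] for layer in manifest["layers"]]


def fetch_manifest(registry: str, repository: str, tag: str, auth_header: str = None):
    """Resolve a tag to (digest, manifest). Refuses a body whose bytes do not
    match the digest the registry advertised in Docker-Content-Digest."""
    req = urllib.request.Request(manifest_url(registry, repository, tag),
                                 headers={"Accept": ACCEPT})
    if auth_header:
        req.add_header("Authorization", auth_header)
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
        advertised = resp.headers.get("Docker-Content-Digest")
    if advertised and not digest_matches(body, advertised):
        raise ValueError(f"{repository}:{tag}: body does not match {advertised}")
    return advertised or content_digest(body), parse_manifest(body)


# Constructed sample manifest; the digests are placeholders, not real images.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1469, "digest": "sha256:" + "c0" * 32},
    "layers": [
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 2797541, "digest": "sha256:" + "1a" * 32},
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 4711, "digest": "sha256:" + "2b" * 32},
    ],
}, separators=(",", ":")).encode()


if __name__ == "__main__":
    # Offline demonstration on the constructed manifest.
    digest = content_digest(SAMPLE_MANIFEST)
    print("pinned reference:", manifest_url("registry.example.internal", "team/app", digest))
    print("blobs to scan:", blob_digests(parse_manifest(SAMPLE_MANIFEST)))
    # Live call (needs network and credentials), e.g. against a private registry:
    # fetch_manifest("registry.example.internal", "team/app", "1.4.2", "Bearer <token>")
```

The digest check matters because a tag is mutable: a scan result is only meaningful for the digest it was run against, so pipelines should record and pin that digest rather than the tag. The authentication header is the one registry-specific piece: ECR takes HTTP Basic credentials obtained from the AWS CLI, while the others hand out a Bearer token from the endpoint named in their `WWW-Authenticate` challenge.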
Containers require a different approach to security than VMs.
When asked "Do you leverage security products to identify vulnerabilities in containers?" almost half of all respondents said they do. When factoring in only results from respondents who consider themselves part of "mature DevOps processes," almost