Organizations increasingly embrace software containers despite a lack of confidence in their ability to defend them against cyberattacks, according to consultants at the CyberEdge Group.
Containers allow users to build and move applications along with all their related information and dependencies in a single, portable package.
“It’s easy to understand why ‘containers’ is rated as the most-challenging IT security component to defend three years in a row,” Steve Piper, the firm’s CEO, told Nextgov, referring to an annual survey published Tuesday of 1,200 public- and private-sector IT professionals based mostly in the U.S.
Government entities like the Defense Department and the National Institutes of Health that make and manage applications have relied on containers to provide increased interoperability and ease of use. But vendors of the tech are often looking to allay and address associated cybersecurity concerns.
“Adoption of container platforms by enterprises is exploding,” not just because of the efficiencies and flexibility they offer, but because the technology promises to embed security into the development operations process, “culminating in a DevSecOps mentality,” Piper said.
Typically, software developers design an application and security is considered afterward, he said. But the ideal is not served if security personnel aren’t available to work alongside the development team. The Cyberthreat Defense Report draws attention to the global cybersecurity workforce shortage.
“Unfortunately, in many instances, DevOps assumes the lead role for securing container-based applications, [and is] unequipped to fully understand their unique security challenges,” Piper said. “Couple this with a shortage of qualified DevSecOps engineers, and you’ve got yourself a bona fide security challenge.”
Coming in second and third respectively in the firm’s survey for the toughest environments to secure were industrial control systems, which rely on older technology that wasn’t built with cybersecurity in mind, and the sprawling internet of things, which includes mobile devices that IT professionals don’t have complete control over.