Security News > 2020 > February > Less Than Half of Vulnerabilities in Popular Docker Images Pose Risk: Study
Cloud security company Rezilion has analyzed some of the most popular Docker container images and determined that while they include many vulnerabilities, less than half of these flaws pose an actual risk.
Rezilion's researchers have analyzed 20 of the most popular container images hosted on DockerHub, the largest library and community for container images.
The analysis revealed that packages containing 60% of the identified vulnerabilities were never actually loaded so they did not pose a risk.
The February review showed that 67% of the vulnerabilities rated "High severity" based on their CVSS scores were never loaded into memory, and in November the percentage was 75%. "If one were prioritizing vulnerability management based on CVSS scores, they would run the risk of spending upward of 70% of their time and effort on vulnerabilities that posed no risk to their production environment," Rezilion explained in a report shared with SecurityWeek.
In the case of containers, Rezilion says a CARTA strategy involves identifying the business importance and criticality for services used in production, identifying vulnerabilities that are actually running in them, prioritizing vulnerabilities that have no defenses or compensating controls, and prioritizing flaws commonly targeted by hackers and malware while also considering the criticality of the asset and its external exposure.