Only 50% of Docker Image Vulnerabilities Pose Threats
March 2, 2020
Rezilion reported results of a comprehensive vulnerability analysis, concluding
that only half of the vulnerabilities in cloud containers ever posed a
Rezilion analyzed the top 20 most popular container images on DockerHub
and discovered that 50% of vulnerabilities were never loaded into memory
and therefore did not pose a threat, regardless of Common Vulnerability
Scoring System (CVSS) scores and despite vast resources in budget and
manpower spent on patching or mitigation. Please view a copy of the
By triaging vulnerabilities using a continuous adaptive risk and trust
assessment (CARTA) approach and then prioritizing treatment of those
that are commonly targeted, companies can significantly reduce their
security budgets or free up manpower to focus on other critical issues.
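The triage described above rests on one observable fact: a vulnerable package that is never mapped into any running process cannot be reached at runtime. As an added illustration (not Rezilion's tooling or data), the script below cross-references a scanner report against a `/proc/<pid>/maps` excerpt and keeps only the findings whose files are actually loaded, then orders those by whether they are known to be exploited in the wild and by CVSS. The findings, file paths, CVE identifiers (`CVE-0000-000x` placeholders) and the maps excerpt are all constructed sample data.

```python
"""Triage scanner findings by whether the vulnerable file is mapped into a
running process.  Added example with constructed data; it is not Rezilion's
tooling and the CVE identifiers are placeholders, not real CVEs."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    package: str
    cve: str          # placeholder identifier
    cvss: float
    exploited: bool   # "commonly targeted" flag, e.g. from a known-exploited list
    files: list       # files the package installs into the image


# Constructed scanner output for one container image.
SCAN_FINDINGS = [
    Finding("libssl", "CVE-0000-0001", 9.8, False, ["/usr/lib/x86_64-linux-gnu/libssl.so.1.1"]),
    Finding("libxml2", "CVE-0000-0002", 7.5, True, ["/usr/lib/x86_64-linux-gnu/libxml2.so.2"]),
    Finding("libpng", "CVE-0000-0003", 8.1, False, ["/usr/lib/x86_64-linux-gnu/libpng16.so.16"]),
    Finding("perl-base", "CVE-0000-0004", 5.3, False, ["/usr/bin/perl"]),
]

# Constructed /proc/<pid>/maps excerpt for the container's main process.
PROC_MAPS = """\
55d1c3a00000-55d1c3a2f000 r--p 00000000 fd:01 1234 /usr/sbin/nginx
7f3a8c000000-7f3a8c2a0000 r-xp 00000000 fd:01 2345 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f3a8c400000-7f3a8c560000 r-xp 00000000 fd:01 3456 /usr/lib/x86_64-linux-gnu/libxml2.so.2
7f3a8d000000-7f3a8d021000 rw-p 00000000 00:00 0
7ffd2e1f0000-7ffd2e211000 rw-p 00000000 00:00 0 [stack]
"""

# address perms offset dev inode pathname  (pathname absent for anonymous maps)
MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(\S.*)$")


def mapped_files(maps_text):
    """Return the set of file-backed paths mapped into the process."""
    paths = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            path = m.group(1).strip()
            if path.startswith("/"):   # drop [stack], [heap], [vdso] pseudo-paths
                paths.add(path)
    return paths


def triage(findings, maps_text):
    """Split findings into those whose files are loaded and those that are not.

    Loaded findings are ordered for treatment: known-exploited first, then by
    CVSS.  Only native files that the kernel maps are visible here; a package
    loaded later via dlopen() shows up only if maps is sampled again."""
    loaded = mapped_files(maps_text)
    in_memory, dormant = [], []
    for f in findings:
        (in_memory if any(p in loaded for p in f.files) else dormant).append(f)
    in_memory.sort(key=lambda f: (f.exploited, f.cvss), reverse=True)
    return in_memory, dormant


def dormant_fraction(findings, maps_text):
    """Share of scanner findings that were never loaded into memory."""
    _, dormant = triage(findings, maps_text)
    return len(dormant) / len(findings)


if __name__ == "__main__":
    mem, dorm = triage(SCAN_FINDINGS, PROC_MAPS)
    print("treat first:", [f.cve for f in mem])
    print("not loaded:", [f.cve for f in dorm])
    print(f"dormant share: {dormant_fraction(SCAN_FINDINGS, PROC_MAPS):.0%}")
```

In practice the maps excerpt would be read from every process in the container, and sampled over the container's lifetime rather than once, since libraries loaded on demand appear only after the code path that loads them has run. Findings that land in the "not loaded" bucket are deferred, not dismissed: the file is still in the image and becomes reachable the moment a new process or code path maps it.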
According to IDC, enterprises are spending 7-10% of their security
budget on vulnerability management as daily operations become
increasingly dependent on cloud services. Vulnerability scanners
overload and confuse security teams with mountains of results that would
be impossible to patch all at once. Existing prioritization
practices such as CVSS scoring provide no notable reduction in breaches in
organizations with mature vulnerability management programs: firms with
a good security posture are breached through known vulnerabilities just as
often as those with a poor one.
Gartner recommends in its Implement a Risk-Based Approach to Vulnerability
Management report (Gartner subscription required) that "security and
risk management leaders should rate vulnerabilities on the basis of risk
in order to improve vulnerability management program effectiveness."
Gartner also predicts that "by 2022, approximately 30% of enterprises
will adopt a risk-based approach to vulnerability management" and "by
2022, organizations that use the risk-based vulnerability management
method will suffer 80% fewer breaches."
"A vulnerability is only as dangerous as the threat exploiting it and in
some instances during our research, we found the figure dropped to as
low as 2%. By focusing on actual vs. perceived risk, we found the
security industry has been unnecessarily exaggerating the number of
vulnerabilities security teams must address, which has dangerous
ramifications for the cloud security landscape," said Shlomi Boutnaru,
CTO and co-founder, Rezilion. "A continuous adaptive risk and trust
assessment-based approach reduces friction and overhead by identifying
vulnerabilities running in memory and then prioritizing treatment of
those vulnerabilities commonly targeted by hackers as well as any that
don't have mitigations."