Software Supply Chain Security Is A Team Sport: Slim.AI 2023 Container Report


Despite dedicating significant resources to fight the influx of vulnerabilities, only 12% of security leaders claim to have achieved their vulnerability remediation goals, with 40% admitting a mostly reactive approach in IT operations, security and DevOps teams. These are among the key findings of the third annual Container Report published by Slim.AI (Slim), the Boston-based startup focused on building a collaborative platform for vulnerability remediation in containers.

The 2023 Container Report provides a reflection of the past year based on Slim’s internal analysis of public container images across all major public repositories. In addition, the report shares the findings of a survey of security and software engineering professionals at large organizations on how they are dealing with software supply chain security complexity. The survey was conducted in partnership with Enterprise Strategy Group (ESG).

Key findings of the report include:

  • The Struggle Is Real In Vulnerability Remediation: Only 12% of security leaders claimed to have achieved their vulnerability remediation goals, with 40% admitting a mostly reactive approach in IT operations, security and DevOps teams.
  • Software Supply Chain Security is a Team Sport: Companies typically get software containers from dozens of vendors, exchanging hundreds of containers each month. The communication overhead to secure containers across company lines strains both sides, with 63% struggling to manage multiple software producers and 67% noting that external container images increase their attack surface.
  • The Spreadsheet Must Die: New Communication Norms Required in Vulnerability Remediation: Simply sharing a vulnerability spreadsheet with your vendor’s SecOps team is a normal practice in today’s consumer-producer relationship. An alarming 75% of organizations are doing this, while 63% hold tedious ad-hoc meetings with vendors. Security leaders are loud and clear in their desire to have a centralized collaboration platform for managing vulnerabilities (84%).
  • Alert Fatigue and False Positives: Organizations are inundated with frequent vulnerability alerts and a high rate of false positives, leading to alert fatigue. Forty-four percent of organizations encounter vulnerabilities in production systems that require immediate remediation several times a week, and 36% encounter them daily. A plurality of organizations estimate that more than 4 in 10 vulnerability alerts are false positives. These survey results are consistent with Slim's own data on public containers: in 2023, CVE counts in public container images rose 39% year over year, even as open-source package updates, container releases and incident response all accelerated compared with the prior year.
  • Increasing Regulatory Pressure: One in three organizations grapples with evolving compliance and regulatory guidelines, with 85% doing extra work to comply with Executive Orders, adding layers of complexity for IT teams.
  • The Real Cost of Vulnerabilities: Hampered Innovation and Growth: Vulnerability backlogs hamper business innovation, performance, productivity and team dynamics. For example, 46% of organizations experience performance issues and downtime as a result of a failure to effectively remediate vulnerabilities in containers.
