
Why the shift left dream has become a nightmare for security and developers


Written by Ivan Milenkovic, Vice President Risk Technology EMEA, Qualys

For the better part of the last decade, we have engaged in a comfortable fiction around security and development. If we could only "shift left" and get developers to take a modicum more responsibility for security alongside their coding, testing and infrastructure deployment, the digital world would become a safer, faster and cheaper place. Instead, the fundamental conflict between speed and security has got worse.

Why did this fail? Developers are under crushing pressure. The classic triangle of project management - Fast, Good, Cheap; pick two - has been smashed to pieces.

Businesses demand fast, good, cheap and secure. When push comes to shove, "fast" always wins. At the same time, we pushed too much cognitive load onto developers who were already drowning.

When they choose public container images to speed up development, they are trying to meet their goals, but they are also taking on risk they rarely have time to evaluate. So how can we understand what the real problem is, and then work to solve it?

Business demands beat security recommendations

There is a pervasive narrative in the security industry that developers are lazy or careless. This is absolutely not true. Developers are not lazy; they are overloaded, pragmatic professionals reacting to the incentives placed before them. If their bonus depends on shipping features by Friday and the security scan takes four hours to run and blocks the build, they will find a way around the scan.

Businesses demand results faster and faster, which has created an environment where security protocols are seen as a barrier to productivity rather than an integral part of engineering. When security tools are noisy, slow, and disconnected from the workflow, they are a barrier.

The result is that organisations have lost control of what is actually running in their environments. We have pipelines that deploy code automatically, infrastructure that scales up and down without human intervention, and AI agents that can now write and execute their own scripts.

Into this high-speed, automated chaos we bring the habit of treating public registries like curated libraries, assuming that because an image is on Docker Hub it must be safe. But pulling a container from a public registry like Docker Hub is a trust decision: you are running whatever the tag points to today, pushed by whoever controls that repository.
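One concrete way to make that trust decision visible in the pipeline is to flag base images that are pulled by a mutable tag rather than pinned to a content digest. The script below is an added example, not code from the article or from Qualys: it scans a constructed Dockerfile for FROM instructions, applies Docker's rule for deciding whether the first path component is a registry (it defaults to docker.io otherwise), skips references to earlier build stages, and reports every image that is unpinned, tagged latest, untagged, or supplied through a build ARG it cannot resolve statically. The Dockerfile contents and the sha256 value are made up for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample Dockerfile (not from the article); the digest below is a
# placeholder value, not a real image digest.
SAMPLE_DOCKERFILE = """\
ARG BASE=python
FROM node:18 AS build
FROM $BASE
FROM ubuntu
FROM nginx:latest
FROM ghcr.io/example/app:1.2.3
FROM --platform=linux/amd64 python:3.12-slim@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
FROM build AS final
"""

# A reference pinned by digest ends in @sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


@dataclass
class Finding:
    line: int
    image: str
    reason: str


def parse_from_lines(text):
    """Yield (line_no, image_ref, stage_alias) for every FROM instruction."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].upper() != "FROM":
            continue
        args = [p for p in parts[1:] if not p.startswith("--")]  # drop --platform=...
        if not args:
            continue
        alias = args[2] if len(args) >= 3 and args[1].upper() == "AS" else None
        yield n, args[0], alias


def registry_of(image):
    """Docker's rule: the first path component is a registry host only if it
    contains a '.' or ':' or is 'localhost'; otherwise the pull goes to docker.io."""
    ref = image.split("@")[0]
    first = ref.split("/")[0]
    if "/" in ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def check_dockerfile(text):
    """Return a Finding for each base image that is not pinned to a digest."""
    findings = []
    stages = set()
    for n, image, alias in parse_from_lines(text):
        if image in stages:  # refers to an earlier build stage, not a pull
            if alias:
                stages.add(alias)
            continue
        if alias:
            stages.add(alias)
        if image.startswith("$") or "${" in image:
            findings.append(Finding(n, image, "base image comes from a build ARG; cannot verify statically"))
            continue
        if DIGEST_RE.search(image):
            continue  # content-addressed: the pull is reproducible
        reg = registry_of(image)
        last = image.rsplit("/", 1)[-1]  # strip registry/namespace before looking for a tag
        tag = last.split(":", 1)[1] if ":" in last else None
        if tag is None:
            reason = f"no tag: resolves to :latest on {reg}, a moving target"
        elif tag == "latest":
            reason = f"floating tag 'latest' on {reg}"
        else:
            reason = f"tag '{tag}' on {reg} is mutable; pin with @sha256:<digest>"
        findings.append(Finding(n, image, reason))
    return findings


if __name__ == "__main__":
    for f in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f.line}: {f.image}: {f.reason}")
```

Pinning to a digest only makes the pull reproducible; it does not tell you who pushed the image or what is inside it. Verifying the publisher's signature and scanning the image contents are separate steps that this check deliberately leaves to other tools.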
