Managing Security Issues in Software Containers: From Practitioners Perspective

Maha Sroor, Rahul Mohanani, Ricardo Colomo-Palacios, Sandun Dasanayake, Tommi Mikkonen

TL;DR

This study addresses the gap in container security research by examining the human perspective of security management in containerized projects. It employs two semi-structured interview studies to uncover practitioner perceptions of security challenges and to identify technical and non-technical enablers that improve container security, culminating in integrated conceptual models. Key contributions include a detailed mapping of security patterns (e.g., chain of dependencies, automation reliance) and a bifurcated set of enablers (risk identification, testing, logging, AI, knowledge sharing, and collaboration) that guide robust security strategies. The findings offer practical implications for SE practice, such as prioritizing early security embedding, documenting guidelines, and fostering cross-industry collaboration, while outlining future research directions like standardized security metrics and ethics in AI-enabled security tools.

Abstract

Software development industries are increasingly adopting containers to enhance the scalability and flexibility of software applications. Security in containerized projects is a critical challenge that can lead to data breaches and performance degradation, thereby directly affecting the reliability and operations of the container services. Despite the ongoing effort to manage the security issues in containerized projects in software engineering (SE) research, more focused investigations are needed to explore the human perspective of security management and the technical approaches to security management in containerized projects. This research aims to explore security management in containerized projects by examining how SE practitioners perceive the security issues in containerized software projects and their approach to managing such issues. A clear understanding of security management in containerized projects will enable industries to develop robust security strategies that enhance software reliability and trust. To achieve this, we conducted two separate semi-structured interview studies to examine how practitioners approach security management. The first study focused on practitioners' perceptions of security challenges in containerized environments, where we interviewed 15 participants between December 2022 and October 2023. The second study explored how to enhance container security, with 20 participants interviewed between October 2024 and December 2024. Analyzing the data from both studies reveals how SE practitioners address the various security challenges in containerized projects. Our analysis also identified the technical and non-technical enablers that can be utilized to enhance security.

Paper Structure

This paper contains 57 sections, 2 figures, 4 tables.

Figures (2)

  • Figure 1: Model 1: Container security pattern interrelation model
  • Figure 2: Model 2: Managing Security in Containerized Project