CNCF End User Technology Radar Eyes DevSecOps

September 27, 2021

The Cloud Native Computing Foundation released the latest CNCF End User Technology Radar, a guide to a set of emerging technologies based on the experience of the CNCF End User Community. The theme of this sixth edition for the third quarter of 2021 is DevSecOps.

DevSecOps is the practice of integrating security into release cycles in modern, cloud native applications. It builds on DevOps by bridging the gap between development and security teams and automating many security processes. The Radar team selected DevSecOps as a topic because the members felt it was one of the fastest-changing spaces in application development. Many organizations are trying to balance the desire to go fast with the importance of securing the entire application lifecycle.

“The maturity of cloud native software has enabled organizations to design more complex and layered architectures with Kubernetes as a centerpiece,” said Katie Gamanji, ecosystem advocate, Cloud Native Computing Foundation. “However, a mature ecosystem implies that security is tightly intertwined in the development cycle. By shifting security to the left, organizations can share ownership across teams and define DevSecOps principles, enabling specialists to focus on vulnerabilities in well-known components and creating fast and effective feedback loops.”

Overall, the team found that the DevSecOps space is growing and changing rapidly, with new tools constantly emerging. However, the developer experience is lagging: it is often cumbersome, developers and teams struggle to keep pace, and many tools are geared more toward security teams than toward developers. Another problem is that many organizations are unable to operationalize segmentation within their cloud native environments. One solution is to use tools like Calico and Cilium for micro-segmentation at Layers 3 and 4 alongside Layer 7 segmentation from service mesh technologies like Istio and Linkerd.

After reviewing the data provided by the end user organizations, the team came up with a Radar showcasing 16 tools across three levels. Half of these, including projects like ArgoCD and Open Policy Agent, ended up in the Adopt category, meaning the End User community recommends them for adoption in production. Only one tool, XRay, ended up in Trial. The remaining seven were in Assess, meaning they are very promising and are good at solving at least one problem, but there is room for consolidation. This includes the likes of Cilium, GitHub Actions, and Linkerd.

“As organizations are moving to Kubernetes and cloud native, they are realizing the old way of doing security doesn’t work anymore,” said Sergiu Petean, head of DevOps, Allianz Direct. “To address these problems as they arise, smaller, more niche companies are developing new tools. However, this is creating a fractured market where there is no one-size-fits-all approach to DevSecOps. This introduces complexity for developer and security teams who need to evaluate and agree on the best solution.”

“Through our research, we did find many great tools that allow teams to improve their security posture, although no one tool or suite of vendor tools provided a holistic approach to solving all challenges within the DevSecOps space,” said Keith Nielsen, director of cloud architecture, Discover Financial Services. “At the end of the day, organizations need to find what works best for them – sometimes it is about the technology, and sometimes it is about changing mindsets and team culture.”

The CNCF Technology Radar is an initiative from the CNCF End User Community, a group of more than 155 leading-edge companies and startups, such as Airbnb, Capital One, and Twitter, that use cloud native technologies and aim to identify challenges and best practices when adopting them. The Technology Radar shares insight into which tools end users use, how they use them, and which tools they recommend for broad adoption.

To learn more about the Radar results, watch the webinar with the Radar team and visit radar.cncf.io. You can also view previous Technology Radars on Continuous Delivery, Observability, Database Storage, and Secrets Management.

About the Methodology

In September 2021, the 155+ companies in the CNCF End User Community were asked to describe what their companies recommended for different solutions: Hold, Assess, Trial, or Adopt. They could also give more detailed comments. As the answers were submitted via a Google Spreadsheet, they were neither private nor anonymized within the group.

Twenty-one companies, including Box, Intuit, Shopify, and Zendesk, submitted 171 data points on 35 tools. These were sorted to determine the final positions. The Radar Team then curated the responses, chose outcomes, and described any patterns or themes they saw in the data or from their own experience.

Copyright © 2002 - 2021 ConstituentWorks SM Corporation. All rights reserved.