CNCF End User Technology Radar Provides Insights into DevSecOps
The Cloud Native Computing Foundation (CNCF), which builds sustainable ecosystems for cloud native software, announced the findings of the latest CNCF End User Technology Radar, a guide to a set of emerging technologies based on the experience of the CNCF End User Community. The theme of this sixth edition for the third quarter of 2021 is DevSecOps.
DevSecOps is the practice of integrating security into release cycles in modern, cloud native applications. It builds on DevOps by bridging the gap between development and security teams and automating many security processes. The Radar team selected DevSecOps as a topic because the members felt it was one of the fastest-changing spaces in application development. Many organizations are trying to balance the desire to go fast with the importance of securing the entire application lifecycle.
“The maturity of cloud native software has enabled organizations to design more complex and layered architectures with Kubernetes as a centerpiece,” said Katie Gamanji, ecosystem advocate, Cloud Native Computing Foundation. “However, a mature ecosystem implies that security is tightly intertwined in the development cycle. By shifting security to the left, organizations can share ownership across teams and define DevSecOps principles, enabling specialists to focus on vulnerabilities in well-known components and creating fast and effective feedback loops.”
Overall, the team found that the DevSecOps space is growing and changing rapidly, with new tools constantly emerging. However, the developer experience is lagging. It is often cumbersome, with developers and teams struggling to keep pace and many tools geared more toward security teams. Another problem is that many organizations are unable to operationalize segmentation within their cloud native environments. One solution is to use tools like Calico and Cilium for micro-segmentation capabilities at Layer 3-4 alongside Layer 7 segmentation mesh technologies like Istio and Linkerd. The team summarized these findings in three key themes, which can be viewed in more detail on the Radar page.
After reviewing the data provided by the end user organizations, the team came up with a Radar showcasing 16 tools across three levels. Half of these, including projects like ArgoCD and Open Policy Agent, ended up in the Adopt category, meaning the End User community recommends them for adoption in production. Only one tool, XRay, ended up in Trial. The remaining seven were in Assess, meaning they are very promising and are good at solving at least one problem, but there is room for consolidation. This includes the likes of Cilium, GitHub Actions, and Linkerd.
“As organizations are moving to Kubernetes and cloud native, they are realizing the old way of doing security doesn’t work anymore,” said Sergiu Petean, head of DevOps, Allianz Direct. “To address these problems as they arise, smaller, more niche companies are developing new tools. However, this is creating a fractured market where there is no one-size-fits-all approach to DevSecOps. This introduces complexity for developer and security teams who need to evaluate and agree on the best solution.”
“Through our research, we did find many great tools that allow teams to improve their security posture, although no one tool or suite of vendor tools provided a holistic approach to solving all challenges within the DevSecOps space,” said Keith Nielsen, director of cloud architecture, Discover Financial Services. “At the end of the day, organizations need to find what works best for them – sometimes it is about the technology, and sometimes it is about changing mindsets and team culture.”
The CNCF Technology Radar is an initiative from the CNCF End User Community, a group of more than 155 leading-edge companies and startups, such as Airbnb, Capital One, and Twitter, who use cloud native technologies and aim to identify challenges and best practices when adopting them. The Technology Radar shares insight into which tools end users use, how they use them, and which tools they recommend for broad adoption.