SANS 2022 DevSecOps Survey
Create a culture to significantly improve your organization’s security posture.
Download Now >Share: 
Join me for highlights of some of the more interesting and relevant (to DeepFactor) parts of the 2021 Cloud Native Computing Foundation Annual Report released on February 10, 2022.
I hope you enjoy my perspective … especially with this being my first time reviewing the report as a “security professional” focused on empowering engineering teams to develop secure and compliant code!
Before joining DeepFactor, I was a Technical-Marketing-Engineer-turned-Product-Manager at Cisco Systems. My focus area was products/solutions for deploying and managing applications and cloud infrastructure. For many reasons—I mean, generally, product management can be very taxing— managing our product vision and roadmap was a formidable task!
This became especially true as the industry began exploring the transition from monolithic workloads (i.e.virtual machines) to containers. In 2015, the CNCF was formed to “drive alignment among container technologies,” with Kubernetes being accepted as its first major project in 2016. Suddenly, owning a product for “deploying and managing applications and cloud infrastructure” became a challenging responsibility.
Thankfully—especially for those of us in technical marketing and product management struggling to “keep up” with the rapid pace of innovation—the introduction of Kubernetes was foundational (pun very much intended) in establishing the CNCF as a valuable and trusted source of information. So, in the spirit of highlighting that authority, they released the first-ever Cloud Native Computing Foundation Annual Report in 2017. From its humble beginnings as a 14-page PDF naively highlighting the growing attendance of Kubernetes training, to a multi-part resource now focused on the hundreds of projects helping cloud native technologies, such as Kubernetes, “cross the chasm” into the mainstream, the annual report continues to be a fascinating resource for everyone to analyze and appreciate! And this year is certainly no different.
Kubernetes Has Crossed The Adoption Chasm … And Stumbled On The Security Fissure
According to the most recent State of Cloud Native Development Report, produced for CNCF by SlashData, Kubernetes acceptance continues to grow. With over 5.6 million Kubernetes developers worldwide (up from 3.9 in 2020), there’s been a reported 37% year-on-year increase in adoption, with large enterprises (i.e. 5,000+ FTEs) more likely to use Kubernetes than smaller organizations.
In last year’s CNCF Annual Report, much focus was spent on the impact cloud native technologies was having on modern development practices—55% of respondents released code weekly or more frequently, with 18% releasing multiple times per day**. And now, with Kubernetes entering the mainstream, DeepFactor believes continued adoption and implementation is going to magnify the importance of observability and application security. I mean, how else are developers and operations going to ensure the security of the application before shipping to production? Can engineering teams really afford to gate releases waiting on drawn-out AppSec “checkpoints”?
**Sidebar: I would love for the CNCF to continue providing this data yearly. It’s a valuable metric to track, especially as containerization continues to speed up the pace of development.
According to the RedHat State of Kubernetes Security 2021 Report, “94% of respondents experienced at least one security incident in their Kubernetes environments in the last 12 months” with “55% of respondents … [delaying] an application rollout because of security concerns.” Though the adoption continues to grow unabated, addressing and navigating these security challenges remains a major objective for enterprises hoping to modernize around Kubernetes. As we discussed in a recent DeepFactor webinar, “Digital Transformation” should also include modernizing the application security tools integrated into your CI/CD pipeline.
Kubernetes Is Starting To Go “Under The Hood” … Who’s The Mechanic?
Given the focus on Kubernetes adoption (i.e “mainstream status solidified”) much of the 2021 CNCF Annual Report is spent highlighting how this changes the way people—most importantly, developers and engineering teams—interact with the technology. “What’s fascinating about this is how quickly Kubernetes has grown from a niche technology to something so utterly ubiquitous that folks don’t even know they are using technologies built on it, as the value for end users has moved up the stack,” comments Chris Aniszczyk, CTO of the CNCF.
In a similar fashion to Linux, this ubiquity is helping camouflage the use of Kubernetes, creating a positive correlation between overall adoption and the intensive use of managed services. According to the report, 79% of respondents are using Certified K8s Hosted Platforms, using offerings from Amazon (e.g. EKS, ECS), Azure (AKS) and Google Cloud (GKE). This is further supported by Datadog’s 2021 Container Report, which shows “nearly 90 percent of Kubernetes users leverage cloud-managed services,” almost a 70% increase from 2020.
<
However, as abstractions often do, obscuring complexity can restrict functionality and limit visibility for the end user. In some cases, this is great—e.g. as summarized by Douglas Murray, CEO at Valtix, in a VentureBeat article: “cloud-native security solutions can abstract much of the security complexity that can be introduced by cloud initiatives”. But for engineering teams responsible for adopting DevSecOps best practices**, these abstractions can disrupt these initiatives by removing access to valuable information related to application behavior. With Kubernetes moving “under the hood”—to keep the metaphor going—what tools can engineering teams provide developers to help discover and resolve security vulnerabilities, supply chain risks, and compliance violations early in development?
**Sidebar: If you’re looking to understand the larger challenges around building security culture into your engineering team, highly recommend our recent webinar with renowned former CISO, Jim Routh, and DeepFactor Founder and CEO, Kiran Kamity, as they discuss strategies and best practices available to engineering teams wanting to manage security risks before shipping applications to production.
Rest assured, there’s a new-ish crop of tools arriving to address this challenge head-on. Many of them—including, of course, DeepFactor, belong to an emerging category called Cloud-Native Application Protection Platforms (CNAPP). As described by our CMO, Seth Knox in his blog, What is a Cloud Native Application Protection Platform? :
“The vision of CNAPP is to address cloud native applications risks … in the development and testing phases of the SDLC, before applications go into production. This is accomplished by providing developers with a consolidated view of cloud native application risks and the information they need to fix known vulnerabilities, misconfigurations, behavior violations, and compliance issues in their own tools and CI/CD pipeline. By shifting security left to development, businesses that embrace CNAPP will be able to reduce the risk of breaches and regulatory penalties, lower the total cost of fixing vulnerable applications, and help engineering teams deliver secure cloud native applications faster.”
The other important consideration to make is ensuring the tool is purpose-built with your environment (i.e. infrastructure) and applications in mind. This can be particularly important as organizations increasingly use managed services, as outlined in the CNCF Annual Report. For example, certain methods of observing application behavior via api interception—such as ePBF— might be difficult, or near impossible, to implement depending on the underlying technology of the managed service being used.
Final Thoughts
The 2021 CNCF Annual Report is a very valuable resource for anyone interested in cloud native technologies. For those in product management and technical marketing, the focus on Kubernetes maturity, and the increasing adoption of managed services, should inform roadmaps (i.e. containers are indubitably “the future”) and identify potential subjects worth highlighting in marketing and educational content. More importantly though, for end-users, such as developers, the report provides valuable context to underscore the technologies and initiatives that are shaping the decisions being made around them. Intimately understanding both angles is going to be a marker of a successful organization navigating the evolving landscape. And finally, as always, thank you to the CNCF for producing this insightful report.
If you would like to discuss more of these findings with the DeepFactor time, you can contact us here.