End User Community reports that there are many tools and approaches for DevSecOps, and the space is continuing to grow

SAN FRANCISCO, Calif. – September 22, 2021 – The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, today announced the findings of the latest CNCF End User Technology Radar, a guide to a set of emerging technologies based on the experience of the CNCF End User Community. The theme of this sixth edition for the third quarter of 2021 is DevSecOps. 

DevSecOps is the practice of integrating security into release cycles in modern, cloud native applications. It builds on DevOps by bridging the gap between development and security teams and automating many security processes. The Radar team selected DevSecOps as a topic because the members felt it was one of the fastest-changing spaces in application development. Many organizations are trying to balance the desire to go fast with the importance of securing the entire application lifecycle. 

“The maturity of cloud native software has enabled organizations to design more complex and layered architectures with Kubernetes as a centerpiece,” said Katie Gamanji, ecosystem advocate, Cloud Native Computing Foundation. “However, a mature ecosystem implies that security is tightly intertwined in the development cycle. By shifting security to the left, organizations can share ownership across teams and define DevSecOps principles, enabling specialists to focus on vulnerabilities in well-known components and creating fast and effective feedback loops.”

Overall, the team found that the DevSecOps space is growing and changing rapidly, with new tools constantly emerging. However, the developer experience is lagging: it is often cumbersome, developers and teams struggle to keep pace, and many tools are geared more toward security teams than toward the engineers who ship the code. Another problem is that many organizations are unable to operationalize segmentation within their cloud native environments. One solution is to use tools like Calico and Cilium for micro-segmentation at Layer 3-4 (policy on IP addresses, protocols, and ports) alongside Layer 7 segmentation from service mesh technologies like Istio and Linkerd (policy on workload identity and individual requests). The team summarized these findings in three key themes, which can be viewed in more detail on the Radar page.
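The Radar text names the two layers of segmentation but does not show how they fit together. The following manifests are an added example, not taken from the Radar or from any of the projects it names, of combining them on a cluster that runs a Kubernetes NetworkPolicy-enforcing CNI (Calico or Cilium) together with Istio: a default-deny NetworkPolicy for a `payments` namespace, a NetworkPolicy that admits only TCP 8080 from `app=checkout` pods in a `checkout` namespace, and an Istio AuthorizationPolicy that further limits the checkout workload's mesh identity to one HTTP method and path. The namespace, label, service account, port, and path names are hypothetical; Linkerd would need its own policy resources instead of the Istio one.

```yaml
# Layer 3-4: default-deny all ingress to every pod in the namespace.
# Enforced by the CNI (Calico or Cilium), keyed on IP/port, not on identity.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-default-deny
  namespace: payments            # hypothetical namespace
spec:
  podSelector: {}                # empty selector = every pod in the namespace
  policyTypes: ["Ingress"]
---
# Layer 3-4: re-open only TCP 8080 to the payments pods, and only from pods
# labelled app=checkout in the checkout namespace. Because namespaceSelector
# and podSelector sit in the same 'from' entry, both conditions must hold.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-checkout-to-payments
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments              # hypothetical workload label
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: checkout   # label set by the API server on every namespace
          podSelector:
            matchLabels:
              app: checkout
      ports:
        - protocol: TCP
          port: 8080
---
# Layer 7: inside the mesh, identify the caller by the SPIFFE principal in
# its mTLS certificate rather than by its IP, and permit only one operation.
# Any request to the selected workload that matches no ALLOW rule is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-checkout-charge
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/checkout/sa/checkout"]   # hypothetical service account
      to:
        - operation:
            methods: ["POST"]
            paths: ["/v1/charges"]                                  # hypothetical path
```

The two layers fail independently: if the mesh sidecar is bypassed or misconfigured, the NetworkPolicy still limits reachability to one port from one set of pods; if a pod inside the allowed set is compromised, the AuthorizationPolicy still confines it to a single endpoint. The `principals` field is only populated when the connection is mTLS, so pair the AuthorizationPolicy with a `PeerAuthentication` in `STRICT` mode for the namespace, otherwise plaintext callers would not match the rule and would simply be denied, which is the safe failure but easy to mistake for a routing problem.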

After reviewing the data provided by the end user organizations, the team came up with a Radar showcasing 16 tools across three levels. Half of these, including projects like ArgoCD and Open Policy Agent, ended up in the Adopt category, meaning the End User community recommends them for adoption in production. Only one tool, XRay, ended up in Trial. The remaining seven were in Assess, meaning they are very promising and are good at solving at least one problem, but there is room for consolidation. This includes the likes of Cilium, GitHub Actions, and Linkerd. 

“As organizations are moving to Kubernetes and cloud native, they are realizing the old way of doing security doesn’t work anymore,” said Sergiu Petean, head of DevOps, Allianz Direct. “To address these problems as they arise, smaller, more niche companies are developing new tools. However, this is creating a fractured market where there is no one-size-fits-all approach to DevSecOps. This introduces complexity for developer and security teams who need to evaluate and agree on the best solution.”

“Through our research, we did find many great tools that allow teams to improve their security posture, although no one tool or suite of vendor tools provided a holistic approach to solving all challenges within the DevSecOps space,” said Keith Nielsen, director of cloud architecture, Discover Financial Services. “At the end of the day, organizations need to find what works best for them – sometimes it is about the technology, and sometimes it is about changing mindsets and team culture.”

The CNCF Technology Radar is an initiative from the CNCF End User Community, a group of more than 155 leading-edge companies and startups, such as Airbnb, Capital One, and Twitter, that use cloud native technologies and aim to identify challenges and best practices when adopting them. The Technology Radar shares insight into which tools end users use, how they use them, and which tools they recommend for broad adoption.

To learn more about the Radar results, watch the webinar with the Radar team and visit radar.cncf.io. You can also view previous Technology Radars on Continuous Delivery, Observability, Database Storage, and Secrets Management. 

About the Methodology

In September 2021, the 155+ companies in the CNCF End User Community were asked to describe what their companies recommended for different solutions: Hold, Assess, Trial, or Adopt. They could also give more detailed comments. As the answers were submitted via a Google Spreadsheet, they were neither private nor anonymized within the group.

Twenty-one companies, including Box, Intuit, Shopify, and Zendesk, submitted 171 data points on 35 tools. These were sorted to determine the final positions. The Radar Team then curated the responses, chose outcomes, and described any patterns or themes they saw in the data or from their own experience.

About the Radar Team

Sergiu Petean is head of DevOps at Allianz Direct. His highly skilled team is responsible for building, operating, and evolving the state-of-the-art, Kubernetes-driven, Hybrid Cloud Platform.

Keith Nielsen is director of cloud architecture at Discover Financial Services and is responsible for Discover’s Cloud Business Office. Keith’s current focus is on solving the challenges of Hybrid Cloud, particularly in the Kubernetes ecosystem, and all the capabilities needed to support it.

About Cloud Native Computing Foundation

Cloud native computing empowers organizations to build and run scalable applications with an open source software stack in public, private, and hybrid clouds. The Cloud Native Computing Foundation (CNCF) hosts critical components of the global technology infrastructure, including Kubernetes, Prometheus, and Envoy. CNCF brings together the industry’s top developers, end users, and vendors, and runs the largest open source developer conferences in the world. Supported by more than 500 members, including the world’s largest cloud computing and software companies, as well as over 200 innovative startups, CNCF is part of the nonprofit Linux Foundation. For more information, please visit www.cncf.io.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page. Linux is a registered trademark of Linus Torvalds.

Media Contact

Katie Meinders

The Linux Foundation

PR@CNCF.io