From DevOps to DevSecOps: The Impact of Container Security on Organizational Culture
August 14, 2019

Ali Golshan
StackRox

The fast-moving nature of container and Kubernetes adoption is having a ripple effect throughout organizations. Not only is the adoption of cloud native technologies fueling digital transformation — especially in the areas of operations and service delivery — it's also forcing organizations to rethink how they structure their business units to accommodate the demands of rapid iteration, agile development, and increasingly critical security standards.

In the fall of 2018, StackRox surveyed a number of IT professionals across a range of industries to understand the state of the container and Kubernetes security within their organizations and how the cloud-native stack is shaping security strategies, operations and IT culture. Just six months later, we updated the survey, and the results highlight a number of organizational changes driven by the quick maturation of container and Kubernetes adoption.

We found that, despite rapid container adoption, organizations are still struggling to secure containers. Although respondents reported a staggering uptick in Kubernetes deployments in the last six months — a 51 percent increase — they also reported escalating concerns about container security investments and lack of strategic planning. On the surface, this data might seem alarming, but ultimately it reveals that organizations are thinking more comprehensively about their use of containers, the importance of containerized applications in their business and the role that security plays in maintaining operations.

These same adoption trends are also shaping how businesses are cultivating their IT teams. With the continued growth of containerization, respondents are reporting that the DevSecOps role is taking on increasing prominence in managing container security. Across all operations roles, the allocation of management responsibility by role has remained consistent, but the jump in those citing DevSecOps as the responsible operator for container security is significant. This increase came despite 38% of respondents identifying their role as product development/engineering. We saw an even larger jump in the allocation of responsibility to DevSecOps when we isolated responses to just those who are in a security or compliance role. Among those respondents, 42% view DevSecOps as the right organization to run container security platforms.

These results indicate that security professionals are finding increasing value in designating the specific role of DevSecOps and its responsibility in running containers security platforms. More importantly, however, we see that containers and Kubernetes have the power to unify what used to be very separate disciplines. The opportunity to create "security as code" is powerful with the cloud-native stack, but it requires workflows, processes, and security tooling that creates and enables that integration across groups.

Ultimately, it's clear that organizations are potentially putting the operational benefits of agility and flexibility at risk by not ensuring their cloud-native assets are built, deployed, and running securely. The right security tooling is critical to continue to bridge the gap between DevOps and security teams in order for security to be effective. Moreover, the continued effort to "shift left" with security, propelling the DevSecOps movement, underscores the importance of having security that's built in, not bolted on, for these cloud-native applications and environments.

Ali Golshan is CTO and Co-Founder of StackRox
Share this

Industry News

November 24, 2020

Red Hat announced new capabilities and features for Red Hat OpenShift, the company's enterprise Kubernetes platform.

November 24, 2020

Sectigo released Chef, Jenkins, JetStack Cert-Manager, Puppet, and SaltStack integrations for its certificate management platform.

November 24, 2020

DataStax released K8ssandra, an open-source distribution of Apache Cassandra on Kubernetes.

November 23, 2020

Spectro Cloud has released a new, self-hosted version of its flagship product, Spectro Cloud.

November 23, 2020

GitLab completed integration of Peach Tech, a security software firm specializing in protocol fuzz testing and dynamic application security testing (DAST) API testing, and Fuzzit, a continuous fuzz testing solution providing coverage-guided testing.

November 23, 2020

Fugue announced the availability of its SaaS product in AWS Marketplace, further simplifying the process for Amazon Web Services customers to use Fugue to bring their environments into compliance quickly, demonstrate compliance at any time, and Shift Left on cloud security.

November 19, 2020

Rollbar announced AI-assisted workflows powered by its new automation-grade grouping engine.

November 19, 2020

Buildkite expanded its integration with GitHub and introduced a new onboarding experience.

November 19, 2020

Rancher Labs launched a new Partner Program for the OEM and embedded community.

November 18, 2020

Puppet announced its evolution to an integrated automation platform to enable key business initiatives such as scaling DevOps, risk reduction, policy as code, and evolving cloud strategies.

November 18, 2020

Adaptavist has joined the GitLab partner program as a Select partner.

November 18, 2020

Postman launched the beta version of public workspaces, a hub that makes it possible for both API producers and consumers to seamlessly communicate and collaborate in real time without team or organizational boundaries.

November 17, 2020

Red Hat introduced new capabilities for Red Hat Enterprise Linux and Red Hat OpenShift intended to help enterprises bring edge computing into hybrid cloud deployments.

November 17, 2020

Humio announced the availability of the Humio Operator.

November 17, 2020

Accurics announced that Terrascan, the open source static code analyzer that enables developers to build secure infrastructure as code (IaC), has been extended to support Helm and Kustomize.