From DevOps to DevSecOps: The Impact of Container Security on Organizational Culture
August 14, 2019

Ali Golshan
StackRox

The fast-moving nature of container and Kubernetes adoption is having a ripple effect throughout organizations. Not only is the adoption of cloud native technologies fueling digital transformation — especially in the areas of operations and service delivery — it's also forcing organizations to rethink how they structure their business units to accommodate the demands of rapid iteration, agile development, and increasingly critical security standards.

In the fall of 2018, StackRox surveyed a number of IT professionals across a range of industries to understand the state of the container and Kubernetes security within their organizations and how the cloud-native stack is shaping security strategies, operations and IT culture. Just six months later, we updated the survey, and the results highlight a number of organizational changes driven by the quick maturation of container and Kubernetes adoption.

We found that, despite rapid container adoption, organizations are still struggling to secure containers. Although respondents reported a staggering uptick in Kubernetes deployments in the last six months — a 51 percent increase — they also reported escalating concerns about container security investments and lack of strategic planning. On the surface, this data might seem alarming, but ultimately it reveals that organizations are thinking more comprehensively about their use of containers, the importance of containerized applications in their business and the role that security plays in maintaining operations.

These same adoption trends are also shaping how businesses are cultivating their IT teams. With the continued growth of containerization, respondents are reporting that the DevSecOps role is taking on increasing prominence in managing container security. Across all operations roles, the allocation of management responsibility by role has remained consistent, but the jump in those citing DevSecOps as the responsible operator for container security is significant. This increase came despite 38% of respondents identifying their role as product development/engineering. We saw an even larger jump in the allocation of responsibility to DevSecOps when we isolated responses to just those who are in a security or compliance role. Among those respondents, 42% view DevSecOps as the right organization to run container security platforms.

These results indicate that security professionals are finding increasing value in designating the specific role of DevSecOps and its responsibility in running containers security platforms. More importantly, however, we see that containers and Kubernetes have the power to unify what used to be very separate disciplines. The opportunity to create "security as code" is powerful with the cloud-native stack, but it requires workflows, processes, and security tooling that creates and enables that integration across groups.

Ultimately, it's clear that organizations are potentially putting the operational benefits of agility and flexibility at risk by not ensuring their cloud-native assets are built, deployed, and running securely. The right security tooling is critical to continue to bridge the gap between DevOps and security teams in order for security to be effective. Moreover, the continued effort to "shift left" with security, propelling the DevSecOps movement, underscores the importance of having security that's built in, not bolted on, for these cloud-native applications and environments.

Ali Golshan is CTO and Co-Founder of StackRox
Share this

Industry News

March 03, 2021

Red Hat announced the latest release of Red Hat Process Automation, which delivers new developer tooling, extended support for eventing and streaming for event-driven architectures (EDA) through integration with Apache Kafka, and new monitoring capabilities through heatmap dashboards.

March 03, 2021

Leaders of the software development industry announced the formation of the Value Stream Management Consortium (VSMC).

March 03, 2021

Delphix and GenRocket announced a technology alliance designed to fulfill the needs of enterprise customers who desire a comprehensive test data solution that improves software quality.

March 02, 2021

JFrog announced that its DevOps Platform tools – JFrog Artifactory and JFrog Xray – are available with native deployment templates for customers using AWS GovCloud (US) and Azure Government clouds.

March 02, 2021

Spectro Cloud announced support for existing Kubernetes environments, including clusters on public cloud services such as Amazon EKS, Azure AKS and Google GKE, has been added to the Spectro Cloud Kubernetes management platform.

March 02, 2021

Idera announced the acquisition of PreEmptive Solutions, LLC, a provider of application protection and security.

March 01, 2021

CloudBolt Software announced the launch of OneFuse Community Edition, a free version of its codeless integration platform for automating, integrating, and extending private and hybrid cloud infrastructures.

March 01, 2021

DBmaestro launched support for Snowflake, the Data Cloud company.

March 01, 2021

Platform9 closed Series-D funding with an additional $12.5 million for a total of $37.5 million.

February 25, 2021

Red Hat announced Red Hat OpenShift 4.7, the latest version of the company’s enterprise Kubernetes platform.

February 25, 2021

Granulate announced the release of its open-source platform, the G-Profiler, a production profiling solution that measures the performance of code in production applications to facilitate compute optimization.

February 25, 2021

Checkmarx announced the launch of KICS (Keeping Infrastructure as Code Secure), an open source static analysis solution that enables developers to write more secure infrastructure as code (IaC).

February 24, 2021

Applause launched its Product Excellence Platform (PEP).

February 24, 2021

Mabl announced the beta release of their new native desktop application that empowers users to easily automate testing for browsers, mobile browsers, and APIs.

February 24, 2021

D2iQ announced the general availability of D2iQ Kaptain, the cloud native end-to-end platform for running ML workloads on Kubernetes.