Secure development focus at KubeCon + CloudNativeCon 2022
The pressure is on. It's time for better security that can keep up with modern software developers. That was the message at this year's KubeCon + CloudNativeCon.
Security was a key theme at this year's KubeCon + CloudNativeCon, the conference that celebrates the thriving cloud-native community and ecosystem. This comes as no surprise. Research from TechTarget's Enterprise Strategy Group has shown that organizations often rate security as the biggest challenge faced with cloud-native applications, followed by meeting and maintaining compliance requirements.
The conference kicked off with a keynote by Cloud Native Computing Foundation (CNCF) executive director Priyanka Sharma. She highlighted the importance of security as global companies use open source and cloud-native platforms for digital transformation amid challenging economic times. While recognizing contributors and maintainers in the community, she emphasized CNCF support to help monitor and improve the security of CNCF projects, including open source software (OSS) fuzzing, running security audits and recognizing the work of the CNCF Security Technical Advisory Group.
The CNCF commitment to security includes a new spinoff event, Cloud Native SecurityCon, which will be held in February in Seattle. The event was previously colocated with KubeCon + CloudNativeCon but will now be its own dedicated conference. As Sharma pointed out, the CNCF community's cultivation of open source is powerful because it gives free access to software and resources. But security needs to be a priority, because software this popular and widely used affects safety globally.
So, what was the security buzz at the show? Here are some key themes.
Increasing security vulnerabilities
A presentation by Ayse Kaya, senior director of strategic insights and analytics at Slim.AI, highlighted the results of its "2022 Public Container Report," which showed the increase in vulnerabilities as development speeds up. Some key stats echoed throughout the conference include the following:
- Sixty percent of the top public containers have more vulnerabilities today than a year ago.
- Seventy percent of developers said their customers demand that their containers have no vulnerabilities.
- Today's average public container has 287 vulnerabilities. Of those, 30% fall into the high or critical category, up from 20% last year.
- The number of high-severity vulnerabilities rose 50%, and the number of critical vulnerabilities rose 10%.
Kaya also described how the increasing complexity of applications -- software components, packages, licenses and dependencies -- makes it more challenging to remove vulnerabilities.
Software supply chain security
Securing the software supply chain also garnered a lot of discussion. Recent U.S. government guidelines, as well as incidents such as the SolarWinds compromise and the Log4j vulnerability, have brought attention to the need to secure all application components -- particularly given the growing amount of OSS that cloud-native applications contain.
The second day of KubeCon featured the general availability of Sigstore -- an industry effort supported by established vendors that include Red Hat, GitHub, VMware, Cisco and Google, as well as the startup Chainguard -- and the first annual SigstoreCon. Sigstore aims to address supply chain security with an automated way to digitally sign code commits and track usage of software components.
I talked with Dan Lorenc, founder and CEO of Chainguard, which is focused on building a developer platform for software supply chain security and largely manages the Sigstore project. He described Sigstore as community infrastructure that makes it easier to understand what code is where, in order to implement better controls that support rapid development and faster response to attacks. He pointed out the challenges with security scanners, such as software composition analysis tools, which could help in cases such as Log4j but are not helpful for detecting an attack such as SolarWinds, in which stolen credentials were used to gain access to and modify code.
This is a major issue with cloud-native development security. The scale and speed of development, along with the complexity of application components, create security visibility and control challenges. Sigstore should help as a proactive way to track code use and access for better security results. Lorenc added that his goal isn't to add another security tool or platform, but to build development tools that are secure.
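The distinction Lorenc draws, between a scanner that matches dependency versions against a vulnerability feed and a provenance check that binds an artifact to the build that produced it, is easier to see in code. The following is an added example written for this page, not code from the article, from Chainguard or from the Sigstore project. The SBOM, the vulnerability feed, the artifact bytes and the signing key are all constructed here; HMAC-SHA256 stands in for the keyless, asymmetric signature and transparency log Sigstore actually uses, so the structure of the check is what is being shown, not Sigstore's wire format.

```python
"""Added example (not from the article or Sigstore): an SCA-style scan
beside an attestation check over the same build artifact."""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed SBOM for a hypothetical Java service: (package, version).
SBOM: List[Tuple[str, str]] = [
    ("org.apache.logging.log4j:log4j-core", "2.14.1"),
    ("com.fasterxml.jackson.core:jackson-databind", "2.13.4"),
    ("io.netty:netty-handler", "4.1.86.Final"),
]

# Constructed vulnerability feed: package -> (first fixed version, advisory).
# Versions strictly below the fixed version are affected. The Log4Shell entry
# uses the real identifier; everything else in the SBOM is treated as clean.
VULN_FEED: Dict[str, Tuple[str, str]] = {
    "org.apache.logging.log4j:log4j-core": ("2.15.0", "CVE-2021-44228"),
}

# Constructed signing key; a stand-in for a builder identity, never for real use.
BUILD_KEY = b"constructed-demo-key-not-for-real-use"
TRUSTED_BUILDER = "ci.example.internal/builder"  # hypothetical builder identity


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.1.86.Final' into (4, 1, 86, 0) so tuples compare numerically."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def sca_scan(sbom: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """SCA-style check: flag each component whose version predates the fix."""
    findings = []
    for pkg, ver in sbom:
        if pkg in VULN_FEED:
            fixed, advisory = VULN_FEED[pkg]
            if parse_version(ver) < parse_version(fixed):
                findings.append((pkg, ver, advisory))
    return findings


def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def attest(artifact: bytes, builder: str, commit: str, key: bytes) -> dict:
    """Bind a provenance statement to the artifact digest and sign it."""
    statement = {"subject_sha256": digest(artifact), "builder": builder,
                 "source_commit": commit}
    payload = json.dumps(statement, sort_keys=True).encode()
    return {"statement": statement,
            "signature": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify(artifact: bytes, att: dict, key: bytes, trusted: str) -> Tuple[bool, str]:
    """Check signature, builder identity, then the digest of what was delivered."""
    payload = json.dumps(att["statement"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, att["signature"]):
        return False, "signature does not verify"
    if att["statement"]["builder"] != trusted:
        return False, "untrusted builder"
    if att["statement"]["subject_sha256"] != digest(artifact):
        return False, "artifact digest does not match attested digest"
    return True, "ok"


def scenario() -> dict:
    clean = b"service.jar: built from commit abc123 (constructed bytes)"
    att = attest(clean, TRUSTED_BUILDER, "abc123", BUILD_KEY)
    # SolarWinds-style tampering: the artifact is modified outside the attested
    # build. The dependency list is untouched, so sca_scan sees no difference.
    tampered = clean + b"\n<injected code, constructed>"
    # An attacker re-attesting with a key of their own cannot satisfy verify().
    forged = attest(tampered, TRUSTED_BUILDER, "abc123", b"attacker-key")
    return {
        "sca_findings": sca_scan(SBOM),          # catches Log4Shell
        "clean_verify": verify(clean, att, BUILD_KEY, TRUSTED_BUILDER),
        "tampered_verify": verify(tampered, att, BUILD_KEY, TRUSTED_BUILDER),
        "forged_verify": verify(tampered, forged, BUILD_KEY, TRUSTED_BUILDER),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The scan finds the vulnerable log4j-core version because that is what a feed can express; it reports the same thing for the tampered artifact because nothing in the dependency list changed. Only the attestation check notices that the bytes delivered are not the bytes the trusted builder signed, which is the gap Lorenc describes.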
Developers' security responsibility
My research addresses the need to shift security responsibilities left to developers. The sessions and hallway conversations I heard at KubeCon + CloudNativeCon continue to convince me that developers care about taking responsibility for security as part of cloud-native development. If a security incident hits their applications, the operational consequences can affect the business.
The messaging of the "2022 Public Container Report" wasn't "security needs to keep up"; it was "vulnerabilities continue to increase and developers struggle to keep up." Developers need help and support to better incorporate security into their processes.
The myth that security teams don't have the right mindset to address modern software development persists, alongside the idea that traditional security approaches can't keep up with cloud-native development. Developers are more willing to work with security teams that understand modern development processes and can help them secure their code within their current tools and workflows, without context switching or slowing things down.
Optimizing efficiency and cost savings
Efficiency drives the benefits of cloud-native development. The goal for security must therefore be to work with development instead of against it. This means not adding complexity, friction or extra tools and components that create extra work, slow things down or increase the attack surface.
Organizations are looking for ways to optimize efficiency. This includes getting the most out of their current tools, consolidating tools so they don't have too many siloed products generating too much noise or too many alerts, and sharing tools across teams for multiple use cases to get the most out of their investment. For example, some companies are looking for ways to use application performance monitoring products for security use cases.
The increasing role of CNCF for security
While this was my first KubeCon, I've noticed that over the past years, it has become an increasingly important conference for cybersecurity. More and more organizations are moving their applications to the cloud. Security teams need to modernize their approach to support cloud-native environments and application development. And as teams increasingly use OSS security tools, it's important to incorporate them into security strategies in an efficient way that scales for development.
I look forward to tracking the innovation in this area.
Enterprise Strategy Group is a division of TechTarget.