CNCF End User Technology Radar: Insights into DevSecOps

CNCF end-user community gives recommendations for tools to use in the rapidly growing DevSecOps space

TL;DR

The CNCF end-user community has published a new guide to emerging tools for securing the software development lifecycle, based on its members' own experience. This is the sixth edition of the CNCF End User Technology Radar, and its theme is DevSecOps.

Key Facts

  1. The CNCF End User Technology Radar was introduced on 12 June 2020.
  2. The CNCF end-user community consists of about 155 organizations that use cloud native technologies in their products and services.
  3. This edition of the radar focuses on integrating security into every phase of the software development lifecycle.
  4. Like earlier editions, it rates tools on three levels: Adopt, Trial, and Assess.
  5. 21 companies submitted data points on the 16 tools they use.

Details

The CNCF (Cloud Native Computing Foundation) end-user community launched the CNCF End User Technology Radar towards the end of Q2 2020. The radar is an opinionated guide to a set of emerging technologies, aimed at technical readers who want to know which solutions CNCF end users actually run, which ones they recommend, and how they use them.

The CNCF end-user community consists of about 155 companies and startups, including Airbnb, Twitter, and Capital One, that come together to discuss the challenges they face and the best practices they have found when adopting cloud native technology.

The CNCF end-user community has released six editions of the technology radar so far. The sixth and most recent, released on 22 September 2021, focuses on DevSecOps: integrating security into each phase of software development rather than bolting it on at the end, and automating as many security checks as possible so that DevOps and security teams share one workflow. The CNCF chose DevSecOps for this edition because of the fast-growing adoption of DevOps, with many organizations trying to keep pace with that growth without leaving security behind.

The maturity of cloud native software has enabled organizations to design more complex and layered architectures with Kubernetes as a centerpiece; however, a mature ecosystem implies that security is tightly intertwined in the development cycle. By shifting security to the left, organizations can share ownership across teams and define DevSecOps principles, enabling specialists to focus on vulnerabilities in well-known components and creating fast and effective feedback loops.
Katie Gamanji
Ecosystem Advocate at CNCF

In the survey of tools recommended by the CNCF end-user community, 8 tools were placed at the Adopt level: Terraform, HashiCorp Vault, Artifactory, SonarQube, Calico/Tigera, Argo CD, Open Policy Agent, and Istio. Xray is the only tool recommended at the Trial level, while 7 tools were placed at the Assess level: Sonatype Nexus, GitHub Actions, Cilium, Harness, Linkerd, HashiCorp Sentinel, and Trivy. The companies that made the recommendations span several industries: 7 from software, 4 from e-commerce, 3 from financial services, 2 from insurance, and 1 each from education, food and beverage, media, email, and scientific equipment.

The 21 companies, including Box, Intuit, Shopify, Spotify, Squarespace, and Zendesk, submitted 117 data points, with a total of 252 votes across the 16 tools they worked with.

After reviewing the data points submitted by the 21 companies, the technology radar team reported their findings under three themes:

  1. The DevSecOps space is changing rapidly and new tools are constantly emerging, but most of them are aimed at security teams rather than developers, so developers are not growing with the trend.
  2. Because the security tooling market is moving so fast, practitioners find it hard to know which tool is the right one to use.
  3. Tools like Calico and Cilium offer micro-segmentation at layers 3-4, and they are becoming more important because many organizations struggle to operationalize segmentation in cloud native environments. Layer 7 segmentation, by contrast, is handled by service meshes like Istio and Linkerd, which also provide mutual TLS (mTLS) between workloads. Tools like Artifactory, SonarQube, Xray, and GitHub have likewise shifted their focus toward security.
