2022 Container Security Trends Report: Exploring ownership, education, expertise, and more
April 27, 2022
With dependence on containers growing more every year, developers need the best container security solutions they can find, and those solutions have to integrate seamlessly into existing development workflows. Snyk’s partnership with Sysdig has helped us strengthen our commitment to building tools for container security, and growing those tools to meet the evolving needs of developers. And as a developer-first organization, we truly value feedback that comes right from developers themselves.
So we recently partnered with Techstrong Research to gather data on developers’ priorities for securing cloud environments. Techstrong distributed flash polls to their member community, which includes people interested in DevOps, cloud-native, development, security, and digital transformation. Over 1700 community members responded to the polls, revealing valuable insight on how security considerations impact deployments; the complexities of securing cloud-native and container environments; and how security work is distributed across organizations. All of this data is presented and analyzed in the 2022 Container Security Trends Report.
First, the poll addresses the question of whether developers feel that security slows the cloud deployment process. We know that traditionally, security has been viewed as an extra step, one that might slow the overall workflow. However, the poll numbers show that security is slowly catching up with application teams and DevOps teams as an equal stakeholder during deployment. (Interestingly, nearly 20% of respondents said security is helping them move faster, which is a sentiment we think many teams see as part of their "ideal version" of DevSecOps.)
Next, the poll points to the question of who understands security practices, and how developers can be educated about security. Scanning for vulnerabilities isn’t a new practice, but some organizations still have a limited understanding of how vulnerabilities can have an impact on container deployments. For example, many container and Kubernetes platforms have security controls built in by default, but depending on your business model, you may need tighter, more granular security settings in place. Kubernetes comes with a learning curve, and the nuances of applying security policies to namespaces and clusters are complex. All of this might not be intuitive for application teams.
On that note, respondents were asked if they believe that application teams have enough experience to identify cloud security vulnerabilities. The majority said no. This points back to all of the expectations put on developers: they have to create great user experiences, address bugs, make applications usable, and now also manage security and testing. When you hear the phrase “full-stack developer,” you might initially think of a developer who can create both the front and back end of an application. But with cloud-native apps, “full stack” can include the full technical stack, all the way down to containers and IaC. A great way to give security context to application teams is to give them the tools that help them understand vulnerabilities and how to mitigate them.
While not all developers can be security experts, some organizations have identified developers who can act as security champions, bringing stakeholders together to discuss security concerns across a project. This makes security a shared responsibility. Poll responses showed a trend in this direction: the largest percentage of respondents said that security is a collaborative effort in their organizations.
Continuing with that trend, approximately half of poll respondents reported that the work of creating cloud infrastructure configurations, and also of designing and configuring containers, was a collaborative effort across cloud, operations, development, and security teams. As the work of securing cloud environments and containers becomes a shared effort in more organizations, tools that enable teams to incorporate security into their processes — like Snyk Container — are becoming even more valuable.
"It does get a little more tricky [when you’re working with containers]. There are security teams who say 'We'd better get educated quickly on what containers bring. How is it different, and if it is different, are there things we need to shift and change in how we handle it and what tools we’re using?'"
Eric Carter, Director of Product Marketing, Sysdig
A platform that enables people on various teams to identify and fix container security issues can add considerable power and flexibility to your workflow.
Read the report... and check out the webinar
Hear a full discussion about the top findings from the report in a webinar with panelists from Snyk and Sysdig, hosted by Techstrong.