Survey: DevSecOps Own Enterprise Containerized Application Security
There’s a lot going on in the container world. Just last month we learned that Docker added Kubernetes support to its platform, a move that clearly indicates Kubernetes’ dominance in the container orchestration world. Prior to that, Kubernetes added RBAC authorization and support for outbound network policies and auditing in its latest 1.8 release, while Red Hat OpenShift announced hybrid cloud support with consistency across hybrid and multi-cloud footprints. These major announcements are fueling the rapid growth of container adoption and are responsible for its rising momentum.
DevOps + Developers ♥ Containers
Developers love containers for their simplicity, their efficiency and the availability of developer-focused tooling that supports them. DevOps love containers for their agility and speed. As containers become the application development tool of choice, questions arise regarding the ownership and division of responsibilities around this process. Since container adoption starts with development, developers and DevOps teams are the ones leading the growing adoption of container technology in the enterprise today, but will this always be the case?
So Who Is in Charge of Container Security Today?
At Aqua, we are constantly in touch with enterprises adopting containers, and the question of security governance has been an elusive one. As part of our Container Security in the Enterprise survey, we wanted to answer this question.
A glimpse of the results can be seen in the charts below:
What immediately stands out from the figures is that DevOps play an important role in both current and future ownership of container security. The reason probably lies in the fact that DevOps are the ones that use containers extensively and have a good understanding of how to implement security checks and controls.
What we found out is that DevSecOps are today’s rising star of tomorrow’s secured containerized applications. While only 13% of the surveyed DevSecOps are reported to be responsible for security in the enterprise today, their share doubles to 28% when asked who should own container security moving forward.
While DevSecOps represented 13% for current ownership, the future looks better with support from other roles: Architects are evenly split at 40% between DevOps and Security for current ownership, but they favor Security at 36% and DevSecOps at 29% going forward. Developers, however, favor DevOps at 30% for future ownership, and DevOps favor DevSecOps at 37% going forward. This implies that while DevSecOps continue to play a significant role in enterprises using containers, future ownership of container security is still unclear, but it is migrating towards DevSecOps as the ones most suitable to own it.
The benefits of implementing DevSecOps practices in organizations are straightforward and come down to being a key business enabler – working closely with the development and operation teams, and making sure that security is baked into the development pipeline.