Secure development focus at KubeCon + CloudNativeCon 2022

Increasing security vulnerabilities

A presentation by Ayse Kaya, senior director of strategic insights and analytics at Slim.AI, highlighted the results of its "2022 Public Container Report," which showed the increase in vulnerabilities as development speeds up. Some key stats echoed throughout the conference include the following:

• Sixty percent of the top public containers have more vulnerabilities today than a year ago.
• Seventy percent of developers said their customers demand that their containers have no vulnerabilities.
• Today's average public container has 287 vulnerabilities. Of those vulnerabilities, 30% belong in a high or critical category, up from 20% last year.
• High-severity instances saw a 50% increase, followed by a 10% increase in critical vulnerabilities.

Kaya also described how the increasing complexity of applications -- software components, packages, licenses and dependencies -- make it more challenging to remove vulnerabilities.

Software supply chain security

Securing the software supply chain also garnered a lot of discussion. Recent U.S. government guidelines, as well as attacks including SolarWinds and Log4j, have brought attention to the need to secure all application components -- particularly with the increasing amount of OSS containing cloud-native applications.

The second day of KubeCon featured the general availability of Sigstore -- an industry effort supported by established vendors that include Red Hat, GitHub, VMware, Cisco and Google, as well as the startup Chainguard -- and the first annual SigstoreCon. Sigstore aims to address supply chain security with an automated way to digitally sign code commits and track usage of software components.

I talked with Dan Lorenc, founder and CEO of Chainguard, which is focused on building a developer platform for software supply chain security and largely managing the Sigstore project. He described Sigstore as a community infrastructure that helps make it easier to understand what code is where, in order to implement better controls that support rapid development and faster response to attacks. He pointed out the challenges with security scanners, such as software composition analysis tools, which could help in cases such as Log4j, but are not helpful to detect an attack such as SolarWinds, which used stolen credentials to gain access to and modify code.

This is a major issue with cloud-native development security. The scale and speed of development, along with the complexity of application components, create security visibility and control challenges. Sigstore should be helpful as a proactive way to better track code use and access for better security results. Lorenc added that his goal isn't to add another security tool or platform, but to build development tools that are secure.

Developers' security responsibility

My research addresses the need to shift security responsibilities left to developers. The sessions and hallway conversations I heard at KubeCon + CloudNativeCon continue to convince me that developers care about taking responsibility for security as part of cloud-native development. If a security incident occurs to their applications, operational implications can affect the business.

The messaging of the "2022 Public Container Report" wasn't "security needs to keep up"; it was "vulnerabilities continue to increase and developers struggle to keep up." Developers need help and support to better incorporate security into their processes.

The myth that security teams don't have the right mindset to address modern software development continues with the idea that traditional security approaches can't keep up with cloud-native development. Developers are more willing to work with security teams that understand modern development processes and can help them more easily secure their code within their current tools and workflows, without context switching or slowing things down.

Optimizing efficiency and cost savings

Efficiency drives the benefits of cloud-native development. The goal for security must therefore be to work with development instead of against it. This means not adding complexity, friction or extra tools and components that create extra work, slow things down or increase the attack surface.

Organizations are looking for ways to optimize efficiency. This includes getting the most out of their current tools, consolidating tools so they don't have too many siloed products generating too much noise or too many alerts, and sharing tools across teams for multiple use cases to get the most out of their investment. For example, some companies are looking for ways to use application performance monitoring products for security use cases.

The increasing role of CNCF for security

While this was my first KubeCon, I've noticed that over the past years, it has become an increasingly important conference for cybersecurity. More and more organizations are moving their applications to the cloud. Security teams need to modernize their approach to support cloud-native environments and application development. And as teams increasingly use OSS security tools, it's important to incorporate them into security strategies in an efficient way that scales for development.

I look forward to tracking the innovation in this area.

Enterprise Strategy Group is a division of TechTarget.