Red Hat Survey Surfaces Cloud-Native Cybersecurity Challenges

A global survey of 600 DevOps, engineering and security professionals published today by Red Hat finds more than two-thirds (67%) have delayed or slowed down deployment of Kubernetes clusters because of a cybersecurity issue. More than half (53%) experienced a software supply chain issue related to cloud-native and containerized development in the past 12 months.

Well over a third (37%) also experienced revenue or customer loss because of a cybersecurity incident, with 21% reporting that a security incident led to employee termination and 25% noting their organization was fined. More than a third (38%) also noted that current security investments in containerized operations are either inadequate or that the issue is not taken seriously enough.

The most common cybersecurity incidents include runtime issues (49%), misconfigurations (45%), a major vulnerability that needed to be remediated (42%) and a failed audit (29%), the survey finds.

The top three concerns are vulnerable application components (32%), insufficient access controls (30%) and lack of software bill of materials (SBOM) or provenance (29%).

On the plus side, nearly half of respondents (45%) have a DevSecOps initiative in the advanced stages of adoption, with another 39% reporting their organization at least understands the value of DevSecOps and is in the early stage of adoption. However, 17% of organizations continue to manage cybersecurity in isolation from DevOps, with 28% reporting that their cybersecurity teams are mainly responsible for container and Kubernetes security.

The survey finds the most commonly used tools for securing Kubernetes environments are KubeLinter, an open source YAML and Helm linter for Kubernetes (37%), Kube-hunter, a security testing and scanning tool (32%), and Open Policy Agent (32%), an open source policy engine that provides a unified policy framework. The most commonly used cybersecurity tools, in general, are vulnerability scanners (46%), SBOMs (35%) and static security analysis tools (34%).

Overall, the survey also makes it clear that cybersecurity issues are having an adverse effect on the pace at which cloud-native applications are being developed, with 44% reporting delays to projects and 39% acknowledging an adverse impact on success. Top software supply chain concerns include vulnerabilities (35%), use of open source software (32%), insider threats (28%) and untrusted content (27%).

In fact, the survey finds the two biggest cybersecurity pain points when it comes to Kubernetes are a lack of protection for the application life cycle and a slowdown in application development, which tied at 35%.

Ajmal Kohgadai, principal product marketing manager for Red Hat Advanced Cluster Security for Kubernetes, says that while cybersecurity is always a top concern when embracing any new platform, the survey makes it clear that cloud-native security issues and concerns are no longer theoretical as organizations begin to deploy Kubernetes clusters at scale.

The challenge is that there is still a lack of container and Kubernetes expertise, which many organizations are trying to address as the management of DevOps and cybersecurity continues to converge, he notes.

It may be a while before most organizations are able to achieve that goal by consistently applying DevSecOps best practices, but as cloud-native applications become more pervasively deployed, it’s now more a question of when rather than if that goal will be achieved.

Mike Vizard
