The state of cloud native security—and DevSecOps

Sysdig’s 2023 Cloud Native Security and Usage Report released last week, giving us an updated peek at the state of container security and utilization. The study is based on data from “a subset of [Sysdig’s] customers,” mid-market to large enterprises from North and South America, the EU, Japan, the UK, and Australia. Ultimately, the report is building on data from over seven million containers. According to the report, 87% of container images included serious vulnerabilities, and 15% of those vulnerabilities reached production environments.  

On the container usage side, Sysdig found that almost 60% of containers don’t have defined CPU limits and 69% of requested CPU resources are never actually used, contributing to an estimated $10 million in cumulative overprovisioning. For an individual organization, Sysdig estimates that this translates to an average overspend of up to 40%.

There’s a unifying theme here, and it’s one that lines up with other studies we’ve seen recently - configuration errors or suboptimal configurations are extremely commonplace across the cloud native stack, from specific images to the cluster to the CI/CD processes that should catch problems. When you’re talking about technologies that scale, those errors and inefficiencies can compound into massive losses. 

Part of the reason for rampant and costly misconfiguration is surely Kubernetes’ difficulty, as well as some over-confident DIY initiatives. But many technical challenges have social roots. DevSecOps philosophies aim to unify DevOps and security folks, ideally putting all the right people on the same page and stopping common errors from falling through the cracks. But according to a recent survey from Dynatrace, the biggest impediment to unifying DevOps and security teams is…well, DevOps and security teams. 

According to Dynatrace, 55% of surveyed CIOs say their security teams don’t trust developers and won’t adopt DevSecOps approaches. Those same CIOs say that 49% of developers perceive security teams as blockers to innovation. 

Dynatrace founder and CTO Bernd Greifeneder sees automation as part of the solution. “Organizations know that manual approaches aren’t scalable,” he says. “Teams can’t afford to waste time and effort chasing false positives, searching for vulnerabilities whenever a new threat alert appears, or conducting forensics to understand whether data has been compromised.  They need to work together to drive faster, more secure innovation.”

So how can teams encourage this collaboration? In Greifeneder’s view, automation can help “converge observability and security data to eliminate the silos between teams. By bringing their data together and retaining its context, DevOps and security teams can unlock the insights they need.”

Automation is a crucial component of a ZeroOps strategy–but you have to implement your automation on infrastructure that’s fit for purpose, and that needs to be properly configured, too.  Leveraging the right cloud native expertise is a crucial piece of the puzzle.

More broadly, organizations need platforms that provide a common language for their teams. A cloud native stack tailored to your needs and built from the right components can help you build thoughtful automations that help teams work together to succeed. And with the support of a DevOps-as-a-service model, teams can turn their attention to the problems that really matter.

This story is excerpted from Radio Cloud Native, a biweekly news podcast from Mirantis. Listen to the full episode below.