State of Kubernetes Security Report 2023

Executive summary

Our 2023 edition of the State of Kubernetes Security Report delves into the latest findings from our annual survey around cloud-native security, focusing on containerized workloads and Kubernetes. This report is based on a survey of 600 DevOps, engineering, and security professionals from across the globe spanning large enterprises and small-to-medium sized organizations.

The report uncovers some of the most common security challenges organizations face on their cloud-native adoption journey, and their impact on the business. We examine specific security risks that organizations are most worried about and the steps they take to mitigate those risks, including risks to their software supply chain and their applications at runtime. In addition, we identify the types of security incidents and how often survey respondents experienced them in their Kubernetes environment, and provide best practices and guidance for application development and security teams that could lower their security risk.

With security as one of the biggest concerns with Kubernetes adoption, and security identified as the #1 IT funded priority for 2023 [1], it's never been more important for the Security team to collaborate with the Development and Operations teams and embed security controls earlier in the developer workflows. Our report looks at how responsibility for Kubernetes security is distributed across Dev, Sec, and Ops, and reveals the latest trends in DevSecOps adoption.

As always, we encourage readers to benchmark the health of their Kubernetes security against the findings in this report to find areas of improvement and get insights into how to reduce or eliminate security gaps. Container and Kubernetes security, while challenging, offers an opportunity for organizations to confidently accelerate development velocity, but only if security isn't treated as an afterthought. Much like the presence of brakes in an automobile allows you to accelerate at high speeds with confidence, security, when done right, can embolden the organization to innovate faster and deliver value with confidence.

Contents: Executive summary; Key findings; Security concerns; DevSecOps; Misconfigurations; Software supply chain; Open source security tools; Tips for better security; About our respondents; Red Hat Advanced Cluster Security for Kubernetes

1. Red Hat blog. “Red Hat Global Customer Tech Outlook 2023: Security is the top priority as digital transformation continues,” 15 Nov 2022.

Key findings

67%  Reported delaying or slowing down deployment due to Kubernetes security concerns
37%  Experienced revenue or customer loss due to a container/Kubernetes security incident
38%  Cite security as a top concern with container and Kubernetes strategies
17%  Reported having no DevSecOps initiatives, with DevOps and Security remaining separate
35%  Said their existing container and Kubernetes security solution slows down development
30%  Identified vulnerabilities as their biggest worry for their container and Kubernetes environment

Security issues continue to impact business outcomes

67% of companies have delayed or slowed down deployment due to a security issue

Organizations are adopting cloud-native technologies like Kubernetes and microservices-based application architectures to transform how they build, run, and scale applications. While some are building all new applications as microservices, others are refactoring existing applications alongside managing monoliths. However, our survey found that 67% of respondents have had to delay or slow down application deployment due to security concerns. This is not surprising, as new technologies often create unforeseen security challenges.

When security becomes an afterthought, the agility gained from containerization (more rapid release cycles, faster bug fixes, and greater flexibility to run and manage applications across hybrid environments) is negated. Some organizations are overwhelmed by security needs that stretch across all aspects of the application life cycle, from development through deployment and maintenance. Therefore, they need a simplified way to protect their containerized applications without slowing development or increasing operational complexity.

When security is prioritized early, organizations are making an investment in protecting their valuable business assets, such as sensitive data, intellectual property, and customer information. They are also able to better meet regulatory requirements, ensure business continuity, maintain customer trust, and reduce their long-term cost of remediating security issues later in the development life cycle or after they have been exploited.
Have you ever delayed or slowed down application deployment into production due to container or Kubernetes security concerns?
67%  Yes
33%  No

Both employees and organizations as a whole pay the price for security incidents

1 in 5 respondents said a security incident led to employee termination, and more than 1 in 3 experienced revenue or customer loss

As mentioned previously, container and Kubernetes security issues often delay application rollout. Our survey found that there are other, possibly even more severe, impacts on business. 21% of respondents said that a security incident led to employee termination, and 25% said the organization was fined. This could result in a loss of valuable talent, knowledge, and experience, which could affect the business's ability to operate effectively. Furthermore, businesses that face regulatory fines due to compliance violations or data breaches face a significant financial burden, not to mention negative publicity.

Another potential negative impact of container and Kubernetes security incidents is slowing business growth. 37% of respondents identified revenue/customer loss as a result of a container and Kubernetes security incident. Security breaches could result in the delay of critical projects or product releases, as businesses must prioritize security efforts to address the vulnerabilities that were missed in the development stage. This delay could have a ripple effect on the business, resulting in lost revenue, customer dissatisfaction, or even loss of market share to competitors. Furthermore, a security incident could lead to customer loss, as customers may lose trust in the business's ability to protect their data and may seek out competitors with a stronger security track record.

In the past 12 months, have you experienced any of the following impacts to your business as a result of containers/Kubernetes security or compliance issues or incidents? (Select all that apply.)
44%  Project delays
39%  Negative impact to product success
37%  Revenue or customer loss
25%  Fines
21%  Employee termination

Security incidents are prevalent, impacting all phases of the application development life cycle

90% of respondents experienced at least one security incident in the last 12 months

Our survey found that security incidents aren't confined to just when applications are running. Container and Kubernetes security incidents impact the full application development life cycle. We discovered that while most container and Kubernetes security incidents in the last 12 months occurred during the runtime phase (49%), the build/deploy phases were impacted nearly equally.

Kubernetes and containers were designed for developer productivity and ease of use, not necessarily security. For example, security controls such as SELinux are critical to hardening the application yet challenging to customize and integrate into an operational environment. Therefore, some organizations may choose to disable them, which can leave the application more vulnerable to attack. Another such example is the default behavior of pod-to-pod communication within a cluster. By default, pods within a Kubernetes cluster are allowed to communicate with each other, which creates security weak points if not properly configured. While Kubernetes does provide mechanisms for enhancing security, such as network policies and role-based access control, these features may not be enabled by default and require additional configuration.

For this reason, it's not surprising that an alarming 45% of respondents experienced a misconfiguration incident and another 42% discovered a major vulnerability to remediate. Additionally, 27% reported failing an audit. These incidents highlight the critical need for robust security measures that can keep pace with the demands of application development teams while providing the necessary protection for the full application development life cycle.

In the past 12 months, what security incidents or issues related to containers and/or Kubernetes have you experienced? (Select all that apply.)
49%  Security incident during runtime
45%  Detected misconfiguration
42%  Major vulnerability to remediate
27%  Failed audit
10%  None
Security remains a top concern with container and Kubernetes strategies

38% of respondents either think security isn't taken seriously enough or security investment is inadequate

As the de facto container orchestrator, Kubernetes adoption continues to grow as the demand for cloud-native architectures and containerization increases. This growth hasn't always been followed by the same growth in security investments. Containers and Kubernetes introduce a new layer of complexity to the software stack, leading to additional security challenges. As mentioned previously, containers, often used in cloud-native environments, emphasize agility. Continuous delivery pipelines, for example, may not emphasize security testing and verification to the same extent as speed of deployment.

Investing in container and Kubernetes security means understanding the complexity of Kubernetes and the potential security risks associated with containerized applications, as well as implementing the necessary controls that encompass all layers of the container and Kubernetes stack. This includes the underlying infrastructure, the Kubernetes control plane, the network, container images and registries, and many other components.

What is your biggest concern about your company's container strategy? (Select only one response.)
25%  It is progressing too slowly
14%  It doesn't account for compliance needs
13%  It doesn't address skills gaps on our team
10%  It doesn't account for cultural or process changes
38%  It isn't taking security seriously or investing in security adequately

Kubernetes security responsibility is highly decentralized

Less than a third of respondents consider the security team to be responsible for Kubernetes security

Our data once again shows that Kubernetes security responsibility isn't standardized to a single role across organizations. Only 28% of respondents consider their Security Team as the role most responsible for container and Kubernetes security. Protecting Kubernetes applications spans multiple teams because multiple teams usually contribute towards building containerized applications and Kubernetes, from building container images to setting up the cluster infrastructure, configuring the control plane, and implementing proper access controls and authorization mechanisms.

Safeguarding containerized applications requires different roles to own a piece of the system and processes used in the development life cycle, such as the DevOps team responsible for managing the cluster infrastructure, the security team responsible for implementing security policies and controls, the application developers responsible for securing their applications and the images used by them, and the operations team responsible for managing access controls and authorization mechanisms. To bridge these gaps, container and Kubernetes security processes and tooling must facilitate close collaboration among different teams, from developers to DevOps to operations to security, instead of perpetuating the team isolation that may plague organizations.
What role at your company is most responsible for container and Kubernetes security? (Select only one response.)
18%  DevOps
15%  DevSecOps
28%  Security (cloud security, security eng., InfoSec)
20%  Developer
20%  Ops (architect, platform, infrastructure, SRE, cloud)

DevSecOps isn't just a buzzword

Nearly half of respondents have a DevSecOps initiative in an advanced stage

Our survey found that the majority of organizations are embracing DevSecOps, a term that encompasses the processes and tooling that allow security to be built into the application development life cycle, rather than as a separate process. As organizations recognize the importance of integrating and automating security throughout the software development life cycle, they are likely to be more proactive and effective in identifying and mitigating security risks early in their container and Kubernetes deployments.

According to our survey, 45% of respondents have reached an advanced stage of DevSecOps integration, where security is integrated and automated throughout the software development life cycle (SDLC). This indicates that these organizations have successfully implemented DevSecOps practices and tools such as automated security testing, continuous security monitoring, and security-focused code reviews. Another 39% understand the value of DevSecOps and are in the early stage of adoption.

However, with 17% of organizations operating security separate from DevOps, lacking any DevSecOps initiatives, they may also be missing out on the benefits of integrating security into the SDLC, such as improved efficiency, speed, and quality of software delivery. This could indicate that these organizations may be more reactive in their approach to security, only addressing security issues when they arise at runtime or right before deploying applications in production rather than proactively working to prevent them. They are likely paying the price in the form of slower application rollouts.

Do you have a DevSecOps initiative in your organization? (Select only one response.)
45%  Yes. It's in an advanced stage, where we're integrating and automating security throughout the life cycle
39%  Yes. It's in an early stage, with DevOps and security collaborating on joint policies and workflows
17%  No. DevOps and Security remain separate, with minimal collaboration

Vulnerabilities and misconfigurations are top security concerns with container and Kubernetes environments

More than 50% of respondents are worried about misconfigurations and vulnerabilities, owing to the fact that containers and Kubernetes are highly customizable

Containers and Kubernetes are highly complex, with various components that need to be securely configured. The dynamic environments in which containers operate, with containers turning on and off rapidly, also make it a challenge to maintain a consistent security posture. The shared host operating system kernel and other resources also mean that a single vulnerability in one container can potentially affect other containers on the same host, while a vulnerability in the host itself can potentially affect all containers running on that host. The large number of third-party components, such as base images, libraries, and dependencies, adds yet another layer for individuals to configure and ensure that they remain free of vulnerabilities. Taken together, this makes managing security configuration and detecting and mitigating vulnerabilities a particularly challenging task, and something that our survey respondents worry about the most.

One of the ways to mitigate the risks of misconfigurations and vulnerabilities is to automate the security scanning necessary to detect the most common security issues, such as making sure containers aren't running with root privileges, fixable vulnerabilities don't end up in production environments, and you are not running with default configurations for security-sensitive components.
Of the following risks, which one are you most worried about for your container and Kubernetes environments? (Select only one response.)
30%  Vulnerabilities
28%  Misconfigurations/exposures
25%  Attacks
18%  Failing compliance (SOC2, PCI, HIPAA, etc.)

The majority of companies with security misconfiguration concerns are taking steps to address them

Exposed/unprotected sensitive data is the most worrying security misconfiguration (32%)

With security configuration as one of the leading causes for concern, we asked respondents the exact misconfigurations that worry them the most, and the responses made it clear there isn't a single misconfiguration that is significantly more worrisome than the rest. This underscores the challenge of, and the need for, taking a comprehensive approach to understanding all the various components of containers and Kubernetes that expose you to a security risk and implementing developer-friendly controls that bring your security risk down to an acceptable level. The good news in our findings is that organizations aren't simply ignoring these security risks, but are actively taking steps to address them. For example, retaining default configurations has often been a pain point for many security experts across all IT functions, and 75% of our respondents who worried about retaining default configurations are also taking steps to address it.

Which of the following types of security misconfigurations are you most worried about? (Select all that apply.)
Which of the following types of security misconfigurations is your company taking steps to address? (Select all that apply. Results among those who cite each concern.)

Misconfiguration                                        Most worried about   Taking steps to address
Exposed/unprotected sensitive data                      32%                  72%
Unpatched flaws                                         29%                  70%
Retaining default configurations                        28%                  75%
Coding errors                                           28%                  72%
Unused components deployed increasing attack surface    26%                  67%
Poor network security                                   26%                  76%
Overprivileged containers                               24%                  70%
Use of insecure/untrusted image roots                   24%                  59%
Inadequate access controls (IAM, RBAC)                  23%                  67%
Undetected malware                                      23%                  71%
Presence of known fixable vulnerability                 20%                  60%
Stale, unscanned, or unverified images                  23%                  66%
Exposed network port                                    16%                  52%
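As an added example (not the report's code), an offline audit of constructed Pod and NetworkPolicy objects for several of the misconfigurations in the table above and in the earlier discussion of default pod-to-pod networking: privileged containers, containers that may run as root, images pulled by mutable tag, ports published on the node, and namespaces where no NetworkPolicy isolates pods. The registry, namespaces and object names are assumptions.

```python
"""Audit Kubernetes objects for misconfigurations named in the survey.

Added example, not code from the report. Objects are constructed in-memory
dicts in Kubernetes API shape (what `kubectl get ... -o json` returns), so
the script runs offline; the registry, namespaces and names are made up.
"""
import re
from typing import Dict, List, Set

# Constructed sample cluster state: two Pods and one NetworkPolicy.
SAMPLE_OBJECTS: List[Dict] = [
    {
        "kind": "Pod",
        "metadata": {"name": "api", "namespace": "shop"},
        "spec": {
            "containers": [{
                "name": "api",
                "image": "registry.example.internal/shop/api:latest",  # mutable tag
                "securityContext": {"privileged": True},                # overprivileged
                "ports": [{"containerPort": 8080, "hostPort": 8080}],   # exposed on the node
            }],
        },
    },
    {
        "kind": "Pod",
        "metadata": {"name": "worker", "namespace": "batch"},
        "spec": {
            "securityContext": {"runAsNonRoot": True},                  # pod-level default
            "containers": [{
                "name": "worker",
                "image": "registry.example.internal/batch/worker@sha256:" + "a" * 64,
                "securityContext": {"allowPrivilegeEscalation": False,
                                    "capabilities": {"drop": ["ALL"]}},
            }],
        },
    },
    {
        # An empty podSelector selects every pod in the namespace; listing
        # "Ingress" in policyTypes puts all of them under ingress isolation.
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny", "namespace": "batch"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    },
]

DIGEST_REF = re.compile(r"@sha256:[0-9a-f]{64}$")


def namespaces_with_ingress_policy(objects: List[Dict]) -> Set[str]:
    """Namespaces where some NetworkPolicy isolates every pod for ingress.

    Pods selected by no policy keep the Kubernetes default: any pod may reach
    them. policyTypes defaults to ["Ingress"] when the field is omitted.
    """
    covered = set()
    for obj in objects:
        if obj.get("kind") != "NetworkPolicy":
            continue
        spec = obj.get("spec", {})
        types = spec.get("policyTypes") or ["Ingress"]
        if spec.get("podSelector") == {} and "Ingress" in types:
            covered.add(obj["metadata"]["namespace"])
    return covered


def audit_pod(pod: Dict, covered_namespaces: Set[str]) -> List[str]:
    """Return one finding string per misconfiguration found in a Pod."""
    findings = []
    ns = pod["metadata"]["namespace"]
    name = f"{ns}/{pod['metadata']['name']}"
    pod_sc = pod["spec"].get("securityContext", {})
    containers = pod["spec"].get("containers", []) + pod["spec"].get("initContainers", [])
    for c in containers:
        sc = c.get("securityContext", {})
        cname = c["name"]
        if sc.get("privileged"):
            findings.append(f"{name}: container {cname} is privileged")
        # Container-level settings override pod-level ones. With neither set,
        # the image's USER decides at runtime, so treat "unknown" as a root risk.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and uid in (None, 0):
            findings.append(f"{name}: container {cname} may run as root")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: container {cname} allows privilege escalation")
        if not DIGEST_REF.search(c.get("image", "")):
            findings.append(f"{name}: image {c.get('image')} is not pinned by digest")
        for port in c.get("ports", []):
            if "hostPort" in port:
                findings.append(f"{name}: container {cname} exposes hostPort {port['hostPort']}")
    if ns not in covered_namespaces:
        findings.append(f"{name}: namespace {ns} has no namespace-wide ingress NetworkPolicy")
    return findings


def audit(objects: List[Dict]) -> List[str]:
    """Audit every Pod in a list of objects against the policies in the same list."""
    covered = namespaces_with_ingress_policy(objects)
    return [f for obj in objects if obj.get("kind") == "Pod"
            for f in audit_pod(obj, covered)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_OBJECTS):
        print(finding)
```

On the constructed input the `shop/api` Pod produces six findings and the hardened `batch/worker` Pod none.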
The consequences of a security misconfiguration can lead to serious problems for the application or business at large

Ransomware attacks due to a misconfiguration are the most often cited concern (40%)

Researchers often find that human error is behind the vast majority of security breaches [2]. What's especially concerning about breaches due to human error is that they can take longer to detect and mitigate, increasing the overall cost of the breach [3]. Security misconfigurations are often a human-driven process and therefore pose a serious threat to containers and Kubernetes, especially when there isn't an automated way to scan the systems to detect the misconfiguration.

41% of our respondents worry the most about ransomware attacks as a consequence of security misconfiguration, and a whopping 53% of those have experienced a ransomware attack in the last 12 months. In every instance where a respondent selected a particular consequence of a misconfiguration as one of their worries, a significantly larger number of the respondents had actually experienced that consequence. For example, while 34% of respondents worry about data deletion as a consequence of a security misconfiguration, 46% of respondents have actually experienced their data being deleted due to a security misconfiguration.

One explanation for this phenomenon could be that individuals are inundated with the number of security issues to worry about and some are simply not worth worrying about, despite the prevalence of security incidents tied to that worry. This could be due to a lack of resources and understaffing for critical security roles. Another reason could be that container and Kubernetes security responsibility might be too decentralized (as we found out earlier), leading to a lack of strong ownership by any group across the organization, which might explain the general misalignment in how much respondents worry about consequences of misconfigurations compared to how often they experience those consequences.

Which of the following consequences of security misconfigurations are you most worried about? (Select all that apply.)
Which of the following consequences of security misconfigurations has your company experienced in the past 12 months? (Select all that apply. Results among those who cite each concern.)

Consequence                                                                                    Most worried about   Experienced
Ransomware                                                                                     40%                  53%
Malware execution, resource hijacking, crypto mining, or other unauthorized process execution  34%                  48%
Denial of service attack                                                                       36%                  57%
Unauthorized access to internal cloud resources                                                32%                  53%
Compromised credentials                                                                        29%                  50%
Exposure of sensitive data (PII)                                                               38%                  50%
Data deletion                                                                                  34%                  46%
Unauthorized lateral movement                                                                  36%                  54%

2. “2022 Data breach investigations report.” Verizon, accessed 14 March 2023.
3. “Cost of a data breach 2022: A million-dollar race to detect and respond.” IBM, accessed 14 March 2023.

Use of open source software is a big concern for software supply chain security
35% of respondents worry the most about software vulnerabilities related to their software supply chain

Software supply chain security has been a hot topic, and supply chain attacks are increasing rapidly [4], especially after the SolarWinds attack and the discovery of the Log4Shell and Spring4Shell vulnerabilities [5]. For this reason, we asked our survey respondents a variety of questions related to their software supply chain security in Kubernetes. The survey findings indicate that respondents are concerned about various aspects of the software supply chain, with the top concerns being software vulnerabilities and use of open source software. Concerns about software vulnerabilities are understandable, as software vulnerabilities can lead to serious security incidents, such as data breaches, malware infections, and unauthorized access. The use of open source software poses a security challenge to software supply chains, as open source software is widely used in modern software development, and it may also introduce security risks if it contains vulnerabilities or is not properly maintained.

What aspects of the software supply chain are you worried about the most? (Select all that apply. Top responses reported.)
35%  Software vulnerabilities
32%  Use of open source software
28%  Insider threat (accidental or malicious)
27%  Untrusted content
25%  3rd party tools used as attack vector
24%  Images and dependencies
24%  Source code (IDE)
23%  DevOps teams
23%  Repositories
19%  Deployments

4. Constantin, Lucian. “Supply chain attacks increased over 600% this year and companies are falling behind.” CSO news analysis, 19 Oct. 2022.
5. Kovacs, Eduard. “Vendors assessing impact of Spring4shell vulnerability.” SecurityWeek, 4 April 2022.

Software supply chain security concerns are not misplaced

Many of those concerned have experienced supply chain security issues in the last 12 months

To better understand how organizations measure their security risk from individual components of the software supply chain, we asked respondents which specific software supply chain security issues they were most concerned with and, of these, which ones they have experienced in the last 12 months. Our findings are in line with what would be expected from the sprawling software supply chains that are emblematic of a containerized environment. There are many security considerations that affect the security posture of a software supply chain, with the top three being vulnerable application components (32%), insufficient access controls (30%), and a lack of software bill of materials (SBOM) or provenance (29%). What's also alarming is that more than half of the respondents have experienced virtually every issue that we identified in our question, with vulnerable application components and continuous integration/continuous delivery (CI/CD) pipeline weaknesses as the top two most cited issues that were experienced, with 69% and 68% respectively.

Which of the following software supply chain security issues is your company most concerned about? (Select all that apply.)
Which of the following software supply chain security issues has your company experienced in the past 12 months? (Select all that apply. Results among those who cite each concern.)

Issue                                                     Most concerned about   Experienced
Vulnerable application components                         32%                    69%
Lack of auditability                                      28%                    65%
Lack of Software Bill of Materials (SBOM) or provenance   29%                    62%
Inconsistent policy enforcement                           24%                    50%
Insufficient access controls                              30%                    58%
Insecure container images                                 27%                    66%
Lack of automation                                        29%                    56%
CI/CD pipeline weaknesses                                 19%                    68%
Insecure IaC templates                                    19%                    58%
Version control weaknesses                                17%                    62%

Scanning and attestation are two of the most important security controls in software supply chains

Nearly half of respondents identified artifact signing as the most important

Trust is a critical component of software supply chain security. Since software is built and maintained by various parties within the supply chain, such as internal developers, third-party vendors, and open source contributors, ensuring that each party's contribution can be trusted can be challenging without the necessary mechanisms. Security attestation provides a way to ensure that the software in use meets minimum security standards and hasn't been tampered with. This builds trust while reducing the risk of security incidents or vulnerabilities being introduced in the software supply chain. As software supply chain attacks continue to increase and awareness around the tools and processes that mitigate the attacks increases, in our future surveys we hope to see more than 43% of respondents identify security attestation as important to their software supply chain security.

Which of the following are most important when it comes to software supply chain security? (Select up to three most important aspects. Top responses reported.)
47%  Vulnerability scanning
43%  Security attestation (image signing, deployment signing, pipeline attestation, etc.)
40%  Access and authentication
34%  Configuration management
31%  CI/CD integration and security automation
29%  Registry governance
20%  IDE scanning
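As an added example (not the report's code, nor any vendor's), a deploy-time check that combines the two controls respondents ranked highest: a vulnerability scan result and an attestation that binds it to the exact image. It admits an image only when the reference is pinned by digest and a signed in-toto statement about that digest reports no critical findings; the scanner key, predicate type, registry and digest are constructed, and the HMAC stands in for the asymmetric signature that tools such as cosign produce.

```python
"""Admission check: digest-pinned image plus a verified scan attestation.

Added example, not code from the report. The attestation is an in-toto
Statement inside a DSSE envelope. The signature is an HMAC under a key shared
by the scanner and this check, standing in for the asymmetric signature a
tool such as cosign would use; every key, name and digest here is constructed.
"""
import base64
import hashlib
import hmac
import json
import re
from typing import Dict, Tuple

SCANNER_KEY = b"constructed-demo-key-not-for-real-use"        # constructed
PAYLOAD_TYPE = "application/vnd.in-toto+json"
PREDICATE_TYPE = "https://example.invalid/vuln-scan/v1"      # constructed predicate type
# Only digest references are accepted: a "repo:tag" can change between scan and deploy.
DIGEST_REF = re.compile(r"^(?P<name>[^@]+)@sha256:(?P<digest>[0-9a-f]{64})$")

# Constructed image under review; the digest is that of made-up manifest bytes.
IMAGE_NAME = "registry.example.internal/shop/api"
IMAGE_DIGEST = hashlib.sha256(b"constructed image manifest").hexdigest()
IMAGE_REF = f"{IMAGE_NAME}@sha256:{IMAGE_DIGEST}"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the signed bytes cover type and payload."""
    ptype = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(ptype), ptype, len(payload), payload)


def make_attestation(image_name: str, digest: str, critical: int) -> Dict:
    """What the scanner emits for one image: a signed DSSE envelope."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": image_name, "digest": {"sha256": digest}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {"scanner": "constructed-scanner", "critical": critical},
    }
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(SCANNER_KEY, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "scanner", "sig": base64.b64encode(sig).decode()}],
    }


def admit(image_ref: str, envelope: Dict, max_critical: int = 0) -> Tuple[bool, str]:
    """Decide whether image_ref may be deployed, returning (allowed, reason)."""
    m = DIGEST_REF.match(image_ref)
    if not m:
        return False, "image must be pinned by sha256 digest, not a mutable tag"
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return False, "unexpected payloadType"
    payload = base64.b64decode(envelope.get("payload", ""))
    expected = hmac.new(SCANNER_KEY, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s.get("sig", "")))
               for s in envelope.get("signatures", [])):
        return False, "signature does not verify"
    # Only a payload whose signature verified is parsed and acted on.
    statement = json.loads(payload)
    if statement.get("predicateType") != PREDICATE_TYPE:
        return False, "attestation is not a vulnerability scan"
    # Bind the attestation to this exact digest; without this check a valid
    # attestation for any other image would be accepted.
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == m["digest"] for s in subjects):
        return False, "attestation subject does not match image digest"
    critical = statement.get("predicate", {}).get("critical")
    if not isinstance(critical, int) or critical > max_critical:
        return False, f"scan reports {critical} critical vulnerabilities"
    return True, "admitted"


if __name__ == "__main__":
    print(admit(IMAGE_REF, make_attestation(IMAGE_NAME, IMAGE_DIGEST, 0)))
    print(admit(f"{IMAGE_NAME}:latest", make_attestation(IMAGE_NAME, IMAGE_DIGEST, 0)))
```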
100、 concernsOpen source security toolsTips for better securityAbout our respondentsRed Hat Advanced Cluster Security for Kubernetes16Executive summaryKubeLinter and Kube-hunter are the top open source tools in use for Kubernetes securityOpen Policy Agent is tied with Kube-hunter as the second most used
101、 open source security tool.Kubernetes,as one of the fastest growing open source projects ever,is supported by a rich ecosystem of open source tools and dedicated contributors who have closed many of the security gaps in containers and Kubernetes.Alongside commercial Kubernetes security products,our
102、respondents rely on these open source security tools to protect their cloud-native applications.KubeLinter,an open source YAML and HELM linter for Kubernetes,is used by 37%of respondents,while 32%say they use Kube-hunter,a security testing and scanning tool used to identify security issues in Kubern
103、etes clusters and other cloud-native environments.Another 32%use Open Policy Agent(OPA),an open source policy engine that offers a unified policy framework for not just Kubernetes but also Istio,Envoy,Prometheus,and more.Which of the following open source tools do you use for Kubernetes security?(Se
104、lect all that apply.)14%Terrascan19%Falco29%Kube-bench32%Open Policy Agent(OPA)32%Kube-hunter37%KubeLinter14%StackRox10%Clair9%Kyverno8%CheckovExecutive summarySecurity concernsDevSecOpsMisconfigurationsSoftware supply chainOpen source security toolsTips for better securityAbout our respondentsRed H
3 tips for achieving better security

When security becomes an afterthought, organizations put at risk the core benefit of faster application development and release by not ensuring that their cloud-native environments are built, deployed, and managed securely. Our findings show that what happens in the build and deploy stages has a significant impact on security, which was underscored by the prevalence of misconfigurations and vulnerabilities across organizations. Security, therefore, must shift left, imperceptibly embedding into DevOps workflows instead of being "bolted on" when the application is about to be deployed into production.

1. Use Kubernetes-native security architectures and controls

Kubernetes-native security uses the rich declarative data and native controls in Kubernetes to deliver several key security benefits. Analyzing the declarative data available in Kubernetes yields better security, with risk-based insights into configuration management, compliance, segmentation, and Kubernetes-specific vulnerabilities. Using the same infrastructure and its controls for application development and security reduces the learning curve and supports faster analysis and troubleshooting. It also eliminates operational conflict by ensuring security gains the same automation and scalability advantages that Kubernetes extends to infrastructure.

2. Security should start early but extend across the full life cycle, from build/deploy to runtime

Security has long been viewed as a business inhibitor, especially by developers and DevOps teams whose core mandates are to deliver code fast. With containers and Kubernetes, security should become a business accelerator by helping developers build strong security into their assets right from the start. Look for a container and Kubernetes security platform that incorporates DevOps best practices and internal controls as part of its configuration checks. It should also assess the configuration of Kubernetes itself for its security posture, so developers can focus on feature delivery.

3. Transform the developer and DevOps user into a security user by building a bridge between DevOps and SecOps

Given most organizations don't have a clear role or team solely responsible for container and Kubernetes security, your security tooling must help bridge the various teams, from Security and Ops to DevOps and Development. To be effective, the platform must have security controls that make sense in a containerized, Kubernetes-based environment. It should also assess risk appropriately. Telling a developer to fix all 39 discovered vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of seven or higher is inefficient. Identifying for that developer the three deployments that are exposed to that vulnerability, and showing why they are risky, will significantly improve your security posture.
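The first and third tips above describe the same idea from two sides: read the declarative data Kubernetes already holds (Deployment and Service manifests) and use it to tell a developer which deployments are actually exposed, rather than dumping every high-CVSS finding on them. The script below is an added example written for this page; it is not code from the report or from any vendor product. The deployment names, image names, Service definitions, CVSS scores and exposure weights are all constructed for illustration, and the weighting scheme is an assumption of the example, not an industry standard.

```python
"""Risk-based prioritization from Kubernetes declarative data.

Added example, not from the report or any vendor product: rather than hand a
developer every CVSS >= 7 finding, rank the Deployments that are actually
exposed and say why. Exposure is read from the Deployment and Service
manifests (the declarative data the report refers to); vulnerability data is a
constructed stand-in for image-scanner output.
"""

CVSS_HIGH = 7.0  # the report's scenario: "CVSS score of seven or higher"
# Exposure weights are an assumption made for this example, not a standard.
EXPOSURE_WEIGHTS = {"internet-facing Service": 3.0, "privileged container": 3.0,
                    "hostNetwork": 2.0, "may run as root": 1.0}

def _selects(selector, labels):
    """True if a non-empty Service selector matches the pod labels."""
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())

def exposure_reasons(deploy, services):
    """Exposure reasons read from a Deployment dict and the Services in its namespace."""
    tmpl = deploy["spec"]["template"]
    pod_spec, labels = tmpl["spec"], tmpl.get("metadata", {}).get("labels", {})
    containers = pod_spec.get("containers", [])
    ns = deploy["metadata"].get("namespace")
    reasons = []
    # Reachable from outside the cluster via a LoadBalancer/NodePort Service.
    if any(s["spec"].get("type") in ("LoadBalancer", "NodePort")
           and _selects(s["spec"].get("selector", {}), labels)
           for s in services if s["metadata"].get("namespace") == ns):
        reasons.append("internet-facing Service")
    if any(c.get("securityContext", {}).get("privileged") for c in containers):
        reasons.append("privileged container")
    if pod_spec.get("hostNetwork"):
        reasons.append("hostNetwork")
    # runAsNonRoot can be set at pod level and overridden per container.
    pod_nonroot = pod_spec.get("securityContext", {}).get("runAsNonRoot", False)
    if not (containers and all(c.get("securityContext", {}).get("runAsNonRoot", pod_nonroot)
                               for c in containers)):
        reasons.append("may run as root")
    return reasons

def high_cvss(deploy, scan_results):
    """CVSS scores >= CVSS_HIGH across every image in the Deployment, worst first."""
    images = [c["image"] for c in deploy["spec"]["template"]["spec"].get("containers", [])]
    return sorted((s for img in images for s in scan_results.get(img, []) if s >= CVSS_HIGH),
                  reverse=True)

def risk_score(deploy, services, scan_results):
    """Worst high finding (+0.1 per extra one) scaled by 1 + exposure weights; 0 if none."""
    scores = high_cvss(deploy, scan_results)
    if not scores:
        return 0.0
    base = scores[0] + 0.1 * (len(scores) - 1)
    mult = 1.0 + sum(EXPOSURE_WEIGHTS[r] for r in exposure_reasons(deploy, services))
    return round(base * mult, 2)

def prioritize(deployments, services, scan_results, top_n=3):
    """Up to top_n (name, score, reasons) tuples, highest risk first, zero-risk omitted."""
    scored = [(d["metadata"]["name"], risk_score(d, services, scan_results),
               exposure_reasons(d, services)) for d in deployments]
    return sorted((t for t in scored if t[1] > 0), key=lambda t: t[1], reverse=True)[:top_n]

# --- Constructed sample cluster state (hypothetical names, images and scores) ---
def _deploy(name, image, labels, pod_sc=None, container_sc=None, host_network=False):
    spec = {"containers": [{"name": name, "image": image, "securityContext": container_sc or {}}],
            "hostNetwork": host_network}
    if pod_sc:
        spec["securityContext"] = pod_sc
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": name, "namespace": "shop"},
            "spec": {"template": {"metadata": {"labels": labels}, "spec": spec}}}

DEPLOYMENTS = [
    _deploy("web-frontend", "registry.example/web:1.4", {"app": "web"}, pod_sc={"runAsNonRoot": True}),
    _deploy("batch-report", "registry.example/report:2.0", {"app": "report"},
            pod_sc={"runAsNonRoot": True}, container_sc={"privileged": True}),
    _deploy("internal-api", "registry.example/api:3.2", {"app": "api"}, pod_sc={"runAsNonRoot": True}),
    _deploy("metrics-agent", "registry.example/agent:0.9", {"app": "agent"}, host_network=True),
]
SERVICES = [  # only the web Service is externally reachable
    {"metadata": {"name": "web", "namespace": "shop"},
     "spec": {"type": "LoadBalancer", "selector": {"app": "web"}}},
    {"metadata": {"name": "api", "namespace": "shop"},
     "spec": {"type": "ClusterIP", "selector": {"app": "api"}}},
]
SCAN_RESULTS = {  # image -> CVSS scores a scanner reported (constructed)
    "registry.example/web:1.4": [9.8, 7.5, 4.3],
    "registry.example/report:2.0": [8.1, 6.5],
    "registry.example/api:3.2": [7.2, 7.0, 7.0, 3.1],
    "registry.example/agent:0.9": [5.0],
}

if __name__ == "__main__":
    total = sum(len(high_cvss(d, SCAN_RESULTS)) for d in DEPLOYMENTS)
    print(f"{total} findings with CVSS >= {CVSS_HIGH}; top exposed deployments:")
    for name, score, reasons in prioritize(DEPLOYMENTS, SERVICES, SCAN_RESULTS):
        print(f"  {name:<14} risk={score:<6} {', '.join(reasons) or 'no exposure factors'}")
```

On the constructed data the script reports six findings at CVSS 7 or higher but surfaces only the three deployments worth acting on, with the internet-facing frontend first and the privileged batch job second, while the host-networked agent drops out entirely because its only finding is below the threshold. In a real pipeline the manifests would come from `kubectl get ... -o json` or the cluster API and the scores from an image scanner; the point is that exposure context, not the raw count of findings, drives the ordering.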
About our respondents

Kubernetes adoption

Most of our respondents use Kubernetes in production, with Amazon EKS, Red Hat OpenShift, and self-managed Kubernetes as the three most popular Kubernetes services.

What Kubernetes platform do you use to orchestrate your containers? (Select all that apply.)

Amazon EKS: 47%
Red Hat OpenShift: 44%
Kubernetes (self-managed): 34%
Google GKE: 32%
Azure AKS: 32%
D2iQ Kubernetes Platform: 11%
Mirantis Container Cloud: 10%

Are you running any production workloads on Kubernetes?

Yes: 94%

Common pain points with Kubernetes security solutions

Lack of full life cycle security and slowing down deployment are the 2 most common complaints with respondents' current Kubernetes security solutions.

Which of the following are the biggest pain points you experience with your current Kubernetes security solution? (Select up to three top pain points.)

It doesn't protect the full application life cycle: 35%
It's slowing down development: 35%
It doesn't work in all of our environments where Kubernetes is used: 32%
We have too many security products: 31%
Too difficult to use, can't be operationalized in our systems: 29%
We lack internal talent to use it to its full potential: 27%
There are too many false alerts (alert fatigue): 21%
It doesn't do what it promises (vaporware): 17%
We don't have a solution: 6%

Security tools used for supply chain security

Vulnerability scanners are the most used security tool, followed by SBOM, static security analysis, and CI/CD tools.

Which of the following types of security tools do you use for your software supply chain? (Select all that apply. Top responses reported.)

Vulnerability scanners: 46%
SBOM tools (Syft, ScanOSS): 35%
Static security analysis: 34%
CI/CD tool (Tekton, Circle CI): 32%

Other cloud-native technology adoption

Kubernetes-native CI/CD tools are among the top 3 types of cloud-native technologies in use.

What other cloud-native technologies are you considering or using currently?

Technology                                              Don't know  No interest in using  Investigating  Piloting  Using in production
Code repository                                         2%          7%                    13%            25%       54%
Binary Repo/Container registry (Docker Hub, Quay, etc.) 2%          6%                    17%            23%       53%
Kubernetes-native CI/CD Tools (Tekton, Argo, etc.)      2%          9%                    27%            20%       42%
Cloud-native storage                                    2%          10%                   21%            28%       39%
Function as a Service (Lambda, Azure Functions, etc.)   3%          11%                   26%            23%       37%
Kata containers                                         4%          14%                   23%            24%       36%
Service Mesh (Istio, Linkerd, Consul, etc.)             3%          13%                   35%            20%       29%
Open Policy Agent (OPA) or Kyverno                      4%          16%                   30%            24%       27%
Operators/Helm Charts                                   4%          16%                   31%            24%       25%

Core demographics

Company size

100 to 499 employees: 25%
500 to 999 employees: 23%
1,000+ employees: 52%

Industry

Technology: 25%
Finserv: 26%
Telco/media/entertainment: 24%
Other industries: 25%

Copyright 2023 Red Hat, Inc. Red Hat, the Red Hat logo, and OpenShift are trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries.

Learn more about Red Hat Advanced Cluster Security for Kubernetes

Red Hat Advanced Cluster Security for Kubernetes is a Kubernetes-native container security platform that protects your applications across build, deploy, and runtime as you progress on your container journey. As your environment grows more complex and you depend on more automation, our platform will let you operationalize security in those more sophisticated environments and keep pace with the speed of DevOps. Kubernetes-native security provides the following crucial benefits.

Minimize operational risk: Align security with DevOps by using Kubernetes-native controls to mitigate threats and enforce security policies that minimize operational risk to your applications.

Reduce operational cost: Reduce the overall investment in time, effort, and personnel, and streamline security analysis, investigation, and remediation by using a common source of truth.

Accelerate DevOps productivity: Accelerate the pace of innovation by providing developers actionable and context-rich guardrails embedded into existing workflows and tooling that supports developer velocity.

Ready to see Red Hat Advanced Cluster Security for Kubernetes in action? Get a personalized demo tailored for your business and needs.