Global Surveyz carried out the poll during July and August 2022. The respondents were 200 Kubernetes users working for businesses with between 100 and 5,000+ employees. All of them worked as software engineers or as stakeholders in cybersecurity, DevOps, or DevSecOps teams. 39% of respondents were from Europe, 29% from North America, and 14% from Asia-Pacific.
According to research by ARMO, the majority of businesses use open source Kubernetes security software, making open source products a crucial component of the Kubernetes security ecosystem. 55% of respondents to a poll titled "The State of Kubernetes Open Source Security" said they used at least some open source tools to keep their Kubernetes clusters secure. This includes those who use only open source software and those who combine open source and proprietary solutions.
The study found that using multiple open source security solutions is fairly prevalent. A quarter or more of respondents use five or more different Kubernetes security open source technologies. Many open source tools perform only one security-related task, so thorough coverage requires several tools.
However, there are difficulties with this mixed strategy, particularly with integration. Open source security solutions are challenging for users to manage (51%), integrate (62%), and set up (45%) with other DevOps technologies. When pressed, 69% acknowledge that integrating open source security products into their current Kubernetes stack is challenging or very tough. The fact that open source programmes frequently have inadequate documentation, support, and instruction may make these difficulties worse.
Other issues may arise as a result of this weakened security environment. 68% of practitioners listed too many alarms as one of the greatest problems with Kubernetes security, along with highly fragmented solutions (62%), complexity (51%) and the absence of all-encompassing solutions (47%). The other significant issue raised was security's interference with agility and time-to-market (54%).
Proprietary solutions, however, also face difficulties. According to 69% of respondents, proprietary security products are “black boxes,” providing users with little understanding of how they operate and are programmed and making it more difficult to customise them to a company’s specific requirements. The complexity of the pricing structures for commercial Kubernetes security solutions was mentioned by 62% of respondents, while the sheer cost was mentioned by 47%.
The study found significant agreement about who should be responsible for Kubernetes security: 63% agreed that it should be a DevSecOps responsibility, and 58% said it is. The gap between the two figures indicates some misalignment in actual practice. It also raises the question of what exactly DevSecOps is and where it fits in a company, whether as a Dev- and Ops-focused function inside security or as a subdiscipline of DevOps.