Blog | Linux Foundation

Cloud Native Security Study: How Do You Secure Your Cloud Native Applications?

Written by Mike Dover | May 23, 2024 2:45:28 PM

Hello! The Cloud Native Computing Foundation (CNCF) is joining forces with LF Research to explore the security practices within the cloud native community. We are interested in learning from you about how your organization manages security for cloud native applications. Whether it's the strategies you employ, the tools you depend on, the challenges you've encountered, or how you think CNCF could lend support, your input is incredibly important to us! Taking the survey will only take about 5 minutes, and your insights will play a crucial role in shaping the future of our community. You will also receive a 25% discount on registration to CloudNativeSecurityCon, taking place June 26-24, 2024 in Seattle!

As we have seen in the past weeks following the social engineering attack on XZ Utils, the security of software applications continues to be an essential focal point of the open source community. CNCF is running this project in order to assess how its own community is tackling security within their cloud native tech stacks and which cloud native tools are proving successful, so that it can provide the most effective support possible. The survey aims to achieve three primary goals:

  1. Raising awareness about the usage of various open source tools within the community, shedding light on which tools are commonly used and how they are perceived by users.
  2. Assessing the progress made with these tools, allowing participants to provide feedback on their satisfaction levels and experiences with their primary tools across different categories such as policy management, security monitoring, signing and verification, secrets management, attestation, and SBOM validation.
  3. Identifying implementation barriers and resource needs from the Cloud Native Computing Foundation (CNCF) that could facilitate further progress in the adoption and effectiveness of these tools.

By addressing these three key areas, the survey aims to provide valuable insights into the current landscape of open source tool usage and help shape future initiatives within the CNCF ecosystem.

Who should take the survey? We want to gather insights from individuals actively involved in open source projects, encompassing various roles within the contributor community, from lead maintainers to occasional contributors. Additionally, the survey seeks input from non-development contributors who contribute to the community broadly, such as by working on documentation, design, marketing, community management, and fundraising. This diverse group of respondents will provide valuable perspectives on various aspects of open source project involvement.

The survey explores various security strategies employed within cloud native ecosystems and evaluates their frequency of practice within organizations. Below are examples of questions from the survey:

  • How do you implement strategies such as code reviews, automated security testing, secrets management, vulnerability scanning and remediation, and configuration management?
  • How do you rate the importance of each of these security strategies?
  • What types of security assessments do you perform, from static application security testing (SAST) to compliance auditing?
  • What are the biggest challenges you encounter in securing your cloud native applications?

This comprehensive assessment aims to uncover current practices, priorities, and challenges in cloud native application security.

The survey also looks at how users feel about different open source tooling, to help us understand which tools are popular and how satisfied people are with them. In particular, we want to explore how users feel about open source tools for policy management and enforcement, node-level security monitoring, signing and verification, secrets management, attestation, and SBOM validation.

Your participation in this survey is invaluable to us and the entire cloud native community. By sharing your insights and experiences, you're not only helping us understand the current landscape of security practices but also shaping the future of cloud native technologies. Your voice matters, and your contributions will directly influence the development of strategies and resources within CNCF. Together, we can foster a more secure and resilient ecosystem for cloud native applications. Remember, open source thrives on collaboration and collective knowledge-sharing, and your input will contribute to evidence-backed insights that industry leaders rely on to shape their strategies. So, join us in making a difference and be a part of driving positive change within our community.