2024 Cloud Native Security Report
How Organizations Are Addressing Security for Cloud Native Application Development

Stephen Hendrick, The Linux Foundation
Adrienn Lawson, The Linux Foundation
Jeffrey Sica, The Linux Foundation
Foreword by Eddie Knight, Sonatype

October 2024

Copyright 2024 The Linux Foundation | October 2024. This report is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International Public License.

Headline findings:

- 49% of organizations use CI/CD security testing on every update.
- The #1 security assessment growth area: vulnerability scanning and remediation.
- 84% of respondents report that manual code reviews are either extremely important or very important.
- 67% of respondents use CNCF webinars/workshops and conferences to stay informed about cloud native security tools and updates.
- 65% of respondents rely on CNCF best practices to make progress in securing their cloud native applications.
- 51% of organizations use manual code reviews to assess security on every update.
- 40% of organizations experience cloud infrastructure and services security incidents.
- 76% of organizations report that much or nearly all of their application development is cloud native.
- 84% of organizations report that their cloud native applications are more secure than they were two years ago.
- 63% of organizations are using static application security testing (SAST) tools.
- The #1 challenge in securing cloud native applications: the complexity of software and infrastructure.
- The #1 vendor challenge in securing cloud native applications: keeping up with emerging threats.

Contents

Foreword
Introduction
Cloud native security study findings
    The relationship between cloud native app security and the adoption of cloud native techniques
    The leading challenges in securing cloud native applications by scope of cloud native development
    The leading challenges in securing cloud native applications by type of organization
    Cloud infrastructure and services dominate where security incidents occur
    Security incidents highlight the cybersecurity risks inherent in a cloud native journey
    How survivorship bias can skew perceptions of security in cloud native applications
    Security assessments and testing tools are a critical aspect of cloud native computing
    An increased use of security tools is having a positive impact on the security of cloud native applications
    Key security strategies include code reviews and CI/CD security
    Vulnerability scanning, automated security testing, and CI/CD security are a fast path to improved security
    Verification of the leading cloud native security strategies
    Webinars and conferences are the primary sources for staying informed about CNCF security tools and updates
    Best practices and training materials are the most desired content to improve the security of cloud native applications
Methodology
    About the survey
    Data.World access
    Respondent demographics
About the authors
Acknowledgements
About Linux Foundation Research
Foreword

The work produced by LF Research is a pillar of innovation across the open source community, for maintainers and users alike. This collaboration between CNCF and LF Research has demonstrated that significant progress is being made to improve the security of software globally, and reveals the elements that the community finds most valuable for cybersecurity.

In recent years we've seen a significant rise in the number of cyber attacks, including more malicious open source packages being produced in 2024 than all other years combined, and this report also shows that 76% of organizations now rely heavily on cloud native development. The attack surface of our most critical infrastructures is now larger and more complex than many of us thought was possible, but this report features a glimmer of hope: 84% of organizations report their cloud native applications are more secure today than they were two years ago.

Much of this hope stems from the rising usage of automation such as Software Composition Analysis (SCA) tools, which help identify vulnerabilities and mitigate risks related to the open source components that power modern applications. But simply having automated tooling is not enough, and many organizations seem to understand that. For the other half of the room, I'll remind you: manual testing, policies, and reviews are essential. Without proper human review of SCA policy violations, evaluation of proper test coverage, and manual line-by-line security reviews, the attack surface is inadequately defended.

Beyond the tools and technologies, this report highlights another essential aspect of security: staying informed. The threat landscape is constantly evolving, and keeping up with the latest risks and best practices can be challenging. That's why 67% of respondents turn to CNCF webinars, workshops, and conferences. The reason that Sonatype has supported events such as KubeCon/CloudNativeCon for the past several years is that we know these spaces provide the most effective tools for participants to share knowledge and learn how to apply best practices in their own environments.

This report offers a clear picture of the current state of cloud native security and serves as a reminder that continuous learning and adaptation are essential, and multifaceted. Whether it's through leveraging the right tools or actively participating in community events, staying engaged and informed is key
to keeping our systems secure in an ever-changing environment.

Eddie Knight, CNCF TAG Security Co-Chair, FINOS Technical Oversight Committee, Sonatype OSPO Lead

Introduction

The building blocks of cloud native computing, containerization and microservices architecture, began their IT ascent about fifteen years ago. Five years later, orchestration (Kubernetes) and DevOps (CI/CD) added key infrastructural and procedural elements that would foster industry-wide cloud native computing adoption. Building on past generational experience and best practices, cloud native computing saw the addition of tooling (often open source) to enable key capabilities, including automated provisioning, version control, on-demand scalability, decentralized manageability, API-driven interactions, observability, traffic management, and polyglot programming. The result is that cloud native computing represents a thoroughly modern approach to application development, deployment, and operations.

However, the attributes that make cloud native computing powerful, effective, and productive demand a sophisticated approach to cybersecurity. The distributed architecture of cloud native computing means that each microservice may have its own set of vulnerabilities, and the communication between services needs to be secured to prevent data breaches and unauthorized access. The dynamic nature of cloud native environments (frequent deployments, bidirectional scaling,and infrastructural changes) can make traditional security measures less effective and requires security practices that are automated, scalable, and adaptable to new threats. The complexity of cloud native architectures, which include containers, serverless functions, and orchestration tools, increases the available attack surface with each component, introducing potential vulnerabilities that require monitoring and protection on a continual basis. The threat landscape is also continuously evolving, with attackers developing new methods to exploit cloud environments. Continuous monitoring, threat intelligence, and adaptive security measures are all necessary to stay ahead of potential threats.

The Cloud Native Computing Foundation (CNCF) engaged Linux Foundation Research in March 2024 to develop and execute an empirical research study to understand how organizations are addressing cloud native security. The target audience included respondents who met the following criteria:

- Must be involved in the development of cloud native applications
- Must be familiar with how the organization they work for deals with the security of its cloud native applications
- The organization must be using cloud native technologies and techniques
- Must be employed

Survey development by Linux Foundation Research occurred in March 2024, and the survey was fielded in April 2024, yielding 200 completed surveys. For more information about the survey methodology and survey demographics, see the About the survey section toward the end of this report.
Cloud native security study findings

The relationship between cloud native app security and the adoption of cloud native techniques

The focus of most organizations on cybersecurity over the last two years has been paying off. When we asked organizations how secure their cloud native apps were compared to two years ago (Q21), only 1% (just three respondents) said less secure, 14% said about the same, and 85% said more secure, as shown in FIGURE 1. The 85% saying more secure is composed of 40% that said somewhat more secure and 45% that said significantly more secure. This suggests that organizations have consciously been investing in cybersecurity. When we look at the adoption of cloud native techniques (Q7, not shown), just 5% were beginning to use cloud native techniques, 19% reported that some of their development was cloud native, 44% said much of their development was cloud native, and 33% said that nearly all of their development was cloud native.

FIGURE 1. Deeper cloud native adoption suggests increased perceived security in cloud native applications
2024 Cloud Native Security Survey, Q21a x Q7a, Sample Size = 188
How secure are your cloud native apps compared to 2 years ago? (select one), segmented by: To what extent has your organization adopted cloud native techniques? (select one)

                                        About the same   Somewhat more secure   Significantly more secure
Total                                              14%                    40%                         46%
Some cloud native technique use                    26%                    47%                         26%
Much cloud native technique use                    13%                    39%                         48%
Nearly all cloud native technique use               8%                    38%                         54%

However, when we compare these improvements in application security with the extent to which the organization has adopted cloud native techniques, a more nuanced picture emerges. Reading FIGURE 1 by row: among organizations where only some development is cloud native, 26% reported no material change in application security, compared with 13% of organizations where much of their development is cloud native and just 8% where nearly all of it is. At the other end of the security continuum, 26% of the "some" group reported that their applications were significantly more secure, compared with 47% of the "much" group and 54% of the "nearly all" group. Greater adoption of cloud native techniques therefore goes together with a stronger perceived improvement in security. The survey cannot say which way the relationship runs: those deeply invested in cloud native technologies may feel more secure because of better and more integrated security practices, or organizations that have improved their security may be more willing to move more of their development to cloud native. Either way, it's a win.

The leading challenges in securing cloud native applications by scope of cloud native development

The leading challenges that organizations experience in securing their cloud native applications depend on where they are in their cloud native journey. FIGURE 2 shows the top eight challenges, which point to several key findings.

Complexity remains consistent: across all levels of adoption, complexity remains a top challenge, indicating that as cloud native techniques become more integral to operations, the systems' intricacies and the need for sophisticated management increase.

Emerging threats and advanced adoption: higher levels of cloud native adoption correlate with greater emphasis on keeping up with emerging threats (29% of the "some" segment versus 47% and 49% of the "much" and "nearly all" segments), reflecting the ongoing need for vigilance and continuous improvement in security capabilities.

Regulatory compliance: as organizations deepen their reliance on cloud technologies, compliance with regulations becomes more challenging, underscoring the need for robust governance frameworks.

The challenge of beginning a cloud native journey: FIGURE 2 generally shows a dichotomy between organizations early in their cloud native journey and organizations where much or nearly all development is cloud native. Money constraints (37%) and lack of security awareness and training (32%) are leading challenges for organizations where just some development is cloud native but far less so for more mature cloud native organizations. Conversely, keeping up with emerging threats (29%), secure deployment and operations (24%), and regulatory compliance and data privacy (21%) are far less of a concern for organizations
where just some development is cloud native but far more so for more mature cloud native organizations.

FIGURE 2. Leading challenges in securing cloud native applications by scope of cloud native development
2024 Cloud Native Security Survey, Q20 x Q7a, Sample Size = 190, Valid Cases = 190, Total Mentions = 601
What are the biggest challenges you face in securing your cloud native applications? (select all that apply), segmented by: To what extent has your organization adopted cloud native techniques? (select one)

                                            Total   Some cloud native   Much cloud native   Nearly all cloud native
                                                    technique use       technique use       technique use
Complexity of software and infrastructure     47%         47%                 55%                 37%
Keeping up with emerging threats              44%         29%                 47%                 49%
Time constraints                              38%         39%                 39%                 35%
Secure deployment and operations              35%         24%                 40%                 35%
Regulatory compliance and data privacy        35%         21%                 40%                 35%
Integration into existing processes           32%         37%                 33%                 28%
Money constraints                             25%         37%                 22%                 22%
Lack of security awareness and training       22%         32%                 21%                 18%

The leading challenges in securing cloud native applications by type of organization

Securing cloud native applications will always have its challenges, but these challenges vary considerably depending upon whether the organization is a vendor/service provider or an end-user organization (an organization whose product is industry-focused and which is an "end user" of IT products and/or services). FIGURE 3 again shows the leading challenges in securing cloud native applications, this time segmented by type of organization.

FIGURE 3. Leading challenges in securing cloud native applications by organization type
2024 Cloud Native Security Survey, Q20 x Q13a, Sample Size = 188, Valid Cases = 188, Total Mentions = 597
What are the biggest challenges you face in securing your cloud native applications? (select all that apply), segmented by: What type of organization or entity do you work for? (select one)

                                            Total   End-user organizations   Vendor or service provider
Complexity of software and infrastructure     46%            42%                       51%
Keeping up with emerging threats              44%            37%                       53%
Time constraints                              38%            36%                       40%
Regulatory compliance and data privacy        36%            42%                       28%
Secure deployment and operations              36%            29%                       46%
Integration into existing processes           31%            29%                       35%
Money constraints                             24%            22%                       26%
Lack of security awareness and training       23%            18%                       31%

FIGURE 3 shows that keeping up with emerging threats (53%), complexity of software and infrastructure (51%), and secure deployment and operations (46%) are the three leading concerns for vendors and service providers. End users see complexity of software and infrastructure (42%), keeping up with emerging threats (37%), and time constraints (36%) as their leading challenges. Vendors and service providers are also consistently more concerned than end users about every one of these challenges except regulatory compliance and data privacy, which end users cite far more often (42% versus 28%). One plausible explanation is that software vendors and service providers must manage security across multiple clients, environments, and infrastructures, all while maintaining compliance with diverse regulations, defending against sophisticated attacks, and upholding stringent SLAs. The complexity, scale, and higher stakes involved in their operations make securing cloud native environments particularly challenging for these organizations.

Cloud infrastructure and services dominate where security incidents occur

FIGURE 4 shows that security incidents are most likely to occur in cloud infrastructure and services, by a considerable margin (40% of respondents, versus 25% for the next-highest area). A likely reason is that cloud environments are both highly dynamic and ephemeral. Continual change can make it difficult to maintain consistent security policies, leading to gaps that attackers can exploit. Cloud infrastructure also involves multiple layers (virtualization, networking, storage, and application layers), each of which introduces potential vulnerabilities, and the work of managing and securing all of these layers increases the likelihood of misconfigurations and security oversights.

FIGURE 4. Where organizations are experiencing security incidents
2024 Cloud Native Security Survey, Q22, Sample Size = 200, Valid Cases = 200, Total Mentions = 519
In which areas of cloud native software development have you experienced security incidents over the last two years? (select all that apply)

Cloud infrastructure and services                               40%
Configuration and secrets management                            25%
Application runtime environment                                 23%
Data storage and management                                     22%
User access and identity management                             22%
Continuous integration/continuous deployment (CI/CD) pipelines  20%
Container management systems                                    19%
Monitoring and logging systems                                  19%
Dependency management                                           16%
Source code repositories                                        16%
Development and build environments                              14%
None of the above                                               20%
Other (please specify)                                           1%
Don't know or not sure                                           6%

The data in FIGURE 4 highlights the varied nature of security within cloud native environments (development and/or deployment), with infrastructure, configuration and secrets management, and application runtime environments the primary concerns. Organizations must adopt a comprehensive security strategy that encompasses these areas to mitigate risks effectively. The data suggests a significant spread of vulnerabilities across the components of cloud native systems, reinforcing the need for an integrated and proactive approach to cloud security.

Security incidents highlight the cybersecurity risks inherent in a cloud native journey

When we segment the areas of cloud native software development where security incidents were reported in the last two years by the adoption of cloud native techniques, we observe some disconcerting patterns. FIGURE 5 shows the leading areas where organizations in each segment have experienced security incidents. The significantly lower level of security incidents observed in organizations just beginning to develop cloud native applications is likely due in part to their smaller, less complex environments; a more cautious and focused approach to security; and the opportunity to build
security expertise as they gradually adopt cloud native practices. As organizations mature and expand their cloud native deployments, the increased complexity, broader attack surface, and greater integration with other systems make security management more challenging, leading to a higher likelihood of incidents.

FIGURE 5. Where security incidents are being experienced, segmented by level of cloud native use
2024 Cloud Native Security Survey, Q22 x Q7, Sample Size = 190, Valid Cases = 190, Total Mentions = 500
In which areas of cloud native software development have you experienced security incidents over the last two years? (select all that apply), segmented by: To what extent has your organization adopted cloud native techniques? (select one)

Leading areas experiencing incidents    Some cloud native technique use            Much cloud native technique use            Nearly all cloud native technique use
1                                       Application runtime environment (18%)      Cloud infrastructure and services (49%)    Cloud infrastructure and services (42%)
2                                       Cloud infrastructure and services (18%)    Data storage and management (29%)          Configuration and secrets management (29%)
3                                       Dependency management (18%)                Monitoring and logging systems (28%)       User access and identity management (28%)
Percentage of respondents who
selected "None of the above"            37%                                        13%                                        22%

Organizations with extensive cloud native development experience more security incidents primarily because of the increased complexity, scale, and dynamic nature of cloud native environments. Frequent changes, reliance on third-party components, challenges in monitoring and incident response, and the need for a mature security culture all contribute to the higher likelihood of security incidents in these organizations. As they scale their cloud native practices, the complexity and potential attack surface expand, making security management more challenging.

The data indicates that as organizations increase their use of cloud native technologies, the types of security incidents experienced evolve and often increase in certain areas, reflecting both the growing complexity of environments and the higher capability for detection. The shift from basic infrastructure at lower adoption levels to areas such as configuration and secrets management at higher adoption stages supports the need for advanced security strategies tailored to the maturity level of cloud native adoption.
How survivorship bias can skew perceptions of security in cloud native applications

FIGURE 6 is a visual representation of survivorship bias. The diagram shows where returning WW2-era planes were hit. The suggestion that the red clusters should be reinforced exemplifies selection bias, as the planes analyzed did not include any with damage severe enough to crash and not return; the sample only included planes with light enough damage to return home. Therefore, the correct action is to reinforce the parts where less damage is visible. Survivorship bias, or survival bias, is the logical error of concentrating on entities that passed a selection process while overlooking those that did not. This can lead to incorrect conclusions because of incomplete data.

Survivorship bias is crucial to consider when interpreting data on security incidents related to cloud native technologies. Higher incident reporting in more mature cloud native organizations does not inherently point to poorer security; it may indicate greater awareness and better detection of security issues. This can skew perceptions, making it appear that higher adoption correlates directly with higher risk, whereas it may actually signal more robust security practices and detection capabilities.

FIGURE 5 highlights the very different experiences of organizations early in their cloud native journey (some cloud native technique use) compared to those well into their journey (much or nearly all cloud native technique use). The potential for survivorship bias in cybersecurity is a concern for organizations early in their cloud native journey. The reduced scale of cloud native operations in these organizations generally leads to a more simplistic approach to security, fewer identifiable incidents, and a greater share of organizations that have not experienced incidents across the areas presented in FIGURE 5. These organizations are likely to underestimate the importance of implementing more comprehensive security measures as they scale up their cloud native activities. The troublesome finding described in FIGURE 7 in the next section is yet another indicator that organizations early in their cloud native journey need to learn not just from their own experiences but also from the experiences of organizations that have achieved a mature cloud native status.

FIGURE 6. Beyond the numbers: how survivorship bias can skew perceptions of security in cloud native applications
[Image: hit-distribution diagram of returning WW2-era aircraft. Martin Grandjean (vector), McGeddon (picture), US Air Force (hit plot concept), CC BY-SA 4.0, via Wikimedia Commons]

Security assessments and testing tools are a critical aspect of cloud native computing

The granularity and complexity of cloud native development require a larger portfolio of bespoke testing tools. The positive finding in FIGURE 7 is that the cardinality and degree of testing tool use is now significantly greater than in past surveys. The average number of
security assessment techniques in use is now 4.5, compared to between 2 and 3 in past surveys from 2022 and 2023. Static application security testing (SAST) and software composition analysis (SCA) tools are cornerstones of security testing, and their penetration is over 60% in organizations where much or nearly all application development is cloud native. However, these same tools have much less penetration in organizations where only some of their app dev is cloud native.

Another encouraging development is that between 49% and 57% of organizations use manual code inspection, the gold standard in security testing. Manual code inspection is valuable for its contextual understanding, its ability to catch subtle and complex issues, and its role in improving overall code quality and security culture, but it is resource-intensive and may not scale well in large projects. Automated tools like SAST, SCA, and WAS/DAST are excellent at quickly identifying known vulnerabilities and checking conformance with established security practices, but they cannot replace the nuanced analysis and judgment that experienced human reviewers bring to the table. In practice, the best approach is usually a combination of both, leveraging the speed and coverage of automated tools alongside the depth and insight of manual code inspection. This hybrid approach helps organizations maximize security while managing the limitations of each method.

This leads us to a troublesome finding in FIGURE 7: organizations that use only some cloud native techniques are laggards in their adoption of SAST, SCA, and WAS/DAST. Given that these three tool categories are among the most widely used in organizations where much or nearly all application development is cloud native, the dichotomy in penetration is startling.

FIGURE 7. Security assessments in use, segmented by level of cloud native development
2024 Cloud Native Security Survey, Q19 x Q7, Sample Size = 190, Valid Cases = 190, Total Mentions = 865, DKNS responses excluded
What types of security assessments do you perform? (select all that apply), segmented by: To what extent has your organization adopted cloud native techniques? (select one)

                                             Some cloud native   Much cloud native   Nearly all cloud native
                                             technique use       technique use       technique use
Static Application Security Testing (SAST)         46%                 70%                 68%
Container scanning                                 57%                 55%                 65%
Software Composition Analysis (SCA)                34%                 64%                 63%
Dependency scanning                                69%                 59%                 52%
Web application scanning (WAS)                     46%                 57%                 57%
Compliance auditing                                51%                 51%                 54%
Manual code inspection                             57%                 51%                 49%
Penetration testing                                57%                 53%                 46%
Fuzzing                                             6%                 11%                 12%
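To make concrete what an SCA tool does mechanically, and why it is only as good as the manifest it is pointed at, the following is an added example that is not code from the report or from any CNCF project. It resolves a constructed requirements lockfile against a constructed, OSV-style advisory list (the advisory IDs, package names, versions and severities are invented for the illustration). Version ordering is simplified to dotted integers, which is a stated assumption; a real tool would apply full PEP 440 or semver rules. Unpinned requirements are reported separately rather than silently passed, because "no match" on an unresolved version spec is not the same as "no vulnerability".

```python
"""Minimal software composition analysis (SCA) matcher.

Added illustration, not code from the report or any CNCF project. It
resolves a pinned dependency manifest against a small, constructed
advisory list using OSV-style "introduced"/"fixed" version events.
Advisory IDs, package names, versions and severities are invented.
"""
import re
from dataclasses import dataclass

# Constructed requirements lockfile (not from any real project).
MANIFEST = """\
flask==2.2.5
requests==2.25.1
pyyaml==5.3.1
cryptography>=41.0   # unpinned: cannot be assessed without a resolved version
"""

# Constructed advisories. A range is [introduced, fixed); fixed=None means no fix yet.
ADVISORIES = [
    {"id": "EX-2024-0001", "package": "requests", "severity": "HIGH",
     "introduced": "2.3.0", "fixed": "2.31.0"},
    {"id": "EX-2024-0002", "package": "pyyaml", "severity": "CRITICAL",
     "introduced": "0", "fixed": "5.4"},
    {"id": "EX-2024-0003", "package": "flask", "severity": "MEDIUM",
     "introduced": "0", "fixed": "2.2.5"},   # fixed in exactly the pinned version
]

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)$")
SPEC_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(>=|<=|~=|!=|>|<)")


@dataclass
class Finding:
    package: str
    version: str
    advisory: str
    severity: str


def parse_version(v):
    """Dotted numeric version -> comparable tuple.

    Assumption for the example: no pre-/post-release handling; a real
    tool needs full PEP 440 (or semver) ordering.
    """
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_in_range(version, introduced, fixed):
    """OSV semantics: introduced <= version < fixed (no fixed = still affected)."""
    pv = parse_version(version)
    if pv < parse_version(introduced):
        return False
    return fixed is None or pv < parse_version(fixed)


def parse_manifest(text):
    """Return ({name: pinned version}, [unpinned names]) from requirements text."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
            continue
        m = SPEC_RE.match(line)
        if m:
            unpinned.append(m.group(1).lower())
    return pinned, unpinned


def scan(manifest_text, advisories):
    """Match pinned packages against advisories; return (findings, unpinned).

    Findings are sorted most severe first. Unpinned requirements come
    back separately so a caller can fail the build instead of treating
    "no match" as "no vulnerability".
    """
    pinned, unpinned = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        version = pinned.get(adv["package"].lower())
        if version and version_in_range(version, adv["introduced"], adv.get("fixed")):
            findings.append(Finding(adv["package"], version, adv["id"], adv["severity"]))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.package))
    return findings, unpinned


if __name__ == "__main__":
    found, loose = scan(MANIFEST, ADVISORIES)
    for f in found:
        print(f"{f.severity:8} {f.package}=={f.version}  {f.advisory}")
    for name in loose:
        print(f"UNPINNED {name}: resolve the version (use a lockfile) before scanning")
```

Run stand-alone, the matcher flags pyyaml and requests because their pinned versions fall inside a known affected range, leaves flask alone because the pin is exactly the fixed version, and reports cryptography as unresolvable. That is the whole division of labour the section describes: the tool answers "is this known-bad component present?" quickly and repeatably, and says nothing about business-logic flaws in the code that consumes those components, which is what the manual review is for.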
An increased use of security tools is having a positive impact on the security of cloud native applications

The increased use of security tools shown in FIGURE 7 is delivering its intended results. As noted in FIGURE 1, 84% of respondents believe that their cloud native applications are more secure than they were two years ago. FIGURE 8 segments the use of security tools and assessments by perceptions of how security has improved. Using the "About the same" response as a baseline, the largest gains in perceived security are associated with the use of SAST, SCA, and WAS (DAST) tools. Container scanning and dependency scanning also show material gains.

FIGURE 8. Security assessments in use, segmented by how the security of cloud native applications has changed
2024 Cloud Native Security Survey, Q19 by Q21a, Sample Size = 197, Valid Cases = 197, Total Mentions = 891
What types of security assessments do you perform? (select all that apply), segmented by: How secure are your cloud native apps compared to 2 years ago? (select one)

                                             About the same   Somewhat more secure   Significantly more secure
Static Application Security Testing (SAST)              55%                    58%                         69%
Container scanning                                      48%                    65%                         53%
Dependency scanning                                     48%                    65%                         52%
Software Composition Analysis (SCA)                     45%                    47%                         67%
Web application scanning (WAS)                          38%                    49%                         63%
Manual code inspection                                  45%                    55%                         51%
Penetration testing                                     41%                    53%                         53%
Compliance auditing                                     45%                    52%                         53%
Fuzzing                                                  7%                    12%                         11%
Other (please specify)                                   3%                     4%                   not shown

Key security strategies include code reviews and CI/CD security

FIGURE 9 shows that code reviews are the most consistently practised security strategy, with 51% of organizations performing them on every update. Manual code reviews are an effective tool for improving cloud native security, offering deep insight into business logic, architectural patterns, and complex security issues that automated tools may miss. When combined with automated security testing tools like SAST and SCA, manual reviews can significantly enhance the security posture of cloud native applications by addressing both technical vulnerabilities and context-specific threats.

FIGURE 9. Usage characteristics of common security strategies for cloud native application development
2024 Cloud Native Security Survey, Q17, Sample Size = 200
How often does your organization practice the following security strategies within cloud native ecosystems? (one response per row; options: On every update, Weekly, Monthly, Quarterly, Yearly, Rarely or never, Not sure or not applicable). The Yearly, Rarely or never, and Not sure responses make up the remainder of each row.

                                                On every update   Weekly   Monthly   Quarterly
Code reviews                                                51%      25%       14%          7%
Continuous integration and deployment security              49%      22%       12%          9%
Secrets management                                          43%      17%       13%         15%
Automated security testing                                  41%      28%       12%          8%
Configuration management                                    41%      25%       19%         10%
Vulnerability scanning and remediation                      39%      28%       17%          8%
Update dependencies                                         32%      24%       27%         10%
Compliance checks                                           30%      21%       22%         13%

However, the effectiveness of manual reviews depends on the expertise of the reviewers, the thoroughness of the review process, and the ability to integrate the findings into the broader development and security workflows. In practice, the best results come from using manual code reviews in conjunction with automated tools to create a comprehensive security strategy.

CI/CD security is essential for ensuring that the automation and efficiency benefits of CI/CD pipelines do not come at the expense of security. By embedding security practices throughout the pipeline, from code development and dependency management to deployment and monitoring, organizations can maintain a strong security posture while delivering software quickly and reliably. One of the strategies shown in FIGURE 9 that could use improvement is automated security testing. Given that most security tools can run unattended, the fact that only 41% of organizations run automated security testing on every update leaves clear room for improvement.
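As an added illustration of embedding a check into the pipeline so that it runs on every update rather than monthly (this is not code from the report or from any CNCF project), the following gate inspects a Kubernetes Deployment before it is merged. The weak and hardened manifests are constructed for the example, as are the image, registry and Secret names; the checks (mutable image tag, privileged container, missing runAsNonRoot and allowPrivilegeEscalation settings, and a literal secret in an env entry) are chosen for this illustration and correspond to the configuration-and-secrets-management and application-runtime incident areas of FIGURE 4. Manifests are handled in their JSON form, which kubectl accepts, so no YAML library is assumed.

```python
"""Pre-merge security gate for a Kubernetes workload manifest.

Added example, not code from the report or from any CNCF project. It
shows the kind of check that can run on every update in a CI job. The
two manifests are constructed; image, registry and Secret names are
invented. Manifests are handled as JSON (kubectl accepts the JSON
form), so no YAML library is needed.
"""
import json
import re
import sys

SECRET_NAME_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def _deployment(image, security_context, env):
    """Build a one-container Deployment (constructed test input)."""
    return json.dumps({
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "api"},
        "spec": {"template": {"spec": {"containers": [{
            "name": "api", "image": image,
            "securityContext": security_context, "env": env}]}}},
    })


# Weak form: mutable tag, privileged, runs as root, literal password in env.
WEAK_MANIFEST = _deployment(
    "registry.example/api:latest",
    {"privileged": True},
    [{"name": "DB_PASSWORD", "value": "hunter2"},
     {"name": "LOG_LEVEL", "value": "info"}])

# Hardened form: digest-pinned image, restricted context, secret by reference.
HARDENED_MANIFEST = _deployment(
    "registry.example/api@sha256:" + "0" * 64,
    {"privileged": False, "runAsNonRoot": True,
     "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True},
    [{"name": "DB_PASSWORD",
      "valueFrom": {"secretKeyRef": {"name": "api-db", "key": "password"}}},
     {"name": "LOG_LEVEL", "value": "info"}])


def containers(doc):
    """Containers of a workload template (Deployment, Job, ...) or a bare Pod."""
    spec = doc.get("spec", {})
    pod = spec.get("template", {}).get("spec", spec)
    return pod.get("containers", []) + pod.get("initContainers", [])


def check_manifest(doc):
    """Return a list of (severity, container name, message) violations."""
    out = []
    for c in containers(doc):
        name, image = c.get("name", "<unnamed>"), c.get("image", "")
        last = image.rsplit("/", 1)[-1]   # strip registry/path before looking for a tag
        if "@sha256:" not in image and (":" not in last or last.endswith(":latest")):
            out.append(("HIGH", name, f"image '{image}' has a mutable tag; pin by digest"))
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            out.append(("CRITICAL", name, "privileged container"))
        if sc.get("runAsNonRoot") is not True:
            out.append(("MEDIUM", name, "runAsNonRoot is not true"))
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(("MEDIUM", name, "allowPrivilegeEscalation is not false"))
        for env in c.get("env", []):
            # A secret-looking name with an inline value is a hardcoded secret;
            # valueFrom.secretKeyRef (no "value" key) is the accepted pattern.
            if SECRET_NAME_RE.search(env.get("name", "")) and "value" in env:
                out.append(("CRITICAL", name,
                            f"env {env['name']} holds a literal secret; use valueFrom.secretKeyRef"))
    return out


def gate(manifest_json, block_at="HIGH"):
    """Return (passed, violations); fail when any violation is at or above block_at."""
    violations = sorted(check_manifest(json.loads(manifest_json)), key=lambda v: RANK[v[0]])
    passed = all(RANK[v[0]] > RANK[block_at] for v in violations)
    return passed, violations


if __name__ == "__main__":
    # CI usage: python gate.py deploy.json  (a non-zero exit blocks the merge)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_MANIFEST
    ok, found = gate(text)
    for sev, cname, msg in found:
        print(f"{sev:8} {cname}: {msg}")
    sys.exit(0 if ok else 1)
```

Wired into the pipeline as a required step, the non-zero exit is what turns a quarterly scan into an "on every update" control: the change is refused by the pipeline instead of depending on someone remembering to run the tool. The hardened manifest passes with no findings, the weak one fails on two critical findings before the rest are even considered.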
Vulnerability scanning, automated security testing, and CI/CD security are a fast path to improved security

Intersecting the security strategies used in cloud native ecosystems (FIGURE 9) with organizational perceptions of how much cloud native security has improved over the last two years gives insight into which strategies perform best. In FIGURE 10, using "About the same" as a baseline again, the largest improvements over the baseline are associated with the use of vulnerability scanning and remediation (34% of the baseline group versus 75% of the "Significantly more secure" group), automated security testing (42% versus 82%), and CI/CD security (48% versus 81%). There is a clear trend: organizations that perceive their cloud native applications as "Significantly more secure" practise security strategies more frequently. This suggests a correlation between frequent, proactive security measures and improved security perceptions. As organizations increase their commitment to frequent security practices like automated testing, continuous integration, and vulnerability scanning, they tend to perceive their environments as more secure. Code reviews are again the gold standard for addressing security concerns, practised on every update or weekly by 80% of the "Significantly more secure" group.

FIGURE 10. Security strategies that result in significant improvements to cloud native application security
2024 Cloud Native Security Survey, Q17 x Q21a, Sample Size = 197; respondents who answered "On every update" or "Weekly"
How often does your organization practice the following security strategies within cloud native ecosystems? (share answering "On every update" or "Weekly"), segmented by: How secure are your cloud native apps compared to 2 years ago? (select one)

                                                About the same   Somewhat more secure   Significantly more secure
Code reviews                                               59%                    75%                         80%
Configuration management                                   52%                    67%                         69%
Continuous integration and deployment security             48%                    65%                         81%
Secrets management                                         45%                    57%                         65%
Update dependencies                                        45%                    54%                         63%
Automated security testing                                 42%                    65%                         82%
Vulnerability scanning and remediation                     34%                    66%                         75%
Compliance checks                                          27%                    40%                         66%

Verification of the leading cloud native security strategies

In FIGURE 9, we asked how frequently organizations employ various security strategies. FIGURE 11 uses the same list of strategies but instead asks how important each of them is to the organization. Code reviews once again reside at the top of the list, with 84% identifying the strategy as either extremely important or very important. Manual reviews are the gold standard when evaluating security concerns and excel at identifying business logic flaws, architectural flaws, code smells, anti-patterns, logic errors, edge cases, and verification of security tool
113、findings.Manual code reviews can be highly effective in improving cloud native security,provided knowledgeable reviewers conduct them systematically.While automated tools like SAST and SCA play crucial roles in detecting vulnerabilities,manual code reviews offer unique advantages that complement the
114、se tools,particularly in the context of cloud native environments.The importance of CI/CD security(82%),vulnerability scanning and remediation(81%),and automated security testing(80%)aligns with the variance findings in FIGURE 9 confirming the importance of employing these tool categories as part of
115、 an orga-nizations security tool portfolio and tool chain.FIGURE 11THE IMPORTANCE OF SELECTED CLOUD NATIVE SECURITY STRATEGIES2024 Cloud Native Security Survey,Q18,Sample Size=200,sorted by percentage of respondents who selected“Extremely important”or“Very important”50%53%48%48%52%40%39%44%34%29%33%
116、32%24%34%34%26%15%15%14%14%22%21%21%2%3%4%6%5%4%4%7%0%10%20%30%40%50%60%70%80%90%100%Code reviewsContinuous integration and deployment securityVulnerability scanning and remediationAutomated security testingSecrets managementUpdate dependenciesConfiguration managementCompliance checksExtremely impor
117、tantVery importantImportantSlightly importantNot important at allNot Sure or not applicableHow important are each of these security strategies?(one response per row)14%212024 CLOUD NATIVE SECURITY REPORTWebinars and conferences are the primary sources for staying informed about CNCF security tools a
118、nd updatesThe cybersecurity domain is continually changing.New vulner-abilities,threats,exploits,patches,tools,components,and best practices are always surfacing.Even if a component doesnt change,a new vulnerability can be found leading to a race between those seeking to exploit the vulnerability an
119、d those seeking to remediate it.FIGURE 12 shows that CNCF webinars and workshops are the leading approach that 48%of respondents use for staying informed about CNCF security tools and updates.Other leading approaches to stay up to date include conferences(44%),security news websites and blogs(38%),a
120、nd mailing lists and newsletters(34%).Since the majority of respondents used no single approach,is there a combination of approaches preferred by a signifi-cant majority of respondents?There is a combined use of CNCF webinars and conferences by 67%of the sample.Adding mailing lists and newsletters i
121、ncreases the total to 76%of the sample,adding security news websites and blogs increases the total to 82%of the sample,and adding security advisory websites and databases increases the total to 84%of the sample.We recom-mend that it is best to adopt a portfolio of approaches to identify important ev
122、ents as well as corner cases.FIGURE 12HOW RESPONDENTS STAY INFORMED ABOUT CLOUD NATIVE SECURITY PROJECTS,TOOLS,AND ISSUES2024 Cloud Native Security Survey,Q44,Sample Size=200,Valid Cases=200,Total Mentions=664How do you stay informed about CNCF security tools and updates?(select all the apply)48%44%
123、38%34%32%32%29%24%23%18%10%2%2%CNCF webinars/workshopsConferencesSecurity news websites and blogsMailing lists and newslettersOnline forums(e.g.,Stack Overflow)Industry reports and white papersSecurity advisory websites and databasesSocial mediaPodcastsProfessional organizationsNo specific actions a
124、re being taken to stay up to dateOther(please specify)Dont know or not sure222024 CLOUD NATIVE SECURITY REPORTBest practices and training materials are the most desired content to improve the security of cloud native applicationsFIGURE 13 shows that cloud native security best practices followed clos
125、ely by training materials are the most desired content that respondents want from the CNCF.This confirms once again the findings in earlier CNCF and OpenSSF surveys.The Linux Foundation provides a large variety of training and certi-fication courses,tutorials,and exams focusing on secure software de
126、velopment,Kubernetes,service meshes,and APIs.Some of these courses are free,and others are fee-based.Most of these courses include best practices distributed across the content.Cybersecurity is a key focal point of established uber-projects including CNCF and OpenSSF.For more information see:trainin
127、g.linuxfoundation.org/resources.FIGURE 13PREFERRED CONTENT FROM CNCF TO SUPPORT CLOUD NATIVE APPLICATION SECURITY2024 Cloud Native Security Survey,Q42,Sample Size=200,Valid Cases=200,Total Mentions=565What do you need from CNCF to make more progress toward securing your cloud native applications?(se
128、lect all that apply)65%54%49%43%42%26%3%3%Best practicesTraining materialsTutorialsSuccess casesCertification examsContent at conferencesOther(please specify)Dont know or not sure232024 CLOUD NATIVE SECURITY REPORTMethodologyAbout the surveyThis study is based on a web survey conducted by Linux Foun
129、dation Research and the CNCF from March 2024 through May 2024.The surveys goal was to understand how organizations are addressing cloud native security.In this section,we present the study methodology and context regarding how we analyzed the data followed by the demographics of the respondents.From
130、 a research perspective,it was important to eliminate any perception of sample bias and ensure high data quality.We handled the elimination of sample bias by sourcing our usable sample from Linux Foundation subscribers,members,partner communities,and social media.We addressed data quality through ex
131、tensive prescreening,survey screening questions,and data quality checks to ensure that respondents had sufficient professional experience to answer questions accurately on behalf of the organization they worked for.We collected survey data from industry-specific companies,IT vendors and service prov
132、iders,nonprofit,academic,and govern-ment organizations.Respondents spanned many vertical industries and companies of all sizes,and we collected data from several geog-raphies,although primarily from North America(76%).The 2024 Cloud Native Security Survey comprised 45 questions that addressed screen
133、ing,respondent demographics,supply chain security for cloud native applications,open source security tool use,and how the CNCF can better support your needs.We have not published open source security tool use in this report,but you can find it in the dataset and survey frequencies on Data.World.For
134、information about access to the 2024 Cloud Native Security Survey,its dataset,and survey frequencies,see the Data.World access information below.The high-level design of the survey is outlined in FIGURE 14.The target audience included respondents who met the following criteria:Must be involved in th
135、e development of cloud native applications Must be familiar with how the organization they work for deals with the security of its cloud native applications The organization must be using cloud native technologies and techniques Must be employedSurvey development by Linux Foundation Research occurre
136、d in March 2024,and the survey was fielded in April 2024.A total of 200 respondents completed the survey.The margin of error for this sample size was+/-5.8%at a 90%confidence level and+/-6.9%at a 95%confidence level.We stratified the data collection by company size,geographic region,and organization
137、 type.The data was primarily segmented by geographic region,company size,and type of organization.242024 CLOUD NATIVE SECURITY REPORTAlthough respondents needed to answer nearly all questions in the survey,we included a provision when a respondent was unable to answer a question by adding a“Dont kno
138、w or not sure”(DKNS)response to the list of responses for every question.However,this created a variety of analytical challenges.One approach was to treat a DKNS just like any other response to determine the percentage of respondents that answered DKNS.The advantage of this approach is that it shows
139、 the exact distri-bution of data collected.The challenge with this approach is that it can distort the distribution of valid responses,i.e.,responses where respondents could answer the question.Some of the analyses in this report exclude DKNS responses.This is because we can classify the missing dat
140、a as either missing at random or missing completely at random.Excluding DKNS data from a question does not change the distribution of data(counts)for the other responses,but it does change the size of the denominator used to calculate the percent of responses across the remaining responses.This has
141、the effect of proportionally increasing the percentage values of the remaining responses.Where we have elected to exclude DKNS data,the footnote for the figure includes the phrase“DKNS responses excluded.”The percentage values in this report may not total to exactly 100%due to rounding.Data.World ac
142、cessLF Research makes each of its empirical project datasets available on Data.World.Included in this dataset are the survey instrument,raw survey data,screening and filtering criteria,and frequency charts for each question in the survey.You can find LF Research datasets,including this project,at da
143、ta.world/thelinuxfoundation.Access to Linux Foundation datasets is free but does require you to create a data.world account.PagesQuestionsQuestion categoriesWho answers the questionsP1 Introduction All respondentsP2Q1 Q7Introductory questionsAll respondents(N=200)P3Q8 Q9Tell us about yourselfAll res
144、pondents(N=200)P4Q10 Q11Tell us about your involvement in open sourceOpen source contributors(N=153)P5Q12 Q16Tell us about the company you work forAll respondents(N=200)P6Q17 Q23Supply chain security of cloud native applicationsAll respondents(N=200)P7 15Q24 Q41Open source security tool use(nine cat
145、egories)Respondents with tool use experience(N=54 to 87)P16Q42 Q45Closing questionsAll respondents(N=200)FIGURE 14SURVEY DESIGN2024 Cloud Native Security Survey252024 CLOUD NATIVE SECURITY REPORTRespondent demographicsThese demographics provide you with a profile of the 2024 Cloud Native Security Su
146、rvey respondents.We have regrouped all of the demographics in FIGURE 15 to facilitate a more insightful analysis.For the original source data and study frequencies,please see the data.world access described above.FIGURE 15RESPONDENT DEMOGRAPHICS10%23%44%46%5%6%8%33%9%26%Location of organization head
147、quartersRespondent roleOSS RoleCloud native adoptionIndustry of organizationCompany size(employees),North AmericaCross-industry ITFinancial servicesRetail&wholesaleManufacturingTelcoOtherAsia PacificEuropeRoW76%31%28%19%32%5%24%10%3%16%5%17%14%44%19%20%13%6%8%2024 Cloud Native Security Survey,Q12,Sa
148、mple Size=2002024 Cloud Native Security Survey,Q8,Sample Size=2002024 Cloud Native Security Survey,Q11,Sample Size=2002024 Cloud Native Security Survey,Q7,Sample Size=2002024 Cloud Native Security Survey,Q14,Sample Size=2002024 Cloud Native Security Survey,Q15,Sample Size=200DeveloperIT ManagementIT
149、 OperationsSystem administrationC-levelOther,MaintainerCore contributor Occasional contributor CommitterNon-dev contributorDoes not contribute,Just beginningSomeMuchNearly all1 to 9991,000 to 4,9995,000 or more262024 CLOUD NATIVE SECURITY REPORTAbout the authorsSTEPHEN HENDRICK is vice president of
150、research at the Linux Foundation,where he is the principal investigator on a variety of research projects core to the Linux Foundations understanding of how open source software is an engine of innovation for producers and consumers of IT.Steve specializes in primary research techniques developed ov
151、er 30 years as a software industry analyst.Steve is a subject-matter expert in application development and deployment topics,including DevOps,application management,and decision analytics.Steve brings experience in a variety of quantitative and qualitative research tech-niques that enable deep insig
152、ht into market dynamics and has pioneered research across many application development and deployment domains.Steve has authored over 1,000 publications and provided market guidance through syndicated research and custom consulting to the worlds leading software vendors and high-profile start-ups.AD
153、RIENN LAWSON is a data analyst at the Linux Foundation.Adrienn obtained a masters degree in social data science from the University of Oxford.She is responsible for survey development,analysis,and report writing.Adrienn has previously conducted research at the University of Oxford,the Budapest Insti
154、tute for Policy Analysis,and the U.K.s Office for National Statistics.She is most fascinated by the collective power of open source collaboration within geographically dispersed communities.Additionally,she is most interested in researching trends and solutions for challenges related to OSS funding,
155、sustainability,and supporting developers in their pursuit of responsible technological advancement.JEFFREY SICA is Head of Projects at the CNCF,with a focus on improving maintainer experience,building communities,and project automation.Before that,he worked at Red Hat and the University of Michigan
156、focusing on cloud native technologies and CICD patterns.Jeffrey has been a contributor to upstream Kubernetes,helping in SIG-Contribex,SIG-Release,and SIG-UI.He passionately advocates for open source development and recognizing and alleviating burnout.272024 CLOUD NATIVE SECURITY REPORTAcknowledgmen
157、tsWe thank all the participants of the survey for kindly sharing their insights and experience in search and analytics.Special thanks to peer reviewers and LF colleagues for their involvement in the various stages of the research process,including:Chris Aniszczyk Elizabeth Bushard Hilary Carter Jorg
158、e Castro Mia Chaszeyka Anna Hermansen Christina Oliviero David Wheeler Katie Greenley282024 CLOUD NATIVE SECURITY REPORTFounded in 2021,Linux Foundation Research explores the growing scale of open source collaboration,providing insight into emerging technology trends,best practices,and the global im
159、pact of open source projects.Through leveraging project databases and networks,and a commitment to best practices in quantitative and qualitative methodologies,Linux Foundation Research is creating the go-to library for open source insights for the benefit of organizations the world over.Copyright 2
160、024 The Linux FoundationThis report is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International Public License.To reference this work,please cite as follows:Stephen Hendrick,Adrienn Lawson,and Jeffrey Sica,“2024 Cloud Native Security Report:How Organizations Are Addressing Sec
161、urity for Cloud Native Application Development,foreword by Eddie Knight,”The Linux Foundation,October native computing leverages an open-source software stack to deploy applications as microservices,where each component is packaged into its own container and orchestrated dynamically to optimize reso
162、urce utilization.The Cloud Native Computing Foundation(CNCF)hosts key projects within the cloud native ecosystem,including Kubernetes,Envoy,Prometheus,and many others.CNCF serves as a neutral hub for collaboration,bringing together leading developers,end users,and vendorsfrom the worlds largest public cloud providers and enterprise software companies to innovative startups.As part of The Linux Foundation,a nonprofit organization,CNCF fosters the growth and adoption of cloud-native technologies across industries.For more information,visit cf.io.