NeuVector today announced it has appointed Stephanie Fohn to be CEO of the container security platform provider.
Previously, Fohn was CEO of Remotium, a provider of a virtual mobile computing platform, and WhiteHat Security, a provider of application security software. Fohn takes the helm of NeuVector from Fei Huang, who will become chief strategy officer and remains on the board.
Fohn says that while NeuVector has gained traction with early adopters of containers, the next phase of its growth will be driven by corporate customers looking to standardize on container security platforms as they embrace DevSecOps best practices.
Most recently, NeuVector moved to advance that goal by adding a Security Policy as Code capability that enables DevOps teams to employ Kubernetes Custom Resource Definitions (CRDs) to define and manage application security policies.
The primary DevSecOps challenge many enterprise IT organizations face is the need to first define a separation of cybersecurity duties. Developers are clearly taking on more responsibility for application security. However, cybersecurity teams still need to verify that the appropriate controls have been put in place. At the same time, cybersecurity teams need to work more closely with IT operations teams to also ensure that IT infrastructure is secure. As part of that transition, most cybersecurity professionals may not need to learn how to develop applications, but they will be expected to know how YAML files can be employed to enforce cybersecurity policies.
NeuVector is one of a handful of cybersecurity companies focused exclusively on container security following a wave of acquisitions across the sector in 2019. Whether that wave will continue into 2020 remains to be seen. Startups such as NeuVector contend container security in the age of microservices requires a whole new approach to attaching cybersecurity policies and controls to containerized applications. Incumbent cybersecurity vendors don’t necessarily disagree on that point. However, they are making a case for a unified control plane that can be applied to security platforms that span emerging microservices applications based on containers and legacy monolithic applications.
To make matters even more challenging, serverless computing frameworks that need to be secured are also emerging as extensions to both classes of applications.
Of course, adoption of DevSecOps assumes developers and cybersecurity teams can get over years of antagonistic relationships. Many cybersecurity professionals don’t necessarily trust developers, while developers have often viewed cybersecurity teams as an obstacle to building and deploying code faster. It’s not that developers don’t have an appreciation for the need to build secure applications. It’s just that the processes relied on today to achieve that goal are viewed as cumbersome at best.
In the age of containers, cybersecurity teams will also need to come to terms with the ephemeral nature of many application workloads that may have come and gone before they were even made aware of their existence. Like it or not, cybersecurity professionals will need to adapt to a “trust but verify” approach to cybersecurity.
Whatever the outcome, however, those same cybersecurity professionals should take some comfort in the fact that containerized applications should prove to be more secure over the long term if for no other reason than it’s a lot easier to rip and replace a few infected containers than it is to patch an entire monolithic application.