StackRox today announced it has picked up an additional $26.5 million in funding that will be used for product development and to expand operations globally.
Company CEO Kamal Shah says the provider of an integrated framework for addressing cybersecurity and compliance requirements in Kubernetes environments plans to enable organizations to bridge the divide between DevOps and cybersecurity teams as responsibility for implementing controls continues to shift further left toward developers.
The challenge organizations are encountering when attempting to adopt DevSecOps best practices in Kubernetes environments stems from the fragmented nature of the tools being provided to developers. In contrast to the commercial tools from StackRox that are natively integrated with Kubernetes, Shah notes many organizations are attempting to stitch together multiple open source tools with different interfaces. DevOps teams not only have to navigate those different interfaces but must also maintain and update those tools.
The StackRox platform addresses everything from vulnerability discovery through incident management and risk profiling using a consistent set of interfaces that are extensions of the core Kubernetes application programming interface (API), notes Shah. IT organizations will require cybersecurity tools that are built into Kubernetes rather than merely bolted on, he says.
As DevSecOps processes continue to mature, he adds, it soon will become apparent to more senior IT leaders that organizations are spending too much time and effort on building and maintaining DevSecOps toolchains. In fact, Shah says, the StackRox approach to securing Kubernetes environments is starting to resonate: The company saw revenues grow more than 240% in the first six months of this year compared to the same period last year.
A recent survey published by the Cloud Native Computing Foundation (CNCF), which oversees the development of Kubernetes, finds nearly 80% of organizations are now running Kubernetes in production environments. Most of those organizations are just now starting to address the security and compliance requirements that stem from deploying Kubernetes in a production environment, Shah says.
While it’s still early days as far as the adoption of Kubernetes is concerned, competition among providers of container security platforms is already fierce. The challenge providers of these platforms face has been twofold. For one, many cybersecurity teams initially assume the policies they created for existing monolithic applications could be extended to container applications, when in fact most organizations will need to define and create controls for highly ephemeral container environments.
At the same time, responsibility for implementing controls is shifting left toward developers, yet cybersecurity teams are still responsible for defining controls and verifying they have been implemented. Knowing which tools to employ to achieve that goal requires a level of DevSecOps collaboration most organizations have yet to achieve.
IT organizations are running out of time to solve that problem. DevOps teams that rely on tools to automate the configuration of infrastructure have shown an unfortunate tendency to misconfigure IT environments in ways that make them relatively easy to compromise. If DevOps teams don’t solve that issue on their own, it’s only a matter of time before someone else in the organization will decide how to solve it for them.