Here are the predictions by Branden Wood, Director of U.S. Federal Government at StackRox.
• DevSecOps really starts to take center stage
• Concept of Zero Trust starts to penetrate cloud and containerized applications
• Increased focus on policy and reporting requirements
• Strict focus on the supply chain for DevSecOps
Here is the abridged transcript of the discussion.
Swapnil Bhartiya: This is your host Swapnil Bhartiya. We are at the end of 2020 and this is once again time for predictions for 2021. But this time, we have an increased focus on cybersecurity, cloud native security and the federal government. So today we have with us Branden Wood, Director of U.S. Federal Government at StackRox. Branden, first of all, it’s nice to have you back on the show. To get started, let’s talk about StackRox from the perspective of the federal government and security.
Branden Wood: StackRox is a US-based Kubernetes and container security platform. We are specializing in full lifecycle security. That means from the time you start building applications to deploying applications, and even during runtime, we provide security for those containerized applications.
For Federal, our biggest use cases are around vulnerability management. Incident response has really become pretty important recently, and behavioral analysis is another big thing, where we’re really monitoring the behavior of runtime activity and alerting you to anomalies in that, but compliance still remains the biggest thing. So we give you the ability to assess compliance, utilizing CIS benchmarks and NIST standards, and then leveraging that data to provide the continuous HTL that everyone is trying to get to today.
Swapnil Bhartiya: What predictions do you have for 2021?
Branden Wood: I think in 2021 DevSecOps really starts to take center stage. If you look at all the different mandates and initiatives that have been going on over the last 2, 3, 4 years, they’re primarily targeted at legacy data center centric applications. I think they’re really starting to move into the new landscape. So the first prediction is going to be the concept of zero trust. We’re going to move over to applying zero trust out of the data center and more into the cloud applications, containerized applications, and really providing zero trust network implementations inside of those new environments. I think it’s going to be kind of the first trend that we start seeing.
The next prediction is going to be around policy and reporting requirements. If you look at programs like the Continuous Diagnostics and Mitigation program from DHS, it’s been an amazing accomplishment; Kevin Cox and the CDM PMO team have achieved the unthinkable. I remember when I started working on the program 10 years ago, when it first came about, it seemed like it was never going to happen; there’s no way you can standardize tools and concepts of reporting across the entire civilian agency. But I believe they did it, they achieved it. I think the focus this year is going to be around those devices and technologies that simply didn’t exist 10 years ago. IoT devices, and more importantly for StackRox, containerized and cloud applications are going to be first on that list. If you think about running a simple compliance or vulnerability scan against a Kubernetes cluster, it’s not going to give you visibility into the containers that are running inside of those things. It’s a blind spot for these programs that currently exist. So those containers are essentially just many operating systems themselves and they’re not really accurately being accounted for in these large programs. I think that’s going to be a point of emphasis moving forward in 2021.
The last area of interest that I think we’re going to see in 2021 is a strict focus on supply chain for DevSecOps. So, we’ve been doing supply chain for a long time, laser-focused on supply chain requirements for hardware and software. But that was mainly focused on COTS (commercial off-the-shelf) products. As you have more and more agencies starting to build their own applications, specifically on containers, it presents a whole new set of problems. To give you an example, let’s say you build your application on a STIG-based image that you get from Iron Bank. Well, that’s great. You started with a secure image, but what about all those open-source tools that you pull down from public repos? We don’t have a process in place today that’s accounting for those things. So, I think that the supply chain is going to be a really important point of focus in 2021.
Swapnil Bhartiya: What is going to be the focus of StackRox in 2021?
Branden Wood: I think we’re going to be right alongside these customers as they start following these new trends and these new reporting programs and policies that are going to be put in place, and zero trust and things like that. But a lot of it’s really just going to be continuing the momentum that we established in 2020. It’s been a banner year for StackRox and Federal. We have had great traction with the FSI community and programs that are being implemented across the entire federal government, with success inside of DoD. Last week, we talked about our addition to Platform One inside of Iron Bank. So leveraging all that, continuing that success means just continuing to integrate with the ecosystem, making sure that organizations really have true DevSecOps, and they don’t need to focus on specific tools. They have an ecosystem of tools that they can leverage. And then the other thing is really just evangelizing and educating. This is still an emerging market; you still need to educate folks on what’s going on out there. And one thing that’s really unique to StackRox is, if you look at our blog posts, for instance, we don’t just blog about StackRox. There’s a post on how to implement and have success with Istio, or how to protect Kubernetes in general against the MITRE ATT&CK framework. I think that evangelism and education is going to make us an active participant in this DevSecOps community as we go forward.