Hello everyone and welcome to the September 2021 end user technology radar. I'm excited to have here with me today the technology radar team, featuring representatives from organizations such as Allianz Direct and Discover Financial Services. And today we're going to have a look through the technology radar that they've produced over the last couple of weeks. So, let me just start by showing my screen. Very quickly, just a bit about myself. My name is Katie Gamanji and currently I am the ecosystem advocate at CNCF. My mission is to make end users successful, but at the same time to bridge the gap between the adopters and the projects within the ecosystem. You can find me on social media such as Twitter and LinkedIn for further questions about today's radar or anything related to the end user community.

Now I've mentioned the end user community and I'd like to maybe provide a bit more information on what it actually represents. The end user community is formed of more than 155 organizations that use cloud native technologies to build and distribute their services. We have a wide range of these organizations across different sectors and industries, featuring startups that are quite innovative and disruptive, and big household names that have been in the industry for many years. The end user community is one of the largest end user open source communities out there and stands at the center of CNCF's goal of end user driven open source. One of the main initiatives for the end user community is to provide a bit more insight into how they use cloud native. And this is the purpose of the technology radar. The tech radar is something which intends to showcase the real usage of cloud native. As such, we're going to have a radar composed of three main rings. And within these rings we're going to have adopt, trial and assess levels. Once the technology radar team chooses a theme, we will go to the end user community and ask for their feedback.
Based on their feedback and votes, we will categorize tools and frameworks in one of these levels. Adopt pretty much means that this tool is highly recommended by the end user community. They have been using this tool in their production systems and it's proven to be stable and useful. The tools that are categorized as trial are pretty much other tools that have had success with the end user community, and they definitely recommend having a closer look at those. The assess tools are pretty much tools that focus on solving very specific, small problems. The end user community did a POC or investigated them in the past and would definitely recommend you look as well, if you face the same problem in your organization.

Now before we actually look into the tech radar that we've produced for this quarter, I would like to introduce the tech radar team. Currently we have Sergiu and Keith joining us today. Sergiu, would you like to introduce yourself please?

Of course. Thank you, Katie. My name is Sergiu Petean, I'm the head of DevOps at Allianz Direct. I'm responsible for operating and then growing the platform for the whole company. You might know about Allianz, but Allianz Direct has a little bit of a different identity. We are seeing ourselves as an IT company, a technology company with a license for insurance. And you can see that, I guess, in our technology stack.

Awesome. Thank you for joining us today. And Keith, would you like to introduce yourself as well?

Yeah, thanks, Katie. I'm Keith Nielsen. I am director of cloud architecture at Discover Financial Services. My responsibilities here are sort of focusing on strategies around how we consume public cloud, the services of public cloud in relation to our private cloud. So part of those strategies are obviously the platforms, the services, how we securely deploy our applications and secure the services of public cloud assets that we consume.
For those that may not be familiar, Discover Financial Services started out as a credit card company along with a payment network. So we're around the globe as a payment company, credit card company, also banking, so typical deposits, checking products as well. So I'm happy to be here to talk about the tech radar.

Thank you for being here, Keith. As well, I'd like to thank the technology radar team for contributing their time over the past couple of weeks to produce this tech radar, and of course contributing their expertise to the wider community. Now, the theme of this technology radar was DevSecOps, and I'd like to ask our tech radar team: why did you choose DevSecOps as the main topic for this radar? Maybe you could link it to some of the challenges you face in your organizations, or maybe some of the tools that you currently use within your organization. Who'd like to start?

I could start, because it's something very, very important for us. We are at the moment at a crossroads, basically we are now changing the whole CI/CD pipeline and really changing the way we deliver code. And while doing that, after a few months of exploring, we finally settled on a technology stack and realized that more than half of the technologies that we're using in the CI/CD were actually security oriented. And then we said, okay, let's stop a little bit and let's see what we are doing. This is not just DevOps, because just talking about DevOps, this is definitely a big uppercase Sec as in DevSecOps. And obviously, yeah, it started from there. It started from curiosity, I guess, and exploration, and then realization, and then DevSecOps, it's basically everywhere.

Yeah, from my perspective, when we look at, you know, public cloud consumption, trying to deploy applications, consume the services, I would say more than half of our time spent discussing designs focuses around security.
And so introducing security, obviously it's first of mind for any company, but particularly a financial services company. And so the desire to go fast and quickly from our business and their development community has to be balanced against security. So it's a constant sort of balance and discussion about how we secure these things while allowing our business to go fast. And the second part is that the rate of change, you know, in this space is probably one of the fastest, right? So if you look at the landscape in the ecosystem, there's new products coming out every day. And so it's a very interesting space, but one that's constantly sort of forcing us to reevaluate sort of our security posture and balancing that against our desire to go fast.

So this is actually very good insight, because personally, I think, especially in the last year cloud native has had a major focus on security, and we've seen that from TAG Security as well with the release of the security white paper and the white paper on the supply chain as well. As well, in the past we had a tech radar which was solely focused on secrets management. So again, this is an area of hot interest for our end user community. Now, once the tech radar team chooses a topic, in this case DevSecOps, what we usually do is go back to our end user community and ask for their feedback. Pretty much we would like to understand what kind of tools they currently use that are related to DevSecOps, if they would recommend them to be used by other organizations, or if they stopped using some of the tools because they overcame the challenges. So we are actually asking for their votes. And currently we had 252 votes from our end users across 35 tools. The tech radar will only showcase a small portion of that that we can showcase within the radar.
We had organizations from, again, different industries and sectors. The majority of them actually categorize themselves as software, which is quite generic to be honest. But if you look into the size of the organizations, most of them come from large companies, meaning that again security is at the forefront for organizations that are operating at scale. So before we look into the finalized radar, I would like to ask the tech radar team: what were your expectations when you thought about producing this kind of radar, based on your expertise and maybe some interactions with other end users? What did you expect to be the end result of this tech radar?

I can go first. I think what I was expecting is that there would be a sort of a consolidation on certain capabilities. I think the capabilities are sort of represented, but the sheer number of products is a bit staggering. So, I don't know if it was unexpected. I hoped for a little more sort of consolidation, but what we're seeing is a highly, I would say fractured strategy from different companies, and that's represented in the sheer number of tools that were articulated in the survey. So in one respect I think it surprised me a little bit, but on the other hand it wasn't, given sort of what Discover is facing and sort of trying to come up with a cohesive strategy as it pertains to DevSecOps.

Sergiu, I've seen you've nodded a couple of times there. Do you kind of align with these kinds of expectations?

Yeah, I'm 100% aligned with you. I guess I received something else than I was actually expecting. I was expecting to see a different kind of products, different kind of adoption on some of the tools, and I was definitely not expecting to see so many newcomers on the security table and security space. That's really amazing to see so much development going on in that direction. We are in great need of better tools and better education around security.
So it's good to see that the community is providing you with so many options. It's hard to keep up with everything that is being thrown at you right now probably, but it's always better to have options than not to have them.

That's amazing. Well, I think this is a great segue to present our DevSecOps technology radar from the CNCF end user community. In the radar we showcase 16 tools across three levels. In adopt, we have Istio, SonarQube, Artifactory, HashiCorp Vault, Calico/Tigera, Terraform, Argo CD and OPA. And as a reminder, the adopt level pretty much contains the tools that the end user community definitely did use in their production systems. They're stable and they definitely recommend for other organizations to have a look at them. In the trial level, we have Xray, so pretty much these are the tools that again the end users had some success with and would recommend looking at. And within assess, again very well represented here, we have tools such as Cilium, Harness, Snyk, Sonatype Nexus, HashiCorp Sentinel, GitHub Actions, Linkerd and Trivy. The assess tools currently are the tools that are very promising. They are very good at solving one particular problem and the end user community would recommend looking into these tools if you're facing that problem within your organization.

Now, based on the votes that we had from our end user community and the expertise from the tech radar team, the tech radar team summarized the tech radar in three themes. So let's go through them in a bit more detail. The first one is that security is the main focus of DevSecOps, but at the time it's at the expense of the developer experience. Now, Sergiu, I know you disagree with this particular thing, but would you maybe share your thoughts on why security is compromised at the expense of developer experience? Actually, why the developer experience is compromised at the expense of security?
I disagree with the light in which we are actually seeing security now. It's like you always have to compromise something to get a basic function such as security. I could explain the expense of developer experience through the fact that not many organizations maybe realize that they need to hire in the DevOps team, they need to hire some specialists that focus on security. And that means that the resources are normally focused on developer experience. You take them and you focus them on security. I believe security is now seeing something like the golden age, and a big amount of the tools that we're seeing and the options that are currently being developed are giving you the space to finally execute on reaching the security that you were always dreaming of as a CISO or as a security expert. I'm seeing it in a more positive light and maybe a more idealistic one, the kind of environment where you can balance the developer experience with a security narrative.

Keith, what are your thoughts on security and the relationship it has with the developer experience?

Yeah, it's definitely impactful. I would say sometimes at the expense of developer experience, our developer community would probably say always, but it's about striking a balance for sure. And I think the tools are getting better. But still, there's not a sort of a cohesive, prescriptive way to securely develop for the cloud. And the cloud is so many things to so many people, so it's hard to come up with just one thing. And the landscape is always shifting, which also makes it difficult, right? There are new attacks, there's, you know, new things that we always have to account for. This is pure overhead from a developer perspective, right? But we sort of are uncompromising in terms of our security posture in the public cloud. So, yes, it's definitely impactful. But I think at the end of the day everybody realizes it just takes one misstep to sort of create an exposure that can impact you for years.
So, I would agree with this for sure.

And are there any tools currently from our DevSecOps tech radar that you would say are focusing more on the developer experience and maybe bridging the gap between how we can integrate security, but at the same time make it easier for the engineers or users to implement the security rules?

I would say it's a work in progress. I guess the main focus was delivering on the security promise. For example, even when you build a pipeline, then you have to realize that you have different audiences for the final feedback. Now, the question is, where do you go first with the feedback? Do you go to the developer? Does he have the knowledge and expertise to figure out security? Or do you completely skip him and you go to the CISO, and the CISO has a team that focuses on that? So, I guess the narrative is just starting to get there. I guess there's going to be friction at the beginning. And the developers and the architects of the pipeline will have to make some tough decisions. And then maybe indeed we're going to see some sacrifices also being made in the first iteration, but I guess we're getting there.

Yeah, I don't think there's one specific one, I don't think the tools themselves make it easier. I think if you look at the public cloud providers and what they're trying to do, sort of create an end to end experience with all of the tooling, I think that's sort of compelling for some companies, where you're not stitching individual tools together. But at the end of the day, you have a pipeline and you have to automate all of these things, right? Now, the tools have gotten better, you know, fully REST-enabled and things like that, but still, unless you're going all in with a public cloud provider's set of tools and pipelines, you're sort of stitching these things together yourself, right?
But the tools have definitely gotten better in terms of how you interact with them and sort of the information they give you back, but there's no silver bullet here.

I was actually about to say it seems like there is not one solution that's going to fit all the problems that we have out there. Let's move to our second theme. And this one actually mentions that the pace of change in the security space is rapid. Now you've mentioned previously that there is a plethora of tools currently covering the DevSecOps space and there is barely any consolidation. Now, why do you think the security space is moving so fast?

I would think it's partially because if you look at the public cloud providers, right, you take AWS, Google, Azure, the major ones, the rate at which they're introducing new services and capabilities to the enterprise is pretty staggering, right? So not only do you have to understand how to consume those, you have to understand how to consume them securely, right? And then factor in technologies like Kubernetes, right, which is sort of an explosion of what's possible and things that are running within Kubernetes, then you just have this multiplicative factor in terms of what you're looking at and things you have to secure. So not only are you looking at end user capabilities, but now you have to secure them. And so the security tools are trying to keep up with the services and how you host them and run them. So it's sort of a never ending, you know, trying to keep up with what the public cloud providers are doing and what the Kubernetes environment is doing. So I don't see it slowing down anytime soon, right? The public cloud providers are not slowing. So I don't expect the pace of change to slow at all.

So what are your thoughts on this one? Would you agree?

Yes, I agree with that. I would add a different dimension and that's probably the speed of innovation currently and of digitalization, right?
Because now you have most of the companies dropping their on-premise, they moved to cloud, they fully go to Kubernetes, and the whole Kubernetes environment is evolving so fast. So you just find yourself in a place where the old way of doing security doesn't work anymore the way it used to work. So you are looking for different security, different problems now that you have to deal with. And then of course you have a lot of small companies, a lot of niche companies that come forward and give you the solution for the problem that you're facing at the moment. And then of course a new cycle enters and then a new space is being discovered. And then of course you have to deal with that. I can give you an example, like the Checkov open source project, right? Once you do infrastructure as code and declare everything in some documentation or define it in a YAML file or a JSON file, then security has a different connotation. You have to look at how you declare everything and you need to find the security in your declaration. So that's a different mindset of doing security.

Awesome. And actually here I have a follow up question. So it seems like we have, again, a plethora of tools to cover different small areas where we need to integrate security across different stages. Like, you know, the stage where we develop an application, where we deploy it and where we actually execute it within our production environments. Now, do you feel like this great amount of tools within the ecosystem increases the complexity of integrating security, or does it simplify it?

I don't think it simplifies, right?

Yeah, go ahead.

It's probably complicating it right now in order to simplify it in the future. I would say it like that. I mean, now we are like struggling to find the best tools and then to integrate them in what we are doing. So of course we're going to see a lot of options. We are not seeing one single tool that does everything.
So that means that you need to first understand the promise of the tool, then you need to find an integration in your technology stack. So obviously the complexity is there. It's going to be on the shoulders of a few, which ideally are going to manage to maybe simplify it for the whole organization at the end of the day.

Yeah, I think it's complicated. What I would suggest is, you know, I constantly say at our company, it's almost more important what we choose not to do than what we do, right? Because there's so much distraction, new tools coming out every day. Vendors that started in one space are now emerging and trying to get into other spaces, right? Which then allows for a consolidation. So it's a constant challenge. But you need to get started and stay focused on sort of your path and get something, you know, out the door, otherwise you're in this perpetual sort of analysis paralysis. It's very easy in this space.

Exactly. At the moment, you might end up with maybe five tools or frameworks added in your technology stack that do the same thing. And then the complexity comes, like who does it best. Right. So you need to evaluate the already existing tools and then compare the results. And obviously this also evolves in time. So one that does very well today might not do as well in the future. So it's a struggle to find the right balance of relevant and irrelevant and then also to make the optimal decision at every point in time. So it's complex. It's a complex situation right now.

It seems like a constant iteration of, you know, optimizing the way we integrate security, but at the same time, you know, making it as simple as possible for engineers to use it as well. So let's move to our third theme. And this one specifies that micro-segmentation capability is very important, but presents a significant challenge.
Now I have a question for Keith, because he mentioned micro-segmentation first within the DevSecOps radar. So would you be able maybe to explain what you mean by the micro-segmentation capability and maybe go on to explain why it's such a challenge at the moment?

I think, you know, the tools and, you know, we're trying, I think we're painting a bit of a dark picture. There are great tools that allow you to actually improve your security posture, make no mistake about it. This is a prime example. So if you look at things like service mesh, right, things represented on the radar like Istio, right, or Calico, you know, from a network micro-segmentation perspective. So these things started out years ago, right, and sort of are still trying to get full traction and adoption. They're bumping up against, even in the Kubernetes space you're bumping up against sort of the legacy implementations within your own private data centers where you have, you know, these firewalls that sit at the edge. So integrating all of these capabilities within your sort of traditional data centers and bringing everybody along for that ride and coming to, again, a consolidated strategy is challenging. So sometimes it's about the tech, but sometimes it's about the enterprise and sort of what you have traditionally done and changing mindset. So it's not all about the difficulty of absorbing tech. It's a real challenge, but it's also, you know, culturally, you know, historically what you've done. So I think this is one area, micro-segmentation, that we're bumping up against, whether it's, you know, API gateways versus service mesh, whether it's edge firewalls versus sort of Kubernetes federated firewall functions with something like Calico. I think there are multiple aspects to this theme here.

What are your thoughts on this one?
Nothing to add as a point here, but maybe I can add something like, definitely when you talk about micro-segmentation, especially when you look at the mesh layer, it's extremely complex to have it on an already existing system because it's challenging everything that you have. You have to do security differently. Now you have mutual TLS, now you have rotation of the certificates automatically. Now you have different policies that need to somehow speak the same language as the other policies that you have in your technology stack. So at one point you need to consolidate on that and go for one single way of specifying the policies. So it comes with a lot of depth. Once you decide to have micro-segmentation, then you need to challenge everything and do it right.

Amazing. Well, thank you both for your very insightful thoughts on the DevSecOps themes for this technology radar. Now before we actually conclude this webinar, I would like to ask about your experience of being part of the tech radar team and producing the technology radar. So could you maybe share your thoughts around it, your experience so far? Keith, do you want to take this?

Yeah, sure. No, it was fun. I mean, sometimes you kind of get wrapped up in your own echo chamber, right? You sort of listen to your own thoughts and the thoughts of those immediately around you. So it's nice to step out and see what the community as a whole is doing and hear directly from other people that are trying to solve similar problems, right? Maybe different sectors, but still we're all facing the same thing. So just seeing the survey results and the sheer number of tools makes you feel a little better in terms of, well, you know, maybe the challenges and sort of the overwhelming feelings that I have at times aren't that bad, right? Because everybody's facing them, right? But it was fun.
It was fun to go through this exercise with you guys.

Yeah, same here. I had a lot of fun and the discoveries are very, very welcome. You don't want to be too original when you choose your next technology stack. So it's always great to come forward and just present the technology stack and then listen to the others, and then listen to some stories about why some technologies are fine, maybe why support is sometimes much more important than the technology behind it. So these kinds of things you'll never get if you stay in your own micro-isolation, right? So you need to expand to the community and then you're definitely going to learn something. For us, the work was really good. We challenged existing technologies, and we looked closer at some technologies that don't look that well. So it's a step forward for us.

Amazing. Well, personally, I did enjoy creating this tech radar as well, and I've learned a lot from this process about DevSecOps by collaborating with both of you. So thank you very much for giving up your time and expertise. And just before we wrap up, I would like to mention that we have previous editions of our technology radar that you will be able to find at radar.cncf.io, and some of the themes that were chosen in the past focus on multi-cluster management, secret management, database storage, observability and continuous delivery. But more importantly, I would like to invite everyone to get involved. If, for example, you have a topic that you'd like to be covered by the end user community, you'll be able to propose it by going to cncf.io/techradar. This is pretty much a GitHub issue, so you'll be able to, again, propose a topic or you'll be able to upvote some of the existing topics as well.
Now, if you'd like to contribute to one of our technology radars, you pretty much have to be an end user member, so you'll be able to find all of the information on how to join the CNCF end user community by going to cncf.io/enduser. And if you have any feedback in regards to today's tech radar or any of the previous tech radars, please send your feedback to cncf.io. So, again, I'd like to thank the tech radar team, Sergiu and Keith, thank you very much for being here with me today and recording this webinar on the DevSecOps technology radar.

Thanks, Katie.

Thank you, and see you for the next iteration. Bye.

Bye bye.