Why I Joined StackRox - the Kubernetes Security Shift

AppSec Has Changed

Application security has matured, transformed, “shifted left”, been rebranded, de-centralised and even to an extent re-centralised over the past 10 years.

Keeping up with what is relevant, with a keen eye on what is coming, is a juggling act of Cirque du Soleil proportions and something that even the keenly enthused must work above and beyond to get a firm yet perpetually slippery grasp on.

The Catalyst

Kubernetes won the orchestration battle – so decisively that just last year (2019) Kelsey Hightower was elucidating his not-so-distant vision of a world where it was so ubiquitous that we no longer considered it: a post-KubeCon world where we focused on the next layer and next-generation innovations.

From this, the concept of Kubernetes-native security will be the phoenix from the ashes of early innovations in container security, which focused on the container itself. While this was a required step in the evolution towards what should, and will, become a declarative model for security, early solutions in this space are already looking dated.

With the acceptance and industry normalisation of infrastructure as code, there is a move to modernising this as ‘everything as code’. Security must follow suit.

Tools like the recently announced KubeLinter open source project from StackRox are a representation of how we secure the future of cloud native. The product of our ‘everything as code’ will be ‘security by default’. This will vastly reduce the burden on runtime and incident response, the complexity of developer workflows around security, and the business risk of human error. The by-product will of course be velocity and innovation. Security as an enabler can be realised.

The Plan

When I first spoke to Ali Golshan about StackRox he laid out a plan for security that transcended Kubernetes. His vision was set and aligned with our industry thought leaders, and it was the first time I’d heard somebody speak of declarative security with such casual obviousness. I entered the conversation a skeptic and left a convert.

The first thing that blew me away was when I heard that way back in 2017 StackRox put all of their chips on the table, betting that a declarative model for security utilising Kubernetes-native capabilities was the way forward. Kubernetes was at approximately release 1.7 at the time and was far, far from hardened and stable. Native capabilities needed a lot of work, but adoption was skyrocketing.

This was brave at best and a risky “all in” bet at worst. StackRox was a player in the cloud native security space and was barely a blip on my radar. Today, StackRox has emerged as a thought leader and innovator in Kubernetes security. The bet has paid off, and I’m happy to say I’m now “all in”.

What’s Next

While still not perfect, the vision will continue to mature alongside the fundamental building block of our cloud native ecosystem. If you want to work in and with Kubernetes and want a security solution that speaks your language, there is only one security solution available. If you want to align with a vision that sees security becoming as declarative and ubiquitous as Kubernetes itself, there is only one answer, and that is StackRox.

…and I am over the moon to be part of it.