At KubeCon Europe 2022, some of cloud native computing’s best and brightest security minds talked about where we’re at now and where we’re going. The really short version is, “We’ll be shifting security left into DevSecOps as fast as we can.” But all the experts admitted that’s easier said than done.
The fundamental reason security is shifting is that threats can come from anywhere. Owen Garrett, head of products and community at cloud native observability firm Deepfence, pointed out that “In the old days when we built an application it was like a castle. We protected it by building a big wall and putting a gate and a gatekeeper because we knew what the castle was and where people entered, and we could protect it by stopping people coming in.”
That’s no longer the case. Today, Garrett continued, our applications are no longer castles, they’re “like cities, that grow and change over time. They have porous boundaries, you can’t put a wall around it, and the threats come from outside or inside in a manner that opponents within the city aren’t fully trusted. So you have to take a much broader team view of how you can secure applications. That spans from development through to operations in order to ensure the integrity of our application.”
Cultural Change
As Liz Rice, cloud native security firm Isovalent’s chief open source officer, said, “There’s a cultural change there around the speed and agility of how things are developed and deployed.” In addition, “in cloud native, we deploy applications into pods and those pods get IP addresses allocated dynamically. A traditional network security tool using IP addresses and port numbers isn’t really meaningful in a cloud native environment. That’s where the cloud native generation of security tools stands head and shoulders above the traditional approaches for what we’re trying to do today.”
Therefore, Andrew Martin, CEO of cloud native security consultancy Control Plane, noted that we’re seeing a “morphing of