The Cloud Native Computing Foundation (CNCF) was formed in 2015 by 22 supporting member companies.1 At launch, the mission statement was “to create and drive the adoption of a new computing paradigm that is optimized for modern distributed systems environments“. 2
Today, the CNCF mission is, according to their charter, “to make cloud native computing ubiquitous”.3 In addition, there are now 23 “Platinum” supporting companies, 27 “Gold” supporting companies, 659 “Silver” supporting companies, 103 “End User” supporting companies, 21 “Non-profit” members, and 4 “Academic” members — or ~837 member companies in total if you are looking for the big number.
CNCF produces a landscape of projects and members that, as of this post, represents a market cap of $18.9T and $54.2B in funding.4
Clearly, the landscape is a bit of an eye chart.
So, what’s new? In a word, as of this week, the observability company, Sidekick.
You might have noted the Gartner Survey of 2203 CIOs findings this week.5
Represents $322B in spending across 81 countries
Respondents were grouped by increased investments (emphasis mine)
cyber and information security (66%)
business intelligence/data analytics (55%)
cloud platforms (50%)
artificial intelligence (32%)
When you think of cyber and information security you probably think SecOps and for cloud platforms, you probably think DevOps. So, let’s think of these as connected topics as applying both AI and automation as DevSecOps.
So, let’s apply the findings using the lens of a CNCF End User Technology Radar for DevSecOps that was published this time last year.6
The Adopt list contains a few interesting DevSecOps references such as Istio and Open Policy Agent (OPA). The Assess list entries that caught my attention were Harness and Trivy.
The trial list only contains XRay which CNCF links to XRay (an Idera Company)7 which also turned out to be very popular for Atlassian Jira shops at the time of this radar publishing when I tried to understand the relevance to DevSecOps.
When I learned that XRay linked to in the Trial range was XRay, an Idera Company — not JFrog Xray8 the DevSecOps SCA toolset used with Artifactory in the Adopt range — I was confused. So, I'm not sure if this distinction was made clear in the radar methodology but I would suspect XRay (Idera) being linked to vs Xray (JFrog) might confuse more folks than just me.
Maybe I’m out of touch or maybe this just goes to show that common names for technologies, projects, products, and even companies can and will collide or become overloaded terms. Maybe… I should consider a pull request.9
Lastly, if the CNCF continues to publish radar findings year over year, the tracking of specific groups of technologies from assess to trial to adopt will be an even more valuable guide for the community. One possible consideration might be to enrich these radar findings with a stackshare.io10 drift over time.
So what’s the next DevSecOps Adopt candidate set for 2023?
Until next time… Place your bets!
As a reminder, I work at Taos, an IBM Company. If you’d like to learn more about Taos, you can register for our digital event this week on Thursday 27-October 2022 to hear Larry LaBas and Tim Clark discuss Transforming Security into a Business Enabler.
I am linking to my disclosure.