►
Description
In September 2021, the 155+ companies in the CNCF End User Community were asked to describe what their companies recommended for DevSecOps' different solutions: Hold, Assess, Trial, or Adopt. They could also give more detailed comments. As the answers were submitted via a Google Spreadsheet, they were neither private nor anonymized within the group.
Twenty-four companies, including Discover Financial Service, Allianz Direct, Intuit, Squarespace, Spotify, and Shopify, submitted 252 data points. These were sorted to determine the final positions. The Radar Team then curated the responses, chose outcomes, and described any patterns or themes they saw in the data or from their own experience.
A
Hello,
everyone
and
welcome
to
the
september
2021
end
user
technology
radar.
I
am
excited
to
have
here
with
me
today:
the
technology
radar
team
featuring
representatives
from
organizations
such
as
aliens
direct
and
discover
financial
services
and
today
we're
going
to
have
a
look
through
the
technology
radar
that
they've
produced
over
the
last
couple
of
weeks.
A
A
Once
we
actually
choose
a
theme
or
the
technology
radar
team
chooses
a
theme
we'll
go
to
the
end
user
community
and
ask
for
their
feedback
based
on
their
feedback
on
votes.
We
will
categorize
tools
and
frameworks
in
one
of
these
levels.
Adopt
pretty
much
means
that
this
tool
is
highly
recommended
by
the
end
user
community.
They
have
been
using
this
tool
in
their
production
systems
and
is
proven
to
be
stable
and
useful.
A
The
tools
that
are
categorized
as
trial
is
pretty
much
other
tools
that
have
had
success
with
the
engineer
community
and
they
definitely
recommend
to
have
a
closer
look
at
those
and
the
assess
tools.
These
are
pretty
much
tools
that
focus
on
maybe
solving
very
specific
problems.
Very
specific
and
small
problems,
the
end
user
community
did
poc
it
or
investigated
in
the
past
and
definitely
would
recommend
for
you
to
look
as
well.
If
you
face
the
same
problem
in
your
organization,.
A
B
Of
course,
thank
you
katie.
My
name
is
sergey
patan,
I'm
the
head
of
devops
italians,
direct,
I'm
responsible
for
operating
and
growing
the
platform
for
the
whole
company.
You
might
know
about
allianz,
but
alien
direct
has
a
little
bit
of
different
identity.
We
are
seen
they're,
seeing
it's
ourselves
as
an
id
company,
a
technology
company
with
a
license
for
insurance,
and
you
can
see
that
in
I
guess
in
our
in
our
technology
stack.
C
Yeah
thanks
katie,
I'm
keith
nielsen.
I
am
director
of
cloud
architecture
at
discover
financial
services.
My
responsibilities
here
are
sort
of
focusing
on
strategies
around
how
we
consume
public
cloud.
The
services
of
public
cloud
in
relation
to
our
private
cloud,
so
part
of
those
strategies
are
obviously
the
platforms.
The
services
how
we
securely
deploy
our
applications
and
secure
the
services
of
public
public
cloud
assets
that
we
consume
for
those
that
may
not
be
familiar
discover.
C
A
A
Now
the
theme
of
this
technology
radar
was
deafsec
ops
and
I
would
like
to
ask
our
techradar
team:
why
did
you
choose
devsecops
as
the
main
topic
for
this
radar?
Maybe
you
could
link
it
to
some
of
the
challenges
you
face
in
your
organizations
or
maybe
some
of
the
tools
that
you
currently
use
within
your
organization
who
would
like
to
start.
B
I
could
start
because
it's
something
very,
very
important
for
us.
We
are
at
the
moment
at
crosstrek.
Basically,
we
are
now
changing
the
cicd
pipeline
and
really
change
the
way
we
deliver
code
and
while
doing
that,
after
a
few
months
of
of
exploring,
we
finally
set
up
on
a
technology
stack
and
realize
that
more
than
half
of
the
technologies
that
we're
using
in
the
cicd
were
actually
security
oriented.
B
And
then
we
said:
okay,
let's,
let's
stop
a
little
bit
and
let's
see
what
we
are
doing.
This
is
not
just
devops
because,
like
just
talking
about
the
divorce,
this
is
definitely
a
big
uppercase
sec,
as
that's
the
course
and
and
obviously
yeah
it
started
from
there.
I
started
a
curiosity,
I
guess
an
exploration
and
then
the
realization
and
then
there's
a
cop.
It's
it's
basically
everywhere.
C
Yeah
from
my
perspective,
when
we
look
at
you
know,
public
cloud
consumption
trying
to
deploy
applications
consume
the
services,
I
would
say
more
than
half
of
our
our
time
spent
discussing
designs,
focuses
around
security,
and
so
introducing
security
obviously
is
first
of
mind
for
for
any
company,
but
particularly
a
financial
services
company
and
so
trying
to
balance
the
desire
to
go
fast
and
quickly
from
our
business
and
our
development
community
has
to
be
balanced
against
security.
So
it's
a
constant
sort
of
balance
and
discussion
about
how
we
secure
these
things.
While.
C
Our
business
to
go
fast-
and
the
second
part
is-
is
that
the
rate
of
change
you
know
in
this
space
is
is
probably
one
of
the
fastest
right.
If
you
look
at
the
the
landscape
in
the
ecosystem,
it's
there's
new
products
coming
out
every
day,
and
so
it's
it's
a
very
interesting
space,
but
one
that's
constantly
sort
of
forcing
us
to
reevaluate
sort
of
our
security
posture
and
balancing
that
against
our
our
desire
to
go
fast.
A
Now
this
is
actually
very
good
insights,
because,
personally,
I
think,
especially
in
the
last
year,
cloud
native
has
had
a
major
focus
on
security
and
we've
seen
that
from
tag
security
as
well
with
the
release
of
security
white
paper
and
the
white
paper
on
the
supply
supply
chain
as
well
as
well.
In
the
past,
we
had
a
tech
radar
which
was
solely
focused
on
secrets
management
as
well.
So
again,
this
is
an
area
of
hud
interest
for
our
end
user
community.
A
Now,
once
the
decorator
theme
chooses
a
topic,
in
this
case,
their
psychops,
what
we
usually
do
we
go
back
to
our
end
user
community
and
ask
for
their
feedback,
pretty
much
we'd
like
to
understand
what
kind
of
tools
they
use
currently
that
are
related
to
devstakops,
if
they
would
recommend
them
to
be
used
by
our
organizations
or
they
stopped
using
some
of
the
tools
because
they
overcome
the
challenges.
So
we
are
actually
asking
for
their
votes,
and
currently
we
had
252
votes
from
our
end
users
across
35
tools.
A
The
tech
radar
will
only
showcase
a
small
portion
of
that
that
we
can
showcase
within
the
radar.
We
had
organizations
from
again
from
different
industries
and
sectors.
Majority
of
them
actually
categorized
themselves
as
software,
which
is
quite
generic,
to
be
honest,
but
if
you
look
into
the
size
of
the
organizations,
most
of
them
come
from
large
companies,
meaning
that
again,
security
is
at
the
forefront
for
organizations
that
are
operating
at
scale.
A
Now
before
we
look
into
the
finalized
degrader,
I
would
like
to
ask
the
tech
radar
team.
What
were
your
expectations
when
you
thought
about
producing
this
kind
of
radar
based
on
your
expertise
and
maybe
some
interactions
with
other
end
users?
What
did
you
expect
to
be
the
end
result
of
this
decorator.
C
C
I
would
have
hoped
for
a
little
more
sort
of
consolidation,
but
what
what
we're
seeing
is
a
highly,
I
would
say,
fractured
strategy
from
from
different
companies
and
and
that's
represented
in
the
sheer
number
of
tools
that
were
articulated
in
the
survey
survey.
So
in
one
one
respect
I
think
it
it
surprised
me
a
little
bit,
but
on
the
other
hand,
it
wasn't
given
sort
of
what
discovers
is
facing
and
sort
of
trying
to
come
up
with
a
cohesive
strategy
as
it
pertains
to
devsecops.
B
B
Yeah,
I'm
100
aligned
with
kids
yeah,
it's
it's.
I
guess
I
I
received
something
else
than
I
was
actually
expecting.
I
was
expecting
to
see
a
different
kind
of
products,
different
kind
of
adoption
and
some
of
the
tools-
and
I
was
definitely
not
expecting
to
see
so
many
new
comments
on
the
security
table
and
security
space.
So
that's
really
amazing
to
see
so
much
so
much
development
going
on
in
that
direction.
It's
we
are
in
need
in
a
great
need
for
better
tools
and
better
education
around
security.
B
A
Amazing,
well,
I
think
this
is
a
great
segway
to
present.
Oh,
I
think
I
one
more
click
to
present
our
desktops
technology
radar
from
the
cncf
end
user
community.
So,
in
the
current
trader
we
showcase
16
tools
across
three
levels.
In
the
adopt
we
have
istio
sonar,
cube,
artifactory,
hashicorp,
vault,
calico,
slash,
tigera,
terraform,
argo,
cd
and
lpa,
and,
as
a
reminder,
the
adult
level
pretty
much
are
the
tools
that
the
end
user
community
definitely
did
use
in
the
production
system.
A
They
are
stable
and
they
definitely
recommend
for
other
organizations
to
have
a
look
at
in
the
trial
level.
We
have
x-ray
so
pretty
much.
These
are
the
tools
that
again
the
end
users
had
some
success
with
and
would
recommend
to
look
at
these
tools
and
within
the
ss
again
very
well
represented
here.
We
have
tools
such
as
psyllium
harness
sona,
sonotype,
nexus,
hashicorp,
sentinel,
github
actions,
linker
d
and
3d
again.
Assess
tools
currently
are
the
tools
that
are
very
promising.
A
A
The
first
one
is
that
the
security
is
the
main
focus
of
the
devsecops,
but
at
the
time
it's
at
the
expense
of
the
developer.
Experience
now
sergio.
I
know
you
disagree
with
this
particular
thing,
but
would
you
maybe
share
your
thoughts
why
the
security
is
compromised
at
the
expense
of
developer
experience?
Actually
why
the
developer
experience
is
compromised
at
the
expense
of
security.
B
B
I
could
explain
the
expense
of
developers
experience
through
the
fact
that
not
many
organizations
maybe
realize
that
they
need
to
hire
in
the
evolve
steam.
They
need
to
hire
some
specialties
that
focus
on
security,
and
that
means
that
they
resources
that
normally
should
focus
on
development
experience.
You
take
them
and
you
focus
them
on
security.
B
I
believe
the
the
the
security
is
now
seeing
like
the
golden
age
and
a
big
amount
of
the
tools
that
we're
seeing
and
the
options
that
are
currently
being
developed
are
giving
you
the
space
to
to
finally
execute
on
reaching
the
security
that
you
are
always
dreaming
as
a
cso
or
as
a
security
expert.
I'm
saying
it
more
in
this
life
in
a
more
positive
light
and,
and
maybe
a
more
idealistic,
there's
a
course
environment
where
you
can
balance
the
development
experience
with
the
security
narrative.
C
Yeah,
it's
definitely
impactful,
I
I
would
say
sometimes
at
the
expense
of
developer
experience.
Our
developer
community
would
probably
say
always,
but
it's
about
striking
a
balance
for
sure,
and
I
think
the
tools
are
getting
better,
but
still
there's
not
a
sort
of
a
cohesive
sort
of
prescriptive
way
to
securely
develop
for
the
cloud
and
the
cloud
is,
is
so
many
things
to
so
many
people.
So
it's
hard
to
come
up
with
just
one
thing
and
and
the
the
landscape's
always
shifting,
which
also
makes
it
difficult
right.
There's
a
new
attacks.
C
A
And
are
there
any
tools
currently
from
the
from
our
desk
ops,
decorator,
that
you
would
say
that
are
focusing
more
on
the
developer
experience
and
maybe
bridging
the
gap
between?
How
can
we
integrate
the
security
but
at
the
same
time
make
it
easier
for
the
engineers
or
users
to
implement
the
security
rules.
B
I
would
say
it's
it's
working
progress.
I
guess
the
main
focus
was
delivering
on
the
security
promise,
for
example,
even
when
you,
when
you
build
the
five
lines,
and
you
have
to
realize
that
you
have
different
audiences
for
the
final
feedback
now.
So
the
question
is
where,
where
do
you
go?
First,
with
the
feedback,
do
you
go
to
developer?
Does
it
have
the
knowledge
and
the
expertise,
the
figure
security
or
you
completely
skip
him
and
you
go
to
the
season
and
the
ciso
has
a
team
that
focuses
on
that.
So
I
guess
it's.
B
The
narrative
is
just
just
starting
to
to
get
there.
I
guess
it's
going
to
be
a
fiction
at
the
beginning
and
the
the
developers
and
the
architects
of
the
pipeline
will
have
to
make
some
tough
decisions
and
then
maybe
indeed
we're
gonna
see
some
sacrifice
also
being
made
in
the
first
iteration.
But
I
guess
we
are
getting
there
soon.
C
Yeah,
I
would
think,
there's
there's
not
one
specific
there.
I
don't
think
the
tools
themselves
make
it
easier.
I
think
if
you
look
at
the
public
cloud
providers
and
what
they're
trying
to
do
and
sort
of
create
an
end-to-end
experience
with
all
of
the
tooling,
I
think
that's
that's
sort
of
compelling
for
some
companies
where
you're
not
stitching
individual
tools
together,
but
at
the
end
of
the
day
you
have
a
pipeline
and
you
have
to
automate
all
of
these
things
right
now.
The
tools
have
gotten
better.
C
You
know
fully
rest
enabled
and
things
like
that,
but
still
you're
sort
of
unless
you're
going
all
in
with
a
public
cloud
or
provider
set
of
tools
and
pipelines,
you're
sort
of
stitching
these
things
together
yourself
right,
but
the
tools
have
definitely
gotten
better
in
terms
of
how
you
interact
with
them
and
sort
of
the
information
they
give.
You
back,
but
there's
no
simple
bullet
here.
A
Let's
move
to
our
second
theme
and
it's
this
one
actually
mentions
that
the
pace
of
changing
the
security
space
is
rapid.
Now,
you've
mentioned
previously
that
there
are
plethora
of
tools
currently
covering
the
devsecop
space,
and
there
is
very
little
consolidation
now
do
you.
Why
do
you
think
the
security
space
is
moving
so
fast.
C
I
I
would
think
it's
partially
because
if
you
look
at
the
public
cloud
providers
right,
you
take
aws,
google
azure,
the
major
ones,
the
rate
at
which
they're
introducing
new
services
and
capabilities
to
the
enterprise
is
pretty
staggering
right.
So
not
only
do
you
have
to
understand
how
how
to
consume
those,
you
have
to
understand
how
to
consume
them
securely
right.
You
then
factor
in
technologies
like
kubernetes
right,
which
is
sort
of
an
explosion
of
what's
possible
and
things
that
are
running
within
kubernetes.
C
Then
you
just
have
this
this
multiplicative
factor
in
terms
of
what
you're
looking
at
and
things
you
have
to
secure.
So
not
only
are
you
looking
at
end
user
capabilities,
but
now
you
have
to
secure
them,
and
so
the
the
security
tools
are
trying
to
keep
up
with
the
services
the
services
and
and
how
you
host
them
and
run
them,
and
so
it's
sort
of
a
never-ending
you
know
trying
to
keep
up
with.
You
know
what
what
the
public
cloud
providers
are
doing
and
what
the
kubernetes
environment
is
doing.
C
B
I
I
agree
with
that,
I
would
add
a
different
dimension
and
that's
probably
the
the
speed
of
innovation
currently
and
of
digitalization
right,
because
now
you
have
most
of
the
companies
dropping
their
own
premise.
They
moved
to
cloud
today.
They
fully
go
to
kubernetes
and
the
whole
kubernetes
environment
is
evolving.
So
so
far,
so
you
you
just
find
yourself
in
a
place
where
the
old
way
of
doing
security
doesn't
work
anymore.
The
way
it
used
to
work,
so
you
are
looking
for
different
security.
B
So
I
I
can
give
you
an
example
is
like
like
there's
a
check
of
open
source
project
right
there
once
you
do
the
infrastructure
as
a
code,
and
you
declare
everything
in
some
some
documentation
or
define
it
in
the
yaml
file
on
the
json
file.
Then
security
has
a
different
connotation.
You
have
to
look
at
how
you
declare
everything
and
you
need
to
find
the
security
in
your
in
your
declaration.
So
that's
a
different
mindset
of
building
security.
A
Awesome,
and
actually
here
I
have
a
follow-up
question,
so
it
seems
like
we
have
plethora
again
of
tools
to
cover
different
small
areas
where
we
need
to
integrate
security
across
different
stages.
Like
you
know,
in
in
the
stage
with
the
developing
application
we
deployed
and
we
actually
executed
within
our
production
environments
now
do
you
feel
like
this
amount
or
great
amount
of
tools
within
the
ecosystem?
B
Apologize
right,
yeah
yeah
go
ahead.
For
me,
it's
it's!
It's
probably
complicating
it
right
now
in
order
to
simplify
it
in
the
future.
I
I
would
see
like
that.
I
mean
now
we
are
like
struggling
to
find
the
best
tools
and
then
to
integrate
it
in
what
we
are
doing.
So,
of
course,
we're
going
to
see
a
lot
of
options.
We
are
not
seeing
one
single
tool
that
does
everything.
So
that
means
that
you
need
to
first
understand
the
promise
of
the
tool.
B
A
C
I
I
think
it
I
think
it's
complicated
in
it.
What
I
would
suggest
is
you
know
I
constantly
say
at
our
company:
it's
it's
almost
more
important.
What
we
choose
not
to
do
than
what
we
do
right,
because
there's
so
much
distraction
new
tools
coming
out
every
day,
vendors
that
started
in
one
space
are
now
emerging
and
trying
to
get
into
other
spaces
right,
which
then
allows
for
a
consolidation.
C
B
At
the
moment,
you
might
end
up
with
maybe
five
tools
or
frameworks
added
in
your
technology
stack
that
do
the
same
thing
and
then
the
complexity
comes
like
who
does
it
best
right?
So
you
need
to
evaluate
the
already
existing
tools
and
then
compare
the
results,
and
obviously
this
also
evolves
in
time.
So
one
that
does
very
very
good
today
might
not
do
as
well
as
today
in
the
future.
B
A
It
seems
like
in
constant
iteration
of
you
know,
increasing
that
of
like
optimizing.
The
way
you
integrate
security,
but
at
the
same
time
you
know
make
it,
as
you
know,
simple
for
you
know
engineers
to
use
it
for
it
as
well,
and
let's
move
to
our
deferred
fame,
and
this
one
specifies
that
micro
segmentation
capability
is
very
important
but
presents
a
significant
challenge.
Now
I
have
a
question
for
kate
because
he
mentioned
micro
segmentations
first
within
the
desktops
radar.
C
Yeah,
I
think
you
know
the
the
tools,
and
you
know
we're
trying
to.
I
think
we're
painting
a
bit
of
a
dark
picture,
there's
great
tools
that
allow
you
to
actually
improve
your
security
posture.
Make
no
mistake
about
it.
This
is
a
prime
example.
So
if
you
look
at
things
like
service
mesh
right
things
represented
on
the
radar
like
istio,
right
or
calico,
you
know
from
a
network
micro
segmentation.
C
These
things
started
out
years
ago,
right
and
sort
of
are
still
trying
to
to
get
full
traction
and
adoption.
They're
bumping
up
against
sort
of,
like
even
you're
in
the
kubernetes
space,
you're
you're
bumping
up
against
sort
of
these
sort
of
legacy
sort
of
implementations
within
your
own
private
data.
Centers,
where
you
have
you
know
these
firewalls
that
sit
in
the
edge
right,
so
integrating
all
of
these
capabilities
within
your
sort
of
traditional
data
centers
and
being
in
bringing
everybody
along
for
that
ride
and
coming
to
again,
a
consolidated
strategy
is
challenging.
C
So
sometimes
it's
about
the
tech,
but
sometimes
it's
about
the
enterprise
and
sort
of
what
you
have
traditionally
done
in
changing
mindsets.
So
it's
not
all
about
the
difficulty
about
absorbing
tech.
That's
a
real
challenge,
but
it's
also,
you
know,
culturally,
you
know,
historically
what
you've
done.
So
I
think
this
is
one
area,
micro
segmentation
that
we're
bumping
up
against
that,
whether
it's
you
know,
api
gateways
versus
service
mesh,
whether
it's
edge,
firewalls
versus
sort
of
kubernetes
sort
of
federated
firewall
functions
with
something
like
calico.
B
Nothing
to
add
as
a
point
here-
it's
maybe
maybe
maybe
I
keep.
I
can
keep
that
something
like.
Definitely
when
you
talk
about
micro
segmentation,
especially
when
you
look
at
the
mesh
mesh
layer,
it's
extremely
complex,
to
add
it
on
an
already
existing
system,
because
it
it's
challenging
everything
that
you
have.
You
have
to
do
security
differently.
Now
you
have
mutual
tls.
Now
you
have
rotation
of
the
certificates
automatically.
B
Now
you
have
different
policies
that
need
to
somehow
speak
the
same
language
as
the
other
policies
that
you
have
in
in
your
technology
stack.
So
at
one
point
you
need
to
consolidate
on
that
and
go
for
one
single
way
of
specifying
the
policy,
so
it
comes
with
with
a
lot
of
depth.
Once
you
decide
to
have
micro
segmentation,
then
you
need
to
challenge
everything
and
do
it
right.
A
C
Yeah
sure
no
it
was
fun.
I
mean
it's
always.
Sometimes
you
kind
of
get
wrapped
up
in
your
own
eco
chamber
right.
You
sort
of
listen
to
your
own
thoughts
and
the
thoughts
of
those
immediately
around
you.
So
it's
nice
to
step
out
and
see
what
the
community
as
a
whole
is
doing
and
hear
directly
from
other
people
that
are
trying
to
solve
similar
problems
right,
maybe
different
sectors,
but
still
we're
all
facing
the
same
thing.
C
So
to
see
the
sheer
you
know,
the
survey
results
and
the
sheer
number
of
tools
makes
you
feel
a
little
better
in
terms
of
well,
you
know.
Maybe
the
challenges
and
sort
of
the
overwhelming
feelings
that
I
have
at
times
are
aren't.
Aren't
that
bad
right,
because
everybody's
facing
them
right,
but
it
was
fun
it
was.
It
was
fun
to
to
go
through
this
exercise
with
you
with
you
guys.
B
Yeah
same
here
I
had
a
lot
of
fun
and
the
discoveries
are
very,
very
welcome.
You
don't
want
to
be
too
original
when
you
do
when
you
choose
your
next
technology
stack,
so
it's
always
great
to
come
forward.
You
know
just
present
the
technology
stack
and
then
listen
to
the
others
and
then
and
then
listen
to
some
stories
about
why
some
technologies
are
fine.
B
Maybe
why
support
it's
sometimes
much
more
important
than
the
technology
behind
it,
so
these
kind
of
things
you'll
never
get
if
you,
if
you
stay
in
your
own
micro
isolation
right,
so
you
need
to
expand
to
the
community
and
then
you're
definitely
going
to
learn
something
new.
It's
for
us
work
we're
like
really
good.
We
challenge
our
existing
technologies
like
we
looked
closer
to
some
technologies
that
don't
look
that
well,
so
it's
it's!
It's
a
step
forward
for
us.
A
B
A
But,
more
importantly,
I
would
like
to
invite
everyone
to
get
involved.
If,
for
example,
you
have
a
topic
that
you'd
like
to
be
covered
by
the
end
user,
community
you'll
be
able
to
propose
it
by
going
to
cncf.io
forward
slash
techreader.
This
is
pretty
much
a
github
issue,
so
you'll
be
able
to
again
propose
a
topic
or
you'll
be
able
to
upload
some
of
the
existing
topics
as
well.
A
Now,
if
you'd
like
to
contribute
to
one
of
our
technology
radars,
you
pretty
much
have
to
be
an
end
user.
Member,
so
you'll
be
able
to
find
all
of
the
information
of
how
to
join
the
cncf
end
user
community
by
going
to
cncf.io
forward
slash,
end
user,
and
if
you
have
any
feedback
in
regards
to
today's
techradar
or
any
of
the
previous
decorators,
please
send
your
feedback
to
cncf
at
cn
info
cncf.io.