StackRox Acquisition By Red Hat Underscores The Significance Of DevSecOps
Last week, Red Hat announced that it’s acquiring StackRox, a California-based Kubernetes security company founded in 2014.
This is one of the most strategic acquisitions for Red Hat, which is squarely focused on increasing its enterprise infrastructure market share. StackRox complements Red Hat’s current portfolio by bringing critical security capabilities that were missing from its infrastructure and platform offerings.
The founders of StackRox, Ali Golshan and Wei Lien Dang, have a strong security background. Ali worked at Microsoft and PwC as a security researcher, while Wei led secure product initiatives at CoreOS, AWS, Splunk, and Bracket Computing. In 2018, StackRox appointed Kamal Shah, an industry veteran and investor, as president and CEO.
DevSecOps, which combines DevOps practices with security operations, is becoming a top priority for enterprise customers. StackRox, through its integration with existing DevOps and CI/CD tools, delivers DevSecOps for Kubernetes with little friction.
How is StackRox Different?
Since its inception, StackRox has focused on securing the software supply chain. With the rise of containers and Kubernetes, the company doubled down on a Kubernetes-native security platform.
StackRox claims that its unique differentiator lies in its tight integration with Kubernetes. While competitors focus on traditional security approaches, StackRox covers the entire spectrum of the Kubernetes platform by leveraging Kubernetes primitives and native workflows. It brings contextual insights by combining Common Vulnerabilities and Exposures (CVE) data and severity scores with Kubernetes objects such as pods, deployments, and namespaces.
At one end of the software supply chain, StackRox integrates tightly with image registries to discover vulnerabilities in container images. At the other end, it integrates with the Kubernetes control plane and leverages native capabilities such as admission controllers to block misconfigured images, containers, and deployments before they are scheduled. StackRox also works natively with Istio to provide real-time security analysis and visualization of service traffic.
What’s in it for Red Hat?
Over the last decade, Red Hat has gradually shifted its focus to modern infrastructure based on containers and Kubernetes. OpenShift, Red Hat’s flagship container platform, has transformed from being a developer-oriented PaaS to a mature enterprise platform.
The acquisition of CoreOS in 2018 enabled Red Hat to integrate Quay, a proven container registry, with OpenShift. But OpenShift still lacked a native container security tool to scan the images stored in Quay. StackRox will be tightly integrated with Quay, bringing native image scanning to OpenShift.
With the integration of StackRox into the OpenShift API and Web Console, customers can automate running the CIS benchmarks.
StackRox will bring end-to-end security and visibility to OpenShift through native integration with CRI-O (the container runtime), OpenShift SDN (the CNI network plugin), and OpenShift Service Mesh, which is based on Istio.
The acquisition of StackRox is excellent news for Red Hat customers. It brings the most essential and critical capability to OpenShift – security.
StackRox Fuels the Multi-Cloud Ambitions of Red Hat
Red Hat knows that it has to tackle the cluster lifecycle and workload management of applications running on non-OpenShift environments such as Amazon EKS, Microsoft AKS, GKE, and IBM Kubernetes Service.
After IBM’s acquisition of Red Hat, Red Hat turned the IBM Multicloud Manager into an open source project and rebranded it as Red Hat Advanced Cluster Management for Kubernetes (ACM). This product competes with other meta-control-plane offerings such as Anthos, Azure Arc, Rancher and Tanzu Mission Control.
StackRox is designed to work with both the managed Kubernetes offerings running in the cloud and the distributions meant for on-premises use. By integrating StackRox with ACM, Red Hat will become one of the first in the industry to bring security to multi-cloud cluster management: any cluster registered with ACM would be able to take advantage of the security capabilities. This enhances the value proposition of Red Hat Advanced Cluster Management for Kubernetes.
Red Hat has mentioned that StackRox will continue to support multiple Kubernetes platforms, including the public cloud-based managed offerings.
Red Hat Commits to Open Sourcing StackRox
Continuing its promise of open-sourcing all of its products, Red Hat said that it is committed to open-sourcing the StackRox security platform. This will be a win for both customers and the OSS community.
KubeLinter, a popular open source tool from StackRox, analyzes Kubernetes YAML files and Helm charts for production readiness. Going forward, the KubeLinter project will be maintained by Red Hat.
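The article mentions two places where policy is enforced on Kubernetes manifests: admission controllers that block misconfigured deployments at the control plane, and KubeLinter, which flags the same class of problems statically in YAML and Helm output. The following is an added illustration of what such a check looks like; it is not StackRox or KubeLinter code, and its rule set, the trusted-registry allowlist and the sample Deployments are constructed for this example. The manifests are given as the dict that `yaml.safe_load` would return, so only the standard library is needed.

```python
"""Constructed example: policy checks of the kind an admission controller or a
manifest linter applies to a Kubernetes Deployment. Not StackRox or KubeLinter
code; the rules, the registry allowlist and the sample manifests are invented."""

# Hypothetical allowlist of registries whose images are scanned before use.
TRUSTED_REGISTRIES = ("quay.io/", "registry.internal.example/")


def _containers(deployment):
    """All containers (regular and init) in the Deployment's pod template."""
    spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    return list(spec.get("containers") or []) + list(spec.get("initContainers") or [])


def check_deployment(deployment):
    """Return human-readable violations for a Deployment manifest (the dict that
    yaml.safe_load produces). An empty list means the manifest passes."""
    violations = []
    name = deployment.get("metadata", {}).get("name", "<unnamed>")
    for c in _containers(deployment):
        cname = c.get("name", "<unnamed>")
        image = c.get("image", "")
        # Provenance: an image from an unknown registry never went through the
        # registry-side scanner, and an unpinned tag makes any scan result
        # meaningless because the bits can change underneath it.
        if not image.startswith(TRUSTED_REGISTRIES):
            violations.append(f"{name}/{cname}: image {image!r} not from a trusted registry")
        last = image.rsplit("/", 1)[-1]  # "repo:tag" or "repo@sha256:..." part
        if "@sha256:" not in image and (":" not in last or last.endswith(":latest")):
            violations.append(f"{name}/{cname}: image {image!r} is not pinned to a tag or digest")
        # Runtime posture: privileged or root containers widen the blast radius
        # of any vulnerability the scanner missed.
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f"{name}/{cname}: privileged container")
        if sc.get("runAsNonRoot") is not True:
            violations.append(f"{name}/{cname}: runAsNonRoot is not set to true")
        # Production readiness: missing limits let one pod starve the node.
        limits = (c.get("resources") or {}).get("limits") or {}
        for res in ("cpu", "memory"):
            if res not in limits:
                violations.append(f"{name}/{cname}: no {res} limit")
    return violations


def admission_response(uid, deployment):
    """Shape the decision the way a validating admission webhook reports it
    (AdmissionReview v1 response fields: uid, allowed, status.message)."""
    violations = check_deployment(deployment)
    resp = {"uid": uid, "allowed": not violations}
    if violations:
        resp["status"] = {"code": 403, "message": "; ".join(violations)}
    return resp


# Constructed sample manifests (what yaml.safe_load would return).
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "app", "image": "nginx:latest",
         "securityContext": {"privileged": True}},
    ]}}},
}

GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "app",
         "image": "quay.io/example/web@sha256:" + "0" * 64,  # placeholder digest
         "securityContext": {"runAsNonRoot": True},
         "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
    ]}}},
}

if __name__ == "__main__":
    for label, manifest in (("bad", BAD_DEPLOYMENT), ("good", GOOD_DEPLOYMENT)):
        print(label, admission_response(f"uid-{label}", manifest))
```

Run as a script it prints a denied response listing six violations for the first manifest and an allowed response for the second. The same `check_deployment` function serves both enforcement points the article describes: wired into a webhook it denies the object at admission time, run over rendered YAML in CI it reports the findings before the change ever reaches a cluster.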
DevSecOps Market is Hot
Last year, VMware acquired Octarine and integrated that with Carbon Black, a security company that it bought in 2019 for $2.1 billion. At KubeCon 2019, Palo Alto Networks announced that it is acquiring Twistlock for $410 million.
Though the price was not disclosed, the acquisition of StackRox by Red Hat is expected to be worth over $100 million.