content/en/blog/community-survey-2023/index.md
Diving into the Falco community survey, this report unveils the fascinating world of Falco adoption and usage. As an open source cloud-native runtime security project, Falco has captured the attention of a diverse audience. This survey reached out to community members across various channels, including Slack, mailing lists, and social media platforms.
Delving into various aspects of Falco adoption, this report uncovers insights on user roles, cloud providers, adoption motivations, deployment strategies, rule sets, challenges, and integrations. It also highlights areas that need improvement, like documentation and support, to enhance the overall experience for newcomers. These valuable insights will help guide the evolution of Falco, making it an even more robust and user-friendly cloud-native runtime security solution.
Of the 24 individuals who participated in the survey, 22 shared their professional roles. These participants showcased a vibrant mix of positions, such as Software Engineers, DevOps practitioners, Cloud Architects, Security Engineers, Solutions Architects, Product Managers, CEOs, and even ambitious Student Developers. This colorful blend of roles demonstrates that Falco has captured the attention of a wide array of professionals from various fields and levels of expertise.
1. What is your role?
Security threat detection tops the list as the driving force behind Falco adoption, followed closely by auditing and compliance. Sandbox testing and incident response are also cited as compelling reasons to embrace Falco. Notably, one participant isn't using Falco, while a couple of others leverage its libraries and policy language within their unique open source projects. These findings highlight Falco's versatility in catering to diverse security requirements across numerous domains.
2. Why are you adopting Falco?
Falco predominantly finds a home within security teams, though DevOps squads are also known to harness its capabilities. Other adopters include platform engineering units, R&D departments, agent developers, and solution architects in the early stages of adoption. Interestingly, some survey participants don't use Falco at all, while others opt for its libraries directly, bypassing the full solution to meet their unique needs.
3. Which teams use Falco at your company?
Most Falco enthusiasts opt for the official Helm chart when it comes to deployment, but the Falco community is nothing if not creative. Some users prefer official container images, bespoke manifest files, or even official packages like .deb, .rpm, and .tar.gz. Meanwhile, others have ventured off the beaten path, experimenting with custom shell script wrappers atop Helm, homegrown repositories for source compilation, tailor-made Helm charts combined with custom-built container images, or integrating Falco libraries directly into their agent and kernel modules. The sky's the limit when it comes to deploying Falco!
4. How are you deploying Falco?
Most users rely on the default ruleset when using Falco, while a significant number of users prefer to maintain their own ruleset to tailor it to their specific needs. Others choose to take advantage of the new ruleset feature to further enhance their security. The flexibility and adaptability of Falco's ruleset options provide users with a customized and comprehensive approach to their security needs.
5. What ruleset do you use with Falco?
The survey revealed some of the key challenges encountered when adopting Falco. Top among them were kernel module and eBPF probes installations, and management of rules. Other difficulties included integrations with third-party tools, tuning, plugin management, and deployment. A few respondents indicated that they did not use Falco or faced other challenges. Additionally, a couple of participants mentioned their struggle with integrating Falco's security event logs with AWS CloudWatch, while others reported difficulties integrating with AWS FireLens and FluentBit log event forwarding. These challenges demonstrate the importance of ongoing development and improvement of Falco's features and documentation to make it a more seamless and user-friendly security solution.
6. What challenges have you faced with adopting Falco?
The survey sought to identify Falcosidekick integrations in use and what new integrations the community would like to see. Out of the 24 participants, 13 answered this question, with Slack, PagerDuty, and CloudWatch being the most commonly used integrations. Elasticsearch, AWS Lambda, and custom integrations were also mentioned, while one respondent highlighted that they use a fluentbit sidecar container instead of Falcosidekick to populate additional cloud metadata about each node.
On the other hand, when asked about integrations they would like to see, some participants expressed interest in Falcosidekick being usable by other threat detection systems like Tetragon. Others mentioned a desire for direct integrations with CloudWatch and/or Container Insights, as well as more cloud outputs. These results highlight the diverse integrations already in use, while identifying areas where the Falcosidekick community would like to see further development and expansion.
7. What integrations with Falcosidekick are you using? What would you like to see?
Out of 24 respondents, 12 answered the question on their usage and desired integrations of Falco plugins. The k8s_audit plugin was the most commonly used, followed by Cloudtrail and k8saudit. Some respondents also mentioned using plugins for audit logging and GitHub. However, a notable number of participants did not use any Falco plugins.
Regarding desired integrations, a few respondents expressed interest in more diverse plugins, such as EKS Kubernetes kernel monitoring, which could enhance the monitoring of their Kubernetes infrastructure. Other respondents suggested new plugins for monitoring and analyzing different system events, such as DNS resolution or SSL handshake failures. The results suggest that there is a desire for more plugins that can address diverse security issues in different system components.
8. Which plugin(s) are you using? What would you like to see?
The survey asked participants to rate Falco's documentation on a scale from 1 to 5, with 5 being "very helpful" and 1 being "not helpful." All 24 participants responded to this question, and the average rating for Falco's documentation was 3.7. While this is a solid rating, it indicates that there is room for improvement. Some participants rated Falco's documentation as highly helpful (with ratings of 4 or 5), while others found it to be less helpful (with ratings of 1 or 2). The survey data highlights the importance of clear and concise documentation to assist users in getting the most out of Falco.
9. On a scale of 1 - 5, how would you rate Falco’s documentation?
The survey asked respondents about their opinions on the type of documentation and support that would improve the onboarding and getting started experience for new community members. Out of 24 participants, 16 provided their valuable feedback. The respondents highlighted the need for more examples, tutorials, and step-by-step guides, especially around rule configuration and integration with cloud providers' services like AWS CloudWatch. Other requests included more detailed information on what Falco can and cannot do, more manuals, and more working samples of integrations with AWS Services and different ways to aggregate and route security events.
One participant suggested the need for documentation around the probes, which includes information on when to use one probe over the other, what platforms each probe works with, and insights into typical reasons why a module fails when it does. Additionally, they highlighted the importance of clarifying which platforms are supported, as there were unclear requests around things like k3.
Other recommendations included a contributing guide and templates, end-to-end tutorials from Hello World to complex use cases, and more use cases on public cloud offerings. Respondents emphasized the importance of having up-to-date documentation that keeps pace with the fast-moving nature of Falco. Overall, the survey results provide valuable insights for the Falco community to improve the onboarding and getting started experience for new members, ultimately creating a more user-friendly and accessible cloud-native runtime security project.
10. What type of documentation and support do you believe is needed to improve the onboarding and getting started experience for new community members?
The survey measured the quality of community support for Falco on a scale of 1-5, with an average rating of 4.2, indicating that the majority of respondents found it very helpful. This positive feedback reflects the strength of the Falco community's willingness to provide support to new members, highlighting the essential role of community support in the success of open source projects. A small number of respondents rated Falco's community support as not helpful, with others rating it as somewhat helpful or neutral. Overall, the survey results suggest that the Falco community is a valuable resource for those seeking support and guidance.
11. On a scale of 1 - 5, how would you rate Falco’s community support?
The results highlight a mix of engagement levels within the community and potential for increased involvement from those who would like to contribute.
12. Are you an active contributor to the project?
When it comes to effective communication, Falco is hitting the mark according to a survey that asked users to rate their satisfaction on a scale of 1-5. With an average rating of 4.2 out of 5, most respondents rated Falco's communication as satisfactory or even highly satisfactory. Only a few rated it as not satisfactory, with the rest expressing neutrality or some level of satisfaction. These results suggest that while Falco is doing well in communicating with its community, there is still potential to further enhance communication to meet the diverse needs of its users.
13. On a scale of 1 - 5, how satisfied are you with the communication of the Falco project?
Falco's community calls are an essential part of its communication strategy, allowing users to connect and collaborate with other members of the community. The survey asked participants whether they attend these calls, with 24 out of 24 respondents answering. The results showed that a majority of respondents do not attend the weekly community calls, with an almost equal number of respondents indicating they are planning to attend in the future. A smaller number of respondents attend the calls from time to time, and only a few respondents attend almost every week. These results highlight the importance of ensuring that community calls are accessible and convenient for all members, and that alternative ways of communication are available for those unable to attend.
14. Do you attend the weekly community calls?
Falco's adopters are a proud community, and the project provides opportunities to share their success stories. In a survey of 24 participants, the question of whether they were interested in sharing their Falco adoption story and publishing their company's name in Falco's adopters file was asked. Over half of the respondents (54.2%) preferred not to share their story, while 25% of the respondents were interested in sharing it privately with the maintainers. Meanwhile, 20.8% were enthusiastic about sharing it publicly. These results demonstrate that while many companies may not want to publicize their use of Falco, some are excited to share their adoption story with the larger community.
15. Are you interested in sharing your Falco adoption story and publishing the your company's name in Falco's adopters file?
The Falco community survey provides valuable insights into the experiences and opinions of users in the community. Overall, the survey results demonstrate a high level of satisfaction with Falco, with users praising its effectiveness, ease of use, and flexibility. However, there are areas where the community would like to see further development and expansion, particularly in documentation, integrations, and communication.
Additionally, the survey shows that the Falco community is a diverse group of users from various industries and backgrounds, with different levels of expertise and use cases. It is clear that the Falco project has a strong and supportive community, and its continued growth and success rely on the continued engagement and contributions of its users.