Securing Cloud-Native Applications (CNAs): A Case Study of Practices in a large IT Company
2025 (English). Independent thesis, Advanced level (degree of Master (One Year)), 12 credits / 18 HE credits
Student thesis
Abstract [en]
Background: Cloud-native applications (CNAs), built using microservices and deployed via container orchestration platforms like Kubernetes, have significantly transformed how software is developed, deployed, and scaled. This shift from traditional monolithic architectures introduces new complexities in the realm of security. Unlike conventional IT environments, CNAs require a fundamentally different approach to securing code, infrastructure, and runtime environments due to their distributed, dynamic nature.
Objectives: This thesis aims to explore the security practices employed in managing CNAs within a large IT organization. Specifically, it investigates how security responsibilities are shared across development, operations, and security teams using the 4Cs security framework — Code, Container, Cluster, and Cloud. The study further seeks to evaluate the effectiveness of modern DevSecOps practices, tools, and processes, while identifying ongoing security challenges faced by organizations operating in a cloud-native landscape.
Method: The research adopts a case study methodology grounded in software engineering practices. Data collection was carried out through semi-structured interviews with DevSecOps professionals and a systematic review of organizations’ archival documents. To contextualize and validate these findings, a supplementary review of grey literature and industry security standards, such as OWASP, CIS Benchmarks, and DISA STIGs, was conducted to highlight common practices, gaps, and divergences in industry implementations.
Results: The study reveals that while there is widespread adoption of automation, shift-left security, policy-as-code, and runtime monitoring, their effectiveness is often moderated by organizational culture and the level of ongoing training. Key challenges include balancing development speed with security rigor, managing alert fatigue, and responding to constantly evolving threats and misconfigurations. The research concludes with actionable recommendations that emphasize the importance of adaptive security strategies, continuous alignment with emerging standards, and the role of cross-functional collaboration in securing cloud-native environments.
Place, publisher, year, edition, pages
2025, p. 68
Keywords [en]
Cloud Native Application, Security, Kubernetes, DevSecOps
National Category
Software Engineering
Identifiers
URN: urn:nbn:se:bth-28266
OAI: oai:DiVA.org:bth-28266
DiVA, id: diva2:1980200
Subject / course
PA2592 Research Methods and Master's Thesis (60 credits) in Software Engineering for Professionals
Educational program
PAASA Master's Programme in Software Engineering 60,0 hp
2025-07-03, 2025-07-01, 2025-09-30. Bibliographically approved