While cloud native adoption has transformed the way organisations build modern applications, it has also resulted in increased security threats and concerns, according to new research by Snyk.
Snyk’s inaugural State of Cloud Native Application Security Report found that more than half of companies surveyed experienced a security incident due to misconfiguration or a known vulnerability in their cloud native applications, and developers are three times more likely to view security as their responsibility versus their security peers. It also found deploying automation makes it 17 times more likely that security tests run daily or more frequently.
“We are at a pivot point in terms of the evolution of both the developer's role as well as a transformation within the security industry as a whole,” says Guy Podjarny, co-founder and president, Snyk.
“As this latest research demonstrates, enterprises that choose to empower their development teams with the right security tools will ship their applications faster and safer than their competition, best positioning them to lead their industries in the coming decade,” he says.
Cloud native adoption changes the way organisations defend against cloud threats, with misconfigurations and known vulnerabilities distinctly emerging as primary concerns.
Key findings from the survey show:
- 60% of respondents have increased security concerns since adopting cloud native.
- Misconfigurations were noted as the biggest area of increased concern (over half of respondents stated it's now a bigger problem since moving to a cloud native platform).
- Known unpatched vulnerabilities (38%) are responsible for the greatest number of security incidents in their cloud native environments.
Developers Three Times More Likely to View Security as Their Responsibility
Developers today require solutions that enable them to build security into the whole application from code and open source to containers and cloud infrastructure, and they now have the opportunity to take on a pivotal security leadership position within their organisations as their role evolves to take on greater authority and autonomy.
Significant findings indicate greater security ownership is now being embraced by development teams faster than security teams are willing to let go of their own historic role in the traditional process.
For example, respondents in security roles were almost three times more likely to attribute security ownership to their team versus their development team counterparts. Meanwhile, more than one-third (36%) of developers admit they feel responsible for the security of their cloud native environments, while at the same time, less than 10% of respondents in security roles believed any security responsibility lay with developers.
“Each one of the over two million developers building applications securely with Snyk today is proof positive that development teams are both ready and willing to take on greater security ownership, resulting in safer enterprises globally,” says Podjarny.
“It’s now up to security organisations to also embrace this shift, supporting their developer colleagues and in turn evolving their own traditional roles and responsibilities.”
Deploying Automation Makes It 17 Times More Likely Security Tests Run Daily
Adopting a broader and deeper approach to cybersecurity by embedding security tools and best practices throughout the software development lifecycle is the make-or-break factor in achieving cloud native application security success.
Report findings demonstrate that companies with high levels of cloud native automation also have greater adoption of security testing. Companies that automate were also twice as likely to implement security testing and twice as likely to adopt static application security testing (SAST) and software composition analysis (SCA) tooling into their development lifecycles.
Automation also makes it easier to conduct more frequent testing, allowing vulnerabilities to be identified and fixed more quickly.
- Nearly 70% of respondents with high levels of deployment automation were able to test their security daily (17 times more than respondents who had no deployment automation, with 60% of those only testing their security monthly).
- More than 72% of respondents with high levels of automation have an average time to fix vulnerabilities of less than one week, with over a third (36%) having an average of one day or less.
- Automated testing is also a key enabler of visibility into security issues, with more than a quarter (28%) of organisations with low levels of automation acknowledging they don’t currently know how long it takes them to fix issues.