For Cloud-native App Security, Few Companies Have Embraced DevSecOps

A recent study identified some startling news when it comes to the state of security and cloud-native apps. The Security for DevOps Enterprise Survey Report, conducted by the research firm Enterprise Strategy Group on behalf of Data Theorem found only 8% of companies are securing 75% or more of their cloud-native applications with DevSecOps practices today.

The survey did provide some hope: those companies employing DevSecOps practices should jump from that paltry 8% to 68% of companies that are securing 75% or more of their cloud-native applications with DevSecOps practices in two years. 

The study results also revealed that API-related vulnerabilities are the top threat respondents are concerned about, at 63%, when it comes to serverless usage within organizations. Additional study findings include:

• API security was the top area reported for current or projected incremental spend; and API security was reported as most important by respondents among the cloud-native application security controls, at 37%. 
• According to the study, 82% of organizations have different teams assigned to secure cloud-native apps. Of this group, 50% of respondents’ organizations plan to merge these responsibilities in the future, while 32% of respondents’ organizations do not plan to merge these responsibilities.
• More than half of respondents indicated their organization’s software developers are already using serverless functions to some extent, with another 44% either evaluating or planning to start using serverless within the next two years. 
• When asked what to identify the most important pre-deployment cloud-native application security controls, software vulnerability scanning of registry-resident container images was the top answer at 26%. The next most important pre-deployment cloud-native application security control was API vulnerability management, at 25%.
• According to respondents, deployment flexibility and support for all types of servers and compute platforms were the top two answers (both at 38%) when indicating the most important attributes of products used to secure cloud-native apps. 

The survey found that workloads not only continue to move to public cloud platforms, but more organizations are also embracing serverless capabilities. The report found the general shift to everything consumed as-a-service continues. The report predicts that production workloads will continue to shift to public cloud platforms as organizations report that more than 40% of their production applications run on public cloud infrastructure.

“Given this affinity for and commitment to public cloud infrastructure, it follows that there is already an appreciable use of serverless functions, especially in the enterprise, with many evaluating or planning to use serverless functions. Specifically, more than half of respondents indicate that their organization’s software developers are already using serverless functions to some extent, with another 44% either evaluating or planning to start using serverless within the next two years. Those who are planning or evaluating will need to understand the associated threat model and means of mitigating risks.” The report states.

While enterprises are increasingly turning to public infrastructure and serverless, the future will most likely be a mix of workload types. “Containers and serverless are marginally cannibalizing virtual machines and bare metal servers and are expected to coexist with these server types as the underpinnings of both cloud-native and legacy applications,” the report states.

“However, while the server type mix for the typical organization is skewed toward VMs and bare metal today, this is expected to shift noticeably in the next 24 months, with containers and serverless platforms supporting, on average, 46% of production applications,” it continues.

“This study reveals that while organizations have started, there is more work to be done when it comes to securing their cloud-native apps with the benefits DevSecOps offers,” says Doug Cahill, senior analyst and group practice director of cybersecurity for ESG. “Fundamental changes to application architectures and the infrastructure platforms that host them are antiquating existing cybersecurity technologies and challenging traditional approaches to protecting business-critical workloads,” he continues.

The report advises organizations to consider newer approaches to securing their cloud-native apps, especially technologies that mitigate the risks associated with API-related vulnerabilities. The report found that API risks topped the minds of respondents.

If organizations are going to ultimately get a handle on cloud, serverless and, more broadly, API risks they can’t have (as 82% of organizations claim to do today) separate security teams for cloud-native apps and other systems. It’s a good sign that 50% of respondents’ plan to merge those security efforts.

It’s problematic that 32% currently have no such plans.

This study, Security for DevOps – Enterprise Survey Report, is based on responses from 371 IT and cybersecurity professionals at organizations in North America responsible for evaluating, purchasing, and managing cloud security technology products and services.