Takeaways from the ESG GitOps and Shift Left Security Survey
As more organizations leverage modern software development techniques, developers are better equipped to create and deliver cloud apps rapidly. Security teams have difficulty keeping up with the scale, speed and dynamic components of CI/CD cycles. Although the industry has discussed shifting security to the left so that security can scale with rapid development, firms have found this challenging to implement.
Between May 18 and June 10, the Enterprise Strategy Group (ESG) conducted an online survey of IT and cybersecurity specialists, as well as application developers from both private and public sector organizations in North America. More specifically, the ESG polled 350 IT (30%) and cybersecurity (40%) decision-makers, as well as application developers (30%) who are in charge of evaluating, purchasing and deploying developer-focused security products in mid-market (100 to 999 employees) and enterprise-level (1,000 or more employees) organizations in the United States and Canada.
This post discusses the key takeaways from this survey while also explaining how to build secure, scalable and developer-centric supply chain solutions.
Top Cloud Security Concerns and Challenges Faced in Modern Development
Organizations can innovate faster than ever thanks to modern software development methods. However, improved speed comes with an increased security risk. According to the survey results, organizations are searching for ways to invest in cloud native software development processes while preserving secure workflows. The following are some of the top security concerns mentioned in the survey findings:
The Cloud Native Cybersecurity Threat Landscape Is Intensifying
The shift to cloud native development, according to the respondents, made them more vulnerable to cybersecurity threats. Cloud native applications accounted for most of the cybersecurity problems reported, with APIs cited as the weakest link. Open source software (OSS), data storage repositories, internally developed source code, application container images, CI/CD pipeline tools, serverless functions and third-party libraries were all susceptible to attacks. The threats that were discovered included zero-day exploits of well-known and novel cloud vulnerabilities, compromised cloud accounts, stolen source code secrets and cloud misconfigurations.
Insecure Open Source Software
Respondents said they use open source components in their development processes to speed up release cycles, but noted that this introduced additional security risks. For instance, even though eight out of 10 businesses used OSS code, attackers had compromised 41% of them. Additionally, more than half of the respondents were unable to determine the code composition or the software bill of materials for their third-party software. As a result, they were unable to respond swiftly to vulnerabilities that were discovered.
Misconfigurations and Incidents with IaC Usage
Security has become a major concern with the increasing use of Infrastructure as Code (IaC). Of the 69% of respondents who said they use IaC templates to provision their cloud infrastructure, approximately 83% reported an increase in IaC template misconfigurations. The consequences of these misconfigurations ranged from unauthorized application access to data loss, fines for noncompliance, and the introduction of malware, ransomware and cryptomining software.
The Challenges of Shifting Left for Developers
The majority of security teams expressed discomfort with participating in the “shift left” paradigm, claiming that developers would be overburdened. The most frequent arguments against developers taking on security responsibilities were that security tasks interfere with development processes (44%), developers are not qualified to handle security issues (42%) and the entire process would result in more work for security teams (43%). These arguments suggest that security teams should instead maintain complete autonomy over the security ecosystem.
Securing Developer Workflows: The ‘Shift Left’ Security Strategy
Given the security challenges of current cloud native development, security teams are collaborating with their developers to integrate security into developer processes to reduce risk. This is because they are aware of the necessity of working with developers and using developer-centric security solutions to effectively address any security vulnerabilities that are discovered.
To adequately secure software without delaying software development, organizations shared the following “shift left” security strategies:
- Use security tools that integrate with development workflows to reduce the amount of context switching required to address coding issues. More than half of firms (56%) have integrated security into their current developer tools and workflows to receive notifications.
- Integrate security monitoring tools with development processes for faster remediation. When an issue is discovered during runtime, the monitoring tool can provide information to the developer to help with remediation.
- Use third-party cloud native application security solutions to gain visibility. To ensure control over their cloud native environments, about 71% of organizations reportedly use consulting or penetration testing services from third parties. This ensures that testing is carried out and that engineers can make modifications without interfering with workflows.
- Invest in security solutions to protect cloud native development processes. More than two-thirds (69%) of organizations anticipate making substantial investments in security vendor solutions aimed at enhancing application security testing, uncovering secrets contained in source code repositories and implementing runtime API security controls.
Walking the Line: GitOps and Shift Left Security eBook
Given the intensifying cybersecurity threat landscape, organizations must not overlook the security risks associated with cloud native development. Organizations that wish to walk the line between rapid development cycles and security must invest in developer-focused security solutions and practices.
Indeed, 68% of survey respondents believed that investing in developer-focused security solutions and giving developers some security responsibilities should be key priorities. If security is included early in CI/CD pipelines in a frictionless, automated manner, developers will be empowered to build secure applications faster.
To learn more about the security challenges that organizations encounter with faster cloud native development lifecycles, as well as how development and security teams can collaborate, you can download the complete “Walking the Line: GitOps and Shift Left Security” eBook or register for the webinar with ESG on Dec. 13.
Discover more articles from Orca Security on managing your cloud security infrastructure and mitigating security threats.