Make Cloud Defense a Team Sport by Turning DevOps into a Force Multiplier

Originally published by CrowdStrike.

Written by David Puzas, CrowdStrike.

Enterprises are embracing cloud-native applications in the name of business agility. These applications enable developers to take advantage of the cloud’s scalability and flexibility, allow customers and developers to benefit from the increased velocity of DevOps processes and help businesses quickly react to customer needs and potentially lower their cost of deployment.

Yet as developers deploy cloud-native applications and benefit from the greater efficiency they provide, security challenges and concerns remain.

Faster release cycles raise the pressure to rapidly address security risk, potentially increasing the likelihood of misconfigurations. Approaches such as infrastructure-as-code (IaC) bring automation into DevOps. However, the misconfiguration of an IaC template could create an entry point for attackers. Likewise, broader use of open-source software components in application development saves time, but vulnerabilities in open-source software introduce weaknesses attackers can exploit. In recent research from Enterprise Strategy Group’s (ESG) report, Walking the Line: GitOps and Shift Left Security, 41% of IT and cybersecurity professionals admit they have been victims of cybercriminals targeting popular open-source software.

Here, we discuss how organizations can shift their approaches and address these challenges with developer-focused security.

Security-as-Code: Out with the Old, In with the New

Legacy solutions will not solve this problem, as older application security testing tools were not built to support cloud-native applications. Organizations have responded to these issues by shifting security left and baking it into the CI/CD pipeline to lower risk without sacrificing speed. According to the ESG report, the most commonly cited challenge in implementing security while keeping pace with development cycles is releasing software without security checks or testing, as stated by 45% of respondents, and security lacking visibility and control in development processes (43%). A third challenge cited was a lack of consistency in security processes across different development teams (36%).

Many organizations have already begun implementing security processes such as security-as-code (SaC) and GitOps. For others, those moves may be on the way. The ESG study found 72% of respondents believe SaC will be a “highly relevant” cybersecurity approach within the next two years. However, many worry their security team does not have the necessary expertise to implement it and, further, SaC may not be mature enough to incorporate into their cybersecurity program.

The Key to a Winning Game Plan: Developer-Focused Security

Approaches such as SaC and infrastructure-as-code (IaC) are all part of efforts to shift security responsibilities to developers. Sixty-eight percent of security pros ESG surveyed stated establishing a developer-focused security strategy is a high priority. However, only 36% said they were “completely comfortable” adopting a developer-focused security strategy, as opposed to 64% stating they were either mostly comfortable (49%) or slightly comfortable (15%).

Some of this discomfort can be traced to fears of overburdening developers by giving them additional security responsibilities. Some respondents felt developers might be unqualified to take on these responsibilities and doing so would ultimately create more work for the security team. Developers see the situation somewhat similarly, with the majority being either completely or mostly comfortable taking on more security responsibilities. For those not fully comfortable with a shift-left strategy, the most frequent objections were that security tasks are disruptive to development processes and that security teams should handle security work.

This disconnect represents a threat to enterprise security that must be eliminated. In the past, app development and security teams operated in separate silos. But the needs of today’s organizations require them to function as a high-performing team in support of one another. Only through integration and collaboration can the security of cloud-native applications be effectively addressed.

Change the Game by Making the Secure Thing to Do the Easy Thing to Do

Enterprises need to implement a strategy supported by a cloud-native application protection platform (CNAPP) that addresses the entire application lifecycle across hybrid, public, private and multi-cloud environments. These platforms can be integrated into CI/CD activities to scan changes like infrastructure-as-code configurations and prevent problems before attackers can target them. From cloud security posture management to workload protection, these solutions empower enterprises to take a comprehensive approach to secure their cloud resources.

Modern problems demand modern answers. Traditional approaches to app development are insufficient for organizations looking to take advantage of cloud-native technologies. Weaving security into the CI/CD pipeline allows businesses to identify misconfigurations and other security risks before they evolve into the causes of data breaches or compromises.

To learn more about the challenges organizations face with faster cloud-native development lifecycles and how developers and security teams can work together, download the report.