SECURITY THAT SCALES WITH CLOUD-NATIVE DEVELOPMENT
THE NEED FOR A PLATFORM APPROACH
As organizations increasingly leverage cloud platforms
and cloud-native development, security teams need an effective
way to manage security risk while keeping up with faster
development cycles.
Adapting Security to Cloud-native Development
Cloud-native application development allows developers to quickly assemble applications from third-party code and templates.
While this saves them time, it increases the chances of introducing mistakes and vulnerabilities that may be exploited.
Conclusion
As organizations increasingly adopt cloud-native development for faster release cycles, security teams need an advanced security
platform that will enable them to scale to support the rapid growth enabled by cloud-native development. The right solution must
drive efficiency by incorporating security into development processes while enabling security teams to effectively manage risk.
Source: Enterprise Strategy Group Research Report, Walking the Line: GitOps and Shift Left Security, November 2022.
Source: Enterprise Strategy Group Research, Cloud Entitlements and Posture Management Trends.
© 2023 TechTarget, Inc. All Rights Reserved.
Organizations are concerned about hackers increasingly targeting OSS due to its wide usage. They need effective tools
to better understand OSS usage risks so they can quickly respond when vulnerabilities are found.
» Open source software challenges and concerns
» Organizations have also faced a variety of security incidents and related consequences with their internally
developed cloud-native applications in the last year, with only 3% not experiencing incidents.
» Usage of open source software (OSS)
8 in 10 organizations use open source software in programming cloud-native applications.
» Percentage of code composition that is OSS
3%: < 25%
42%: 25% to 50%
49%: 51% to 75%
6%: > 75%
» Infrastructure-as-code (IaC) Adoption
96% of organizations are using or plan to use IaC.
83% of respondents say they are experiencing an increase in IaC template misconfigurations.
While utilizing IaC templates empowers developers to provision their own infrastructure instead of waiting for IT or operations teams to set it up for them, it also increases security risk.
» Top three impacts of misconfigured IaC
46%: Unauthorized access to applications and data
43%: Introduction of crypto-jacking malware to mine cryptocurrency
41%: Remediation steps impacted service level agreements (SLAs)
Incorporating Security into Development
Organizations are prioritizing developer-focused security strategies, including shifting some security responsibilities
to developers because it’s the only way for security teams to scale to support the increased speed and volume of releases.
» Priority level for adopting a developer-focused security strategy
68%: It’s a high priority (i.e., it will have a significant impact on our security program)
31%: It’s important, but not a high priority (i.e., we have higher security and/or AppDev priorities)
» Security teams’ comfort level adopting a developer-focused security strategy
15%: Slightly comfortable
49%: Mostly comfortable
36%: Completely comfortable
» Organizations are also investing in solutions that integrate security processes into developer workflows
to more efficiently mitigate risk and reduce security incidents.
69%: We expect to make significant investments
31%: We expect to make moderate investments
Scaling with a Platform Approach
Organizations are increasingly looking for consolidated approaches, or cloud-native application protection platforms (CNAPPs),
to efficiently mitigate security risk as development scales. These platforms tie security in development processes to improving
security posture, helping security teams effectively manage risk for cloud-native applications.
» Top 10 priorities for securing cloud-native software development process
1. Improving application security testing
2. Detecting secrets that have been committed and stored in source code repositories
3. Applying runtime API security controls
4. Identifying software vulnerabilities before deployment to production
5. Discovering and inspecting APIs in source code
6. Remediating malware before deployment to production
7. Scanning open source code components and third-party libraries
8. Remediating software vulnerabilities before deployment to production
9. Scanning production environments for misconfigurations
10. Identifying malware before deployment to production
» Top 5 business drivers for cloud security posture management
1. Addressing the sheer number of assets that are cloud-resident
2. Preparing for security incidents our organization may experience in the future
3. Meeting prescribed best practices for the configuration of cloud-resident workloads and the use of cloud APIs
4. Meeting demands from the organization's customers/partners/supply chain
5. Automating security controls via integration with existing DevOps tools
» Most organizations believe that a platform approach will drive efficiency to enable security to scale with cloud-native development.
85% of organizations said a CNAPP will give them a consolidated approach for more efficient cloud security risk mitigation.
87% of organizations said a CNAPP helps drive efficiency in connecting application security processes to security posture management.
About Cisco
As a global industry leader in enterprise security solutions, Cisco Systems provides leading-edge security solutions that protect
corporate data from hackers. Modern solutions to managing mixed private and public cloud environments require management
of the entire stack of technologies. The Cisco Full Stack Observability solution innovatively dovetails with other Cisco stack
solutions, including Cisco’s CNAPP Cloud-Native Application Security solutions. Collectively, this solution provides an intelligent,
comprehensive view of the total IT technology stack, providing high-resolution insights and metrics that allow businesses to run at
their full potential.
To see how Cisco can address your cloud-native application security needs from code to cloud, please see link below.
Having a high percentage of application code that is open source
Identifying vulnerabilities in the code
Applying an issued patch quickly once released
Quickly remediating a vulnerability
Understanding code composition and producing a software bill of materials
Being victims of hackers targeting popular/commonly used open source software
Trusting the source of the code
54% 39% 39% 38% 39% 41% 40%
3%: We haven’t experienced one of these incidents in the last 12 months
26%: Compromised privileged user credentials
27%: “Zero day” exploit(s) that took advantage of new and previously unknown vulnerabilities in internally developed code
28%: “Zero day” exploit(s) that took advantage of new and previously unknown vulnerabilities in open source software
31%: Secrets stolen from a source code repository
33%: Exploit of a misconfigured cloud service
34%: Exploit(s) that took advantage of known vulnerabilities in open source software
35%: Compromised services account credentials
37%: Exploit(s) that took advantage of known vulnerabilities in internally developed code
38%: Attacks that resulted in the loss of data due to the insecure use of APIs
