Nearly two-thirds of respondents to the “2022 Technology Spending Intentions Survey” from Enterprise Strategy Group (ESG), a division of TechTarget, plan to increase spending on cloud application security in the next year.
Matching those enterprise spending plans, some of the vendors in the market space — including Snyk, Orca Security, Wiz, Contrast Security and Lacework — have scored record-setting funding rounds and valuations. Others, such as Palo Alto Networks, Synopsys Inc. and Rapid7 Inc., have made acquisitions and integrations to secure the full lifecycle of cloud applications.
Why all the activity and plans for increased spending? Let’s explore the challenges of cloud application security and why organizations need to find the right approach to scaling security to meet the demands of modern software development.
Market changes up need for cloud app security
Organizations have embraced digital transformation to gain a competitive advantage and help them deliver products and services efficiently to customers. The COVID-19 pandemic also accelerated pressure on companies’ digital transformations. Together, the increase of remote work and the ability to move to online transactions have been crucial for business survival over the past two years.
Modern software development processes using cloud services have given businesses the agility to quickly adapt. Each year, the Cloud Native Computing Foundation releases survey results showing faster release cycles and greater adoption of continuous integration/continuous delivery (CI/CD) pipelines. CI/CD brings rapid innovation with faster product releases and updates, and products can be delivered and sold online more easily.
Increases in cloud-based software development make security more important than ever because the ability to adapt can make or break a company, just as releasing a product that exposes customer or company data or causes an outage can ruin it.
Well-run product development teams should include security in product development processes, but it’s difficult to incorporate security in ways that won’t disrupt CI/CD pipelines.
As development teams grow and scale with rapid product releases, it is difficult to ensure secure development processes are in place. Higher chances for mistakes — even simple mistakes, such as an Amazon Simple Storage Service cloud storage bucket misconfiguration or not implementing storage encryption at rest — can result in costly breaches and data loss.
DevSecOps tools and resources — many free and open source — are available for developers to test for security issues or misconfigurations. Developers have varying expertise using such tools, however, and often don’t want to depart from their normal workflows and tool sets to use new or different security tools. Rather, they want to focus on their jobs as developers, with most of their time spent coding for product features, not trying out new security tools.
With the cybersecurity skills shortage, security teams are typically understaffed and overworked. While security tools that monitor applications running in the cloud are helpful, many of the problems or breaches are due to misconfigurations that could have been prevented if the code had been tested before deployment. Alerts piling up is another issue: it creates more work both for security teams, which have to triage them, and for developers, who have to fix them outside their normal development process.
Security teams don’t want to disrupt development or create friction in the app development process. They look for ways to help developers secure their own code because it’s the only way for security to scale with modern software development. This shift-left testing concept empowers developers to start the testing process earlier to discover and correct problems earlier in the development cycle.
What app developers need to increase security
So, how can testing shift left when developers don’t want to learn about security? Security vendors can provide products and services that automate key security processes throughout the software development lifecycle — from build time to runtime — helping developers release secure, reliable code, with the ability to rapidly or automatically fix security issues as they are discovered.
Security vendors are tackling these challenges, which aren’t easy problems to fix. Organizations don’t want to just keep adding more tools or have more alerts pop up. They want the simplest solution that can make the biggest impact on reducing security risk. The goal is to fix preventable application security mistakes in development before they can be deployed and reduce mean time to remediation for issues found in runtime.
The idea that developers don’t care about security is a misconception. They want to improve code quality and be confident they are releasing reliable, secure code. They also want to be more self-sufficient because having to file a ticket or wait for help from the security team slows application development down.
They don’t want to have to become security experts, use separate security tools and constantly be interrupted by alerts.
If automated processes such as policy guardrails and automated testing are in place to raise the issues that need to be addressed, developers have what they need to easily secure their own code. This makes them more self-sufficient: they don’t have to wait for help from another team, and they avoid later rework if problems surface after release.
For security purposes, app developers need to set up processes for development, along with visibility across the application lifecycle, to know that security processes are in place and are working efficiently. The security team can set policy rules that act as security and compliance guardrails for developers. Security can also set up automated code scanning early in development, including software composition analysis and infrastructure-as-code scanning, to catch misconfigurations that often originate in copied-and-pasted open source templates.
Scanning tools are widely available, but their value is in automating the testing process so that accurate information about coding defects, and how to fix them, reaches developers with the shortest possible feedback loop, letting them remediate security issues immediately. Test results need to be delivered inside the developer’s CI/CD workflow with no context switching, so they don’t disrupt development processes or waste developers’ time with false positives.
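As an added illustration of the infrastructure-as-code guardrail described above (this is example code, not any vendor’s product), the following check scans a parsed CloudFormation template for the two S3 mistakes the article names, a publicly exposed bucket and missing encryption at rest, and reports each finding together with its fix so it can run as a pipeline step. The template, the rule ids and the fix strings are constructed for the example.

```python
# Minimal IaC guardrail for the S3 mistakes the article names: public exposure
# and no encryption at rest. Added example, not vendor code; template constructed.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
               "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed CloudFormation fragment: one bucket pasted from a public template
# with a public ACL and no encryption, one bucket configured correctly.
TEMPLATE = {"Resources": {
    "UploadsBucket": {"Type": "AWS::S3::Bucket",
                      "Properties": {"AccessControl": "PublicRead"}},
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}}}}

def check_bucket(name, props):
    """Return (resource, rule, fix) tuples for one AWS::S3::Bucket."""
    findings = []
    if props.get("AccessControl") in PUBLIC_ACLS:
        findings.append((name, "S3-PUBLIC-ACL", "set AccessControl to Private"))
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(flag) is True for flag in BLOCK_FLAGS):
        findings.append((name, "S3-PUBLIC-ACCESS-BLOCK",
                         "enable all four PublicAccessBlockConfiguration flags"))
    rules = (props.get("BucketEncryption", {})
             .get("ServerSideEncryptionConfiguration", []))
    algos = {r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in rules}
    if not algos & {"AES256", "aws:kms"}:
        findings.append((name, "S3-NO-ENCRYPTION-AT-REST",
                         "add BucketEncryption with SSEAlgorithm aws:kms"))
    return findings

def scan_template(template):
    """Scan every S3 bucket in a parsed CloudFormation template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::S3::Bucket":
            findings.extend(check_bucket(name, res.get("Properties", {})))
    return findings

if __name__ == "__main__":
    # As a CI step: print each finding with its fix, exit 1 to block the deploy.
    found = scan_template(TEMPLATE)
    for name, rule, fix in found:
        print(f"{name}: {rule} -> {fix}")
    raise SystemExit(1 if found else 0)
```

Real templates would be loaded from YAML or JSON instead of the inline dict, and the same pattern extends to other resource types.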
Vendors that have built well-instrumented tools that can fully assess applications, their components and behavior are key, especially those that can stitch the data together to automate key security processes across the entire application lifecycle. This way, developers can gain confidence in efficiently securing their own code, while reducing work and risk for the security team.