The 2020 SANS DevSecOps survey, Extending DevSecOps Security Controls into the Cloud, sponsored by CloudPassage, examines how cloud adoption and DevOps impact security and compliance. With input from 211 security professionals from global organizations of all sizes, the survey report offers vital insights into the challenges security teams face today, and the best-practice DevSecOps approaches they’re using to secure their public and hybrid cloud environments.
Cloud Security Is More than a Lift-and-Shift Exercise
As organizations adopt cloud infrastructure to build and operate applications, they offload many of the responsibilities and risks to the IaaS provider. In doing so, they adopt the shared responsibility model and fundamentally alter how they manage security and compliance for application stacks. But that doesn’t make the cloud inherently secure—there is still the cloud-user part of the equation that has to be handled.
The changes to how application stacks can and should be protected are only part of the shift. Another major departure is the speed and frequency of change driven by the enterprise adoption of DevOps models. These highly automated, autonomous models render obsolete the traditional approaches to change control and risk management that compliance has come to depend on.
Legacy security approaches tend to fail dramatically, both in terms of coverage and velocity, when organizations adopt cloud infrastructure and DevOps. The more distributed and diverse the cloud implementation, the more complex the task of architecting a secure solution becomes. That means understanding cloud platforms, working with—and not as a bottleneck to—DevOps, and identifying and filling any security gaps.
DevSecOps aims to assign or embed security specialists within DevOps teams to improve buy-in on security priorities and compliance requirements, train developers in secure coding, and automate security with tools and workflows that fit naturally into the DevOps model. The effort goes beyond merely moving security into the cloud. It requires a concentrated engineering and operations effort, and it starts with unwavering management commitment and a culture shift that stands to make DevOps a force multiplier for security.
The SANS DevSecOps Survey Shines a Light on the Culture Gap
According to the data gathered for the 2020 SANS Survey, cloud platform usage is steadily gaining on on-premises application hosting platforms. Yet, security professionals are lagging in their approach to security and compliance. Most organizations work with multiple cloud providers, meaning a broad range of security and compliance risks. And with agile and DevOps methodologies ramping up application delivery speed, traditional security teams are struggling to keep up. Even the push to “shift left” is proving difficult for many organizations.
- 92% of organizations use at least one public cloud provider, and the average organization has workloads running on 2.33 public clouds.
- 36% of security professionals spend less than 25% of their time modernizing for cloud provider platforms.
- Feature delivery speed has increased 14% over the past four years, yet only half of organizations rely on automated security testing, and 27% are not doing any security testing at all.
- Only 40% of organizations include security assessments in the early planning and design stages of application and feature development.
While cloud security does demand tools and technologies made for the cloud, the survey found that the roadblocks to DevSecOps were not viewed as a technology problem. As organizations try to shift security left into the DevOps pipeline, survey respondents cited the factors holding them back, including:
- Lack of resources
- Lack of management and developer buy-in
- Poor communication across silos
- Poor prioritization
Having the right tools and a best-practices DevSecOps approach can make or break security integration with DevOps. With a little insight into the SANS DevSecOps survey report findings, and the right tools and approaches, your organization can overcome these challenges and improve cloud security posture.
Keeping Up with the Move to Cloud
The SANS DevSecOps survey results show that software is being delivered faster and more often than ever. In previous years, the majority of releases happened monthly or quarterly. This year’s survey shows a dramatic shift toward weekly, and even daily or continuous, releases, with many respondents reporting multiple releases per day.
Add to this rapid-delivery reality the fact that 60% of organizations are using three or more public clouds, and security challenges all boil down to one central need: speed. Keeping up with DevOps means creating a security foundation that’s agile, adaptable, and fast.
Automation is Key, According to the SANS DevSecOps Survey Results
Security teams need to start thinking like DevOps. Legacy security tools and processes aren’t up to the challenge of securing cloud deployments. And using outdated solutions makes security a bottleneck to the rapid pace of DevOps delivery. You can’t rely on quarterly security reports when your DevOps teams are changing the production environment multiple times per day.
The goal of DevSecOps is frictionless security automation that accelerates feedback and makes security testing a natural part of the CI/CD pipeline. The survey results point to automated security as the key to DevSecOps success because it paves the road for developers and operations engineers to create secure code from the start.
DevSecOps Makes DevOps a Force Multiplier for Security
Security organizations can help build a seamless working experience with their DevOps teams by supplying streamlined, easy-to-use, API-based cloud security posture management (CSPM), cloud workload protection platform (CWPP), and container security tools with microagents that automate security into the build process and across the CI/CD pipeline. But that’s not enough. Security teams must also extend DevOps teams the trust and authority to integrate those tools in a way that makes sense for their workflows and processes.
With automated, integrated cloud security, DevOps can:
- Leverage secure-by-default frameworks for building out new application stacks
- Test against a benchmark of cloud configuration standards, security policies, and rules without additional effort
- Get immediate feedback during the development cycle, along with remediation advice
And that all happens without handing off cumbersome communications or reports between developers and security teams.
Organizations that have made security testing a frictionless part of the development process can break down silos, reduce bureaucracy, improve management and developer buy-in, and most importantly—accelerate security implementation, enforcement, and remediation to the speed of cloud delivery. With a successful DevSecOps strategy and tools, DevOps becomes a force multiplier for security across the cloud.
Get More Insight into the 2020 SANS DevSecOps Survey
The 2020 SANS DevSecOps Survey offers many insights and actionable practices beyond those discussed here, and we have three ways you can explore the survey findings:
2020 SANS DevSecOps Survey Report
The SANS DevSecOps survey report includes key findings, insightful analysis, and best practices to improve your cloud security posture. Download this paper to learn:
- How increased cloud adoption affects security
- Cloud provider usage, environments, and risks
- The impact on security from accelerating delivery velocity
- What a successful DevSecOps program looks like
- The fundamental changes needed to make secure DevOps a reality
2020 SANS DevSecOps Survey Results Webinar
In this one-hour webinar, the report authors dig into the survey results and statistics to explore and discuss how the cloud and DevOps landscape will shape security moving forward. Watch this on-demand webinar for more information on:
- The cloud and DevSecOps landscape
- How cloud adoption and DevOps will shape security moving forward
- Shifting security practices into DevOps
- Best practices for DevSecOps
Panel Discussion of the 2020 SANS Survey
The survey sponsors, including our CEO, explore five critical concerns around DevSecOps for today’s cloud-based environments. You’ll get their insights into shifting left, the security implications of using multiple cloud providers, and more, including:
- The implications of shifting left and how organizations can alleviate security issues right now
- The security implications of using multiple cloud providers
- How moving to cloud-hosted platforms affects security and compliance
- The tools available for continuous monitoring of cloud runtime environments
- MTTR expectations in the cloud
Halo Powers Security at Cloud Velocity
CloudPassage Halo helps you close the culture gaps and accelerate DevSecOps adoption. With comprehensive, automated security that’s built for the cloud, Halo is a non-invasive, frictionless cloud security platform provided as Software-as-a-Service (SaaS) that you can have up and running in a matter of minutes. Halo helps you automatically discover cloud assets, reduce your attack surface, and respond to critical risks other tools miss.
Learn more about the Halo cloud computing security platform
Get started at no cost with the Halo free edition cloud security posture management service. It will get you going quickly, and it comes with the Halo API, so you can start automating security into your DevOps pipeline now. Why wait?