The 2020 SANS DevSecOps survey, Extending DevSecOps Security Controls into the Cloud, sponsored by CloudPassage, examines how cloud adoption and DevOps impact security and compliance. With input from 211 security professionals from global organizations of all sizes, the survey report offers vital insights into the challenges security teams face today, and the best-practice DevSecOps approaches they’re using to secure their public and hybrid cloud environments.
As organizations adopt cloud infrastructure to build and operate applications, they offload many responsibilities and risks to the IaaS provider. In doing so, they adopt the shared responsibility model and fundamentally change how they manage security and compliance for their application stacks. But that does not make the cloud inherently secure: the cloud user's side of the shared responsibility model, including workload configuration, identity, data and application code, still has to be handled.
The changes to how application stacks can and should be protected are only part of the change. Another major departure is the speed and frequency of change driven by the enterprise adoption of DevOps models. These highly automated, autonomous models render obsolete the traditional approaches to change control and risk management that compliance has come to depend on.
Legacy security approaches tend to fail dramatically, both in terms of coverage and velocity, when adopting cloud infrastructure and DevOps. The more distributed and diverse the cloud implementation, the more complex is the task of architecting a secure solution. That means understanding cloud platforms, working with—and not as a bottleneck to—DevOps, and identifying and filling any security gaps.
DevSecOps aims to assign or embed security specialists within DevOps teams to improve buy-in on security priorities and compliance requirements, train developers in secure coding, and automate security with tools and workflows that fit naturally into the DevOps model. The effort goes beyond merely moving security into the cloud. It requires a concentrated engineering and operations effort, and it starts with unwavering management commitment and a culture shift that stands to make DevOps a force multiplier for security.
According to the data gathered for the 2020 SANS Survey, cloud platform usage is steadily gaining on on-premises application hosting platforms. Yet, security professionals are lagging in their approach to security and compliance. Most organizations work with multiple cloud providers, meaning a broad range of security and compliance risks. And with agile and DevOps methodologies ramping up application delivery speed, traditional security teams are struggling to keep up. Even the push to “shift left” is proving difficult for many organizations.
While cloud security does demand tools and technologies made for the cloud, the survey found that the roadblocks to DevSecOps were not viewed as a technology problem. As organizations try to shift security left into the DevOps pipeline, survey respondents cited the factors holding them back, including:
Having the right tools and a best-practices DevSecOps approach can make or break security integration with DevOps. With a little insight into the SANS DevSecOps survey report findings, and the right tools and approaches, your organization can overcome these challenges and improve cloud security posture.
The SANS DevSecOps survey results show that software is being delivered faster and more often than ever. In previous years, most releases happened monthly or quarterly. This year, weekly and even daily or continuous releases became far more common, with many respondents reporting multiple releases per day.
Add to this rapid-delivery reality the fact that 60% of organizations are using three or more public clouds, and security challenges all boil down to one central need: speed. Keeping up with DevOps means creating a security foundation that’s agile, adaptable, and fast.
Security teams need to start thinking like DevOps. Legacy security tools and processes aren’t up to the challenge of securing cloud deployments. And using outdated solutions makes security a bottleneck to the rapid pace of DevOps delivery. You can’t rely on quarterly security reports when your DevOps teams are changing the production environment multiple times per day.
The goal of DevSecOps is frictionless security automation that accelerates feedback and makes security testing a natural part of the CI/CD pipeline. The survey identifies automated security as the key to DevSecOps success because it gives developers and operations engineers fast, repeatable feedback and lets them build secure code and infrastructure from the start.
Security organizations can help build a seamless working experience with their DevOps teams by supplying streamlined, easy-to-use, API-based cloud security posture management (CSPM) and cloud workload protection platform (CWPP) tools, along with container security tools with microagents, that automate security checks into the build process and across the CI/CD pipeline. But that is not enough. Security teams must also extend DevOps teams the trust and authority to integrate those tools in a way that makes sense for their own workflows and processes.
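The following is an added example, not CloudPassage or Halo code, of what "API-based posture checks automated into the pipeline" looks like in practice: a small CSPM-style script that evaluates a cloud asset inventory against a few posture rules and returns a non-zero exit code so a CI job fails on high-severity findings. The inventory format (security groups with port ranges and CIDRs, buckets with `public` and `encrypted` flags) is an invented, simplified representation, and the sample data is constructed for the example; a real tool would pull the inventory from the cloud provider's API or its own API. The script goes slightly beyond the text in that it handles both IPv4 and IPv6 "anywhere" ranges (`0.0.0.0/0` and `::/0`).

```python
"""CSPM-style posture gate for a CI/CD pipeline (added example, hypothetical inventory format)."""
import ipaddress
import json
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample inventory, not real data. One bastion with SSH open to the
# world, one public bucket and one unencrypted bucket are planted so the gate fails.
SAMPLE_INVENTORY = json.dumps({
    "security_groups": [
        {"id": "sg-web", "rules": [
            {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "rules": [
            {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "rules": [
            {"proto": "tcp", "from_port": 0, "to_port": 65535, "cidr": "10.0.0.0/8"}]},
    ],
    "buckets": [
        {"name": "assets-public", "public": True, "encrypted": True},
        {"name": "backups", "public": False, "encrypted": False},
    ],
})

# Ports that should never be reachable from the whole internet (SSH, RDP).
ADMIN_PORTS = (22, 3389)


@dataclass(frozen=True)
class Finding:
    rule: str       # short rule identifier
    resource: str   # affected resource (and port where relevant)
    severity: str   # "high" or "medium"


def is_world_cidr(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix length of zero in either family."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_groups(groups: Iterable[dict]) -> List[Finding]:
    """Flag any rule that exposes an admin port to the whole internet."""
    findings: List[Finding] = []
    for sg in groups:
        for rule in sg.get("rules", []):
            if not is_world_cidr(rule["cidr"]):
                continue
            for port in ADMIN_PORTS:
                if rule["from_port"] <= port <= rule["to_port"]:
                    findings.append(Finding("admin-port-open-to-world",
                                            f"{sg['id']}:{port}", "high"))
    return findings


def check_buckets(buckets: Iterable[dict]) -> List[Finding]:
    """Flag public buckets (high) and buckets without encryption at rest (medium)."""
    findings: List[Finding] = []
    for b in buckets:
        if b.get("public"):
            findings.append(Finding("bucket-public", b["name"], "high"))
        if not b.get("encrypted", False):
            findings.append(Finding("bucket-unencrypted", b["name"], "medium"))
    return findings


def evaluate(inventory_json: str) -> List[Finding]:
    """Run every posture rule over a JSON inventory document."""
    inv = json.loads(inventory_json)
    return (check_security_groups(inv.get("security_groups", []))
            + check_buckets(inv.get("buckets", [])))


def ci_exit_code(findings: Iterable[Finding], fail_on=("high",)) -> int:
    """1 (fail the pipeline stage) if any finding reaches the blocking severity, else 0."""
    return 1 if any(f.severity in fail_on for f in findings) else 0


if __name__ == "__main__":
    results = evaluate(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity}] {f.rule}: {f.resource}")
    raise SystemExit(ci_exit_code(results))
```

Run as a pipeline step, the script prints each finding and exits non-zero only for high-severity ones, so medium findings are reported without blocking the build. The threshold is a parameter so a team can tighten it as its posture improves, which is the kind of control the text argues DevOps teams should be trusted to set for their own workflows.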
With automated, integrated cloud security, DevOps can:
And that all happens without handing off cumbersome communications or reports between developers and security teams.
Organizations that have made security testing a frictionless part of the development process can break down silos, reduce bureaucracy, improve management and developer buy-in, and, most importantly, accelerate security implementation, enforcement, and remediation to the speed of cloud delivery. With a successful DevSecOps strategy and the right tools, DevOps becomes a force multiplier for security across the cloud.
The 2020 SANS DevSecOps Survey offers many insights and actionable practices beyond those discussed here, and we have three ways you can explore the survey findings:
The SANS DevSecOps survey report includes key findings, insightful analysis, and best practices to improve your cloud security posture. Download this paper to learn:
In this one-hour webinar, the report authors dig into the survey results and statistics to explore and discuss how the cloud and DevOps landscape will shape security moving forward. Watch this on-demand webinar for more information on:
The survey sponsors, including our CEO, explore five critical concerns around DevSecOps for today’s cloud-based environments. You’ll get their insights into shifting left, the security implications of using multiple cloud providers, and more, including:
CloudPassage Halo helps you close the culture gaps and accelerate DevSecOps adoption. With comprehensive, automated security that is built for the cloud, Halo is a non-invasive, frictionless cloud security platform delivered as Software-as-a-Service (SaaS) that you can have up and running in a matter of minutes. Halo helps you automatically discover cloud assets, reduce your attack surface, and respond to critical risks other tools miss.
Learn more about the Halo cloud computing security platform
Get started at no cost with the Halo free edition cloud security posture management service. It will get you going quickly, and it comes with the Halo API, so you can start automating security into your DevOps pipeline now. Why wait?