Most notably, the inaugural State of Cloud Native Application Security Report found that:
More than half of companies surveyed experienced a security incident due to misconfiguration or a known vulnerability in their cloud native applications;
Developers are three times more likely to view security as their responsibility versus their security peers; and,
Deploying automation makes it 17 times more likely that security tests run daily or more frequently.
“We’re at a pivot point in terms of the evolution of both the developer’s role as well as a transformation within the security industry as a whole,” said Guy Podjarny, Co-founder and President, Snyk. “As this latest research demonstrates, enterprises that choose to empower their development teams with the right security tools will ship their applications faster and safer than their competition, best positioning them to lead their industries in the coming decade.”
More Than Half (56%) Experience Misconfiguration or Known Vulnerability Incidents
Cloud native adoption changes the way organizations defend against cloud threats, with misconfigurations and known vulnerabilities distinctly emerging as primary concerns.
Key findings show:
60% of respondents have increased security concerns since adopting cloud native.
Misconfigurations were noted as the biggest area of increased concern (over half of respondents stated it’s now a bigger problem since moving to a cloud native platform).
Known unpatched vulnerabilities (38%) are responsible for the greatest number of security incidents in their cloud native environments.
Developers Three Times More Likely to View Security as Their Responsibility
Developers today require solutions that enable them to build security into the whole application – from code and open source to containers and cloud infrastructure, and they now have the opportunity to take on a pivotal security leadership position within their organizations as their role evolves to take on greater authority and autonomy.
Significant findings indicate greater security ownership is now being embraced by development teams faster than security teams are willing to let go of their own historic role in the traditional process.
For example:
Respondents in security roles were almost three times more likely to attribute security ownership to their team versus their development team counterparts.
More than one-third (36%) of developers admit they feel responsible for the security of their cloud native environments.
At the same time, less than 10% of respondents in security roles believed any security responsibility lay with developers.
“Each one of the over two million developers building applications securely with Snyk today are proof positive that development teams are both ready and willing to take on greater security ownership, resulting in safer enterprises globally,” added Podjarny. “It’s now up to security organizations to also embrace this shift, supporting their developer colleagues and in turn evolving their own traditional roles and responsibilities.”
Deploying Automation Makes It 17 Times More Likely Security Tests Run Daily
Adopting a broader and deeper approach to cybersecurity by embedding security tools and best practices throughout the software development lifecycle is the make or break factor in achieving cloud native application security success.
Report findings demonstrate that companies with high levels of cloud native automation also have greater adoption of security testing. Companies who automate were also twice as likely to implement security testing and twice as likely to adopt static application security testing (SAST) and Software Composition Analysis (SCA) tooling into their development lifecycles.
Automation also makes it easier to conduct more frequent testing, allowing for vulnerabilities to be identified and fixed quicker:
Nearly 70% of respondents with high levels of deployment automation were able to test their security daily (17 times more than respondents who had no deployment automation, with 60% of those only testing their security monthly).
More than 72% of respondents with high levels of automation have an average time to fix vulnerabilities of less than one week, with over a third (36%) having an average of one day or less.
Automated testing is also a key enabler of visibility into security issues, with more than a quarter (28%) of organizations with low levels of automation acknowledging they don’t currently know how long it takes them to fix issues.
"It's no surprise that automation continues to be a force multiplier,” said Andrew Krug, Security Evangelist, Datadog. “This first of its kind report now also demonstrates a strong correlation between automation and teams having the time and energy to add security controls."