Meeting the security needs of cloud native

New opportunities always come with new challenges. As organizations of every size increasingly move operations to the cloud and benefit from faster code deployment and improved application management, they are being faced with a fresh set of security issues. From malware and misconfiguration to known unpatched vulnerabilities and secret leaks, there is a whole range of cybersecurity challenges to consider.

About the author

Guy Podjarny is Founder at Snyk.

Who considers these challenges is a question that not only individual teams but the wider tech community are asking themselves. While cloud protection has historically been viewed as an issue for security teams, we’re currently witnessing a pivotal shift whereby developers are seen to play a vital role in securing cloud native applications. This evolution of developer responsibility makes perfect sense: why wait for security checks to flag issues once code has been deployed, when you can build in rigorous security measures and checks from the very start?

Cloud native security

Although the role of the developer has never been so vast, with an increased workload and the broadening of expertise requirements, it’s a myth that the developer community is resistant to this change. Developers care deeply about the quality of their code and security is a key part of this. Indeed, according to Snyk’s 2021 State of Cloud Native Application Security report, 68% of the developers surveyed said it was either developers or DevOps/DevSecOps teams who were primarily responsible for the security of their cloud native environment and applications. Developers are also keenly aware of the cloud security challenges they face, with six in ten stating that switching to cloud native technologies had increased their security exposure concerns.

However, not all security concerns are created equal. It’s misconfiguration and known unpatched vulnerabilities that pose the biggest threat to organizations, with 45% of respondents stating they had experienced a misconfiguration incident in production and 38% reporting a known unpatched vulnerability issue. These findings suggest that it’s infrastructure-based responsibilities where developers need more support if they’re to fully own their role in cloud security.

Key role of automation

Fortunately, support is available and automation plays a key part in this. While building fully automated deployment pipelines is a challenge in itself, once automation and processes are in place they create a virtuous cycle that provides multiple integration points to enable further automation and regular, strict security testing. In fact, Snyk’s report found that companies with high levels of deployment automation were more than twice as likely to have adopted security testing at all points throughout the software development lifecycle, in comparison to organizations with no automation.

Not only does automation enable security testing at every stage of the development lifecycle, it allows for greater testing frequency, so vulnerabilities can be identified earlier. Again, Snyk found that organizations with high levels of deployment automation were much better equipped for testing: almost 70% of respondents with high levels of deployment automation were able to test their security daily, or even more frequently — a percentage 17 times higher than respondents with no deployment automation. And faster finding translates to faster fixing, with organizations with full automation more than four times more likely to fix security issues in a single day and more than twice as likely to fix them within a week.

However, for the strongest cloud security, developers need not only a way to identify vulnerabilities throughout the development lifecycle, but also a means to determine the optimal order in which they should be addressed. Vulnerabilities carry very different risks, determined by the severity of the vulnerability, the maturity of any attacks and the visibility to attackers. If a vulnerability is potentially severe, but is only accessible if attackers manage to get through multiple layers of security, then its priority should be lowered. On the flip side, if 100 vulnerabilities can be fixed by a single base image update, then this task should rise to the top of a developer’s to-do list.
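The prioritization described above, sketched as an added example that is not from the article or from any Snyk tool: findings are scored by severity and exploit maturity, discounted for each security layer an attacker must pass, then grouped by the fix that removes them. The weights, field names and sample findings are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed weights (illustrative only, not from the article or a scoring standard).
SEVERITY = {"low": 1, "medium": 3, "high": 6, "critical": 10}
MATURITY = {"none": 0.5, "proof-of-concept": 1.0, "mature": 1.5}


def risk(finding):
    """Severity scaled by exploit maturity, halved for each security layer
    an attacker must get through before reaching the vulnerable component."""
    base = SEVERITY[finding["severity"]] * MATURITY[finding["exploit"]]
    return base / (2 ** finding["layers"])


def prioritize(findings):
    """Group findings by the remediation that removes them, then rank the
    remediations by the total risk each one eliminates."""
    by_fix = defaultdict(list)
    for f in findings:
        by_fix[f["fix"]].append(f)
    ranked = [
        {"fix": fix, "count": len(fs), "risk": round(sum(risk(f) for f in fs), 2)}
        for fix, fs in by_fix.items()
    ]
    return sorted(ranked, key=lambda r: r["risk"], reverse=True)


# Constructed sample: 100 moderate findings inherited from one base image,
# a critical issue behind three layers, and an exposed high-severity issue.
FINDINGS = (
    [{"id": f"IMG-{i}", "severity": "medium", "exploit": "none", "layers": 0,
      "fix": "update base image"} for i in range(100)]
    + [{"id": "APP-1", "severity": "critical", "exploit": "mature", "layers": 3,
        "fix": "patch internal service library"},
       {"id": "APP-2", "severity": "high", "exploit": "proof-of-concept",
        "layers": 0, "fix": "upgrade web framework"}]
)

if __name__ == "__main__":
    for item in prioritize(FINDINGS):
        print(f'{item["risk"]:>7}  {item["count"]:>3} finding(s)  {item["fix"]}')
```

Ranking remediations rather than individual findings is what lets the single base image update outrank the deeply buried critical issue.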

Developer-first security tools

It’s crucial that the security tools an organization chooses are able to provide this level of context to their team. Although the security landscape is changing and developers are owning their rightful role within it, it’s not reasonable to expect every developer to instantly become a security expert. Instead, organizations need to be adopting developer-first security tools that will act as a trusted security expert and that sit in every developer’s toolbox. Expanding the role of developers isn’t about heaping new pressures on them but empowering them to help keep cloud applications and infrastructure safe.

The way we view security responsibilities is changing — and that’s crucial in meeting the ever-expanding challenge of cloud native security. Developers are integral to building secure cloud environments and research shows they know this. However, awareness and action are two very different things. If developers are to fully grow into their security role then they need to be supported by infrastructure that enables frequent testing, throughout the development lifecycle, and tools that help them know which tasks to prioritize. It’s through these steps that developers can strengthen their security posture and protect against the threats that come with embracing the cloud.
