A recent study shows a narrowing gap between enterprises' application development skills and the likelihood of a vast data breach. Credit: Guirong Hao / Getty Images If there is anything that keeps cloud development leaders up at night, it’s the fact that the risk of an impending security breach is scarily high. If I go around the room at any enterprise development meeting, devops engineers, cloud developers, and cloud architects all see a company-debilitating breach as inevitable. Enterprise Strategy Group recently completed a cloud threat detection and response research project with interesting results. First, what we already understand: 80% of organizations have adopted a devops model, and 75% push new software builds to production at least once a week. The top challenges include not having enough visibility and control within the development process, software released without security checks, and inconsistent security processes across development teams. I would add supply chain concerns as well. Now, the scary part. The survey found that in the past year, 99% of organizations experienced cyberattacks related to cloud-hosted applications and infrastructure. Most of you are thinking that you haven’t heard about a breach within your own enterprise, but they are often kept secret, even within the company. The primary attack vectors are misconfigurations (something is just not configured correctly), general software vulnerabilities, and misuse of privileged accounts. These seem like easy problems to fix. However, for some reason, they have become more systemic. This report notes this, and I see it often. What should be done? What strikes me most is that we understand how to fix these vulnerabilities but have not taken steps to do so. Most of the CISOs I talk to offer the following excuses. First, they are not given the budget to plug up these vulnerabilities. In some instances, this is true. Cloud and development security are often underfunded. However, in most cases, the funding is good or great relative to their peers, and the problems still exist. Second, they can’t find the talent they need. For the most part, this is also legit. I figure that there are 10 security and development security positions that are chasing a single qualified candidate. As I talked about in my last post, we need to solve this. Despite the forces pushing against you, there are some recommended courses of action. CISOs should be able to capture metrics demonstrating risks and communicate them to executives and the board. Those are hard conversations but necessary if you’re looking to take on these issues as an executive team and reduce the impact on you and the development teams when stuff hits the fan. In many instances, the C-levels and the boards consider this a ploy to get more budget—that needs to be dealt with as well. Actions that can remove some of this risk include continuous security training for software development teams. This is your first line of defense. Then you can establish realistic security milestones and a security road map. Also, it’s OK to be creative, such as offering financial incentives for security improvement. Most CISOs can’t tell you what the plan is for maturing their security posture, and that becomes a core weakness. I understand that it’s hard to plan, and hopefully something will come to you during the next cloud conference, but this needs to be urgent, proactive, and specific to your needs. If you follow the trends here, you’ll fail, period. It’s all about automation Efforts should focus on accelerating devsecops. Everyone needs to be speaking the same language, creating a unified culture, and pushing for automation and tools integration. Automation is really key to creating repeatable security risk mitigation processes, from checking source code supply chains, to examining code for vulnerabilities, to verifying configurations that are about to go into products. You know, devsecops 101. To carry out this automation, we need to first understand that security should be part of the development process from the planning stage onward. It’s systemic to everything, including architecture, application design, development, testing, and deployment. The fundamental mistake that gets us in trouble is thinking of security as something bolted on at the end of the development and deployment process. Finally, nothing should be pushed to production without passing very specific security tests driven by automation. Security should be drop-dead simple because we’ve automated all security development features and checks before code is released to deployment. Humans should be automated right out of the mix, especially since we have few qualified people around and they seem to be missing some steps. We can fix this one. Related content analysis Generative AI won’t fix cloud migration You’ve probably heard how generative AI will solve all cloud migration problems. It’s not that simple. Generative AI could actually make it harder and more costly. By David Linthicum Jul 12, 2024 5 mins Generative AI Artificial Intelligence Cloud Computing analysis All the brilliance of AI on minimalist platforms Buy all the processing and storage you can or go with a minimum viable platform? AI developers and designers are dividing into two camps. By David Linthicum Jul 09, 2024 5 mins Generative AI Cloud Architecture Artificial Intelligence analysis The next 10 years for cloud computing Despite AI's explosive growth, the industry still needs to face facts that customers are unhappy about costs and vendor lock-in. By David Linthicum Jul 05, 2024 5 mins Amazon Web Services Google Cloud Platform Microsoft Azure analysis Serverless cloud technology fades away Serverless was a big deal for a hot minute, but now it seems old-fashioned, even though its basic elements, agility and scalability, are still relevant. By David Linthicum Jul 02, 2024 4 mins Serverless Computing Cloud Computing Software Development Resources Videos