Earlier this year, The Linux Foundation surveyed 200 organizations to understand how they’re tackling security in cloud native application development.
At a time when security breaches are increasing in frequency and in impact – the average breach now costs $4.88 million according to IBM’s 2024 Cost of a Data Breach Report – it’s instructive to see how cloud native practitioners feel they’re handling the often sisyphean task of security. After all, security concerns are so widespread there’s now a list of 35 statistics to lose sleep over in 2024. And even the US government issued a stark warning in its 2024 Report on the Cybersecurity Posture of the United States: “It is now clear that a reactive posture cannot keep pace with fast-evolving cyber threats and a dynamic technology landscape.”
Security will also be top of mind during KubeCon + CloudNativeCon NorthAmerica 2024 in Salt Lake City, Utah, in November, with 25 sessions devoted to the topic (but more on that below).
It starts with cloud native
To start on a positive note, 84% of organizations report their cloud native apps are more secure than they were two years ago, and 76% said “much” or “nearly all” of their application development was cloud native. Companies acknowledging “nearly all” cloud native techniques were also the most likely (54%) to report their applications were significantly more secure.
Why are those organizations saying they’re so much more secure? They are certainly doing more testing. These much more secure organizations are far more likely to be running static application security tests (SAST) – 69% vs. 55% reported by companies that said their security posture was largely unchanged from two years ago. The significantly more secure group is also 22% more likely to be doing software composition analysis than the unchanged group (67% vs. 45%), and 25% more likely to be running web application scans (WAS), 63% vs. 38%.
These significantly more secure organizations are also doing more of what every organization should be doing: they’re checking all the security assessment “must do” boxes.
- 80% are doing code review vs. 59% of the unchanged security status
- 69% manage configuration vs. 52%
- 81% oversee CI and deployment security vs. 48%
- 65% handle secrets management vs. 45%
- 63% update dependencies vs. 45%
- 82% do automated security testing vs. 42%
- 75% scan for vulnerabilities/handle remediations vs. 34%
- 66% check compliance vs. 27%
What are the challenges?
Almost half of cloud native-forward organizations (49%) reported their biggest security challenge was keeping up with emerging threats, data which certainly tracks with the broader trends. Other problems included complexity of software and infrastructure (37%), time constraints and secure deployment and operations, both 35%.
Where have companies experienced breaches? A majority of respondents (40%) said cloud infrastructure and services, followed by configuration and secrets management (25%), application runtime environment (23%), and data storage/management and user access/identity management, both 22%.
Read the report in full.
Time to tune up your org’s security practices?
If this has you thinking, KubeCon + CloudNativeCon North America 2024 has 25 in-depth sessions focused solely on security, meaning you can soak in all the advice, and then get even more good ideas networking in the hallways between sessions. Here’s a taste of what you can expect:
Preventing privilege escalation in GitOps
How to leverage WASM to secure cloud native apps
“Why perfect compliance is the enemy of real security”
Don’t wait – register today for KubeCon + CloudNativeCon North America 2024