At the Cloud Native Security Summit, Enterprise Strategy Group (ESG) today revealed the results of a survey of 600 senior IT leaders that finds organizations are looking at DevSecOps as a way to address the complexities of managing and securing cloud-native applications.
According to the survey results, 43% of respondents said their biggest challenge with cloud-native applications is maintaining consistency across disparate infrastructures. Accordingly, the same share of respondents cited DevSecOps automation as their highest cloud security priority.
Commissioned by Capsule8, Obsidian and Signal Sciences, the survey also finds 90% of respondents are concerned about not having visibility into misconfigured cloud services, server workloads, network security or privileged accounts. Another 83% are worried about the misuse of privileged accounts by insiders.
Two-thirds (66%) say IT is more complex than it was two years ago, with more than a third (35%) citing the need to manage multiple cybersecurity controls as a major source of that complexity.
Doug Cahill, a senior analyst and group director at ESG, said it’s clear that as organizations embrace DevOps best practices to build and deploy cloud-native applications, those processes are now being extended to include security controls as part of the quality assurance process. Rather than bolting on security, Cahill said, more organizations are building cybersecurity controls into their software from the ground up.
Capsule8 CEO John Viega noted much of that shift is being driven by necessity. When applications were deployed mainly in on-premises IT environments, it was easier to secure the environment by deploying appliances. Now organizations need to secure applications on infrastructure they don’t control as part of a shared responsibility model that often spans multiple cloud service providers. The cloud may be more agile and less expensive, but Viega noted it’s not uncommon for hundreds of cloud accounts to have been set up by individuals in the same organization, each with very different levels of cybersecurity expertise.
Obsidian Security CTO Ben Johnson added the rate at which cloud-native applications are being deployed and updated is overwhelming the ability of cybersecurity teams to keep pace. In fact, many organizations are still underestimating the scope of the cloud-native cybersecurity challenge they face.
Finally, Hala Al-Adwan, vice president of technology for Signal Sciences, observed that as organizations embrace DevSecOps, cybersecurity professionals will still play a key role in terms of their consulting expertise. However, responsibility for implementing cybersecurity will continue to shift left toward DevOps teams. The challenge those teams will face is the need to replace legacy cybersecurity infrastructure designed for cybersecurity administrators with programmable tools that fit neatly within a continuous integration/continuous deployment environment, said Al-Adwan.
It’s not clear precisely when a desire to embrace DevSecOps will result in more secure applications. In theory, cloud-native applications should be a lot more secure than legacy monolithic applications. However, the degree to which higher levels of security will motivate organizations to replace monolithic applications remains to be seen.
In the meantime, cultural issues associated with embracing DevSecOps will abound. There are simply not enough cybersecurity professionals available to participate in every application development scrum session. The real issue now is finding a way to embed that knowledge into an application development process operating at industrial scale.