DevOps.com


Why DevSecOps Should Be Top Priority

By: Amol Kulkarni on May 26, 2022

DevOps culture and process are integral to maintaining the pace of cloud-native software development for organizations, especially when code deployments might take place many times a day. The ability to instantly create, populate and scale cloud applications and infrastructure, often automated through code, allows enormous agility and incredible speed. But moving this quickly means security is often left in the dust.

The reality is that many organizations still haven’t come to grips with how to properly secure the cloud. A lack of cloud security experience, coupled with legacy security policies that don’t encompass the cloud and a shortage of cybersecurity expertise relevant to cloud environments, presents a challenge. And cybercriminals are moving quickly to exploit these gaps: a 2021 report showed that almost half of the more than 2,500 cloud-related vulnerabilities on record were disclosed in the last 18 months.

Due to the agile nature of cloud technologies, security must be integrated at every stage of the DevOps life cycle, an approach known as DevSecOps. A DevSecOps mindset is an absolute necessity for any organization that is leveraging the cloud, and it requires new security guidelines, policies, practices and tools.

The Cloud is Vulnerable

Data breaches are among the most urgent concerns of any organization today. A 2021 report revealed that data breach costs rose from $3.86 million USD in 2020 to $4.24 million USD in 2021. The techniques that adversaries use to infiltrate the cloud differ from those used against on-premises environments. Malware attacks are far less prevalent; instead, attackers exploit misconfigurations and other vulnerabilities.

Another major concern is that organizations usually run multi-cloud environments, which can cause a visibility issue. Cloud workloads and traffic may not be properly monitored, leaving security gaps for attackers to exploit. Also, DevOps teams tend to provide employees with far more privileges and permissions than they need to perform their jobs, which increases identity-based threats. According to research, nearly 80% of cyberattacks leveraged identity-based attacks to compromise legitimate credentials.

Threat actors will also deploy a variety of attack methods to compromise an organization’s cloud environment. Lateral movement is a common technique that involves threat actors going from the point of entry to the rest of the network (for example, infiltrating an end user or system hosted on-premises and then shifting their access to the cloud). Research showed that adversaries move quickly—in just 98 minutes they can move laterally from a compromised instance to another instance within the victim environment. 

Another way for attackers to profit from cloud vulnerabilities is by installing cryptominers on a company’s systems. Cryptocurrency mining requires large amounts of computing power. Threat actors use compromised cloud accounts to carry out this process and extract as much profit as possible, while simultaneously using up the company’s resources.

Shifting Security Left

Protecting the cloud means securing an increasingly large attack surface that ranges from cloud workloads to virtual servers and other technologies that underpin the cloud environment. Attackers are always looking for soft spots they can exploit, particularly vulnerable cloud applications. With organizations moving to the cloud now more than ever to meet the needs of a remote workforce, opportunities to exploit cloud apps have increased. 

Traditionally, code is subjected to security review as the last phase before release. When vulnerabilities are exposed, either the release is delayed or the development team has to scramble to correct each security issue while the security team scrambles to check the revisions. For DevOps teams, shifting security left ensures vulnerable code is identified as it is developed rather than in the testing phase, which reduces costs and results in secure cloud apps.

The concept of shift left security is an essential part of the software development life cycle, and getting it right must be a top priority. By embedding security into the earliest phases of the development process, organizations can achieve DevSecOps and significantly reduce the security concerns around cloud-native software and application development. 

Effective Cloud Security can Enable DevSecOps 

Organizations that use DevSecOps tools and practices can build a powerful and secure cloud foundation. Unifying the visibility of multi-cloud environments and continuous intelligent monitoring of all cloud resources are essential in cloud security. That unified visibility must be able to detect misconfigurations, vulnerabilities and security threats while providing actionable insights and automated remediation for developers and DevOps teams. 

Additionally, it’s essential to have the right security policies in place that enforce cloud security standards to meet (or exceed) industry and government regulations across the entire infrastructure. This includes everything from multi-factor authentication to general security best practices for all employees and robust incident response that ensures the company is prepared for an attack.

However, the core of any effective cloud security strategy should always be up-to-date threat intelligence. Adversaries are constantly finding new ways to target the cloud and search for any weaknesses they can exploit. Having the latest data about threat actors and their tactics, and then applying it to breach detection, is an absolute must. Threat intelligence enables security teams to anticipate threats and prioritize defense, mitigation and remediation effectively to preempt them. Delivering all this functionality from the cloud and for the cloud through DevSecOps provides organizations with the prevention, detection, visibility and response capabilities they need to beat attackers.
