A cloud security report released this week by Check Point Software Technologies found that only 16% of respondents have comprehensive DevSecOps in place, while some 37% are starting to incorporate some aspect of DevSecOps within their organizations.
The survey also found that misconfigurations were the No. 1 cause of cloud security incidents in 2021.
Despite these challenges, organizations are continuing to adopt the cloud, with more than 25% reporting 50% of their workloads in the cloud.
“It is clear from this survey that security teams are finding the increased reliance on the cloud a bit of a challenge,” said TJ Gonen, vice president of cloud security at Check Point. “Faced with the skills shortage, organizations need to do everything they can to simplify their cloud security management.”
The Check Point report found that most companies are struggling with the lack of expertise that bridges security and DevOps with only 16% having comprehensive DevSecOps in place, said Stephanie Simpson, vice president of product management at Scythe.
“A lot of companies focus their DevSecOps on using technologies, forgetting that people and processes need to be included as well,” Simpson said. “Supply chain vulnerabilities from using open source code, like we’ve seen with Log4j, are difficult to detect. Threat modeling that brings together OWASP and the MITRE AT&CK model is one way to help DevOps become DevSecOps.”
Aaron Turner, vice president of SaaS posture at Vectra, said in research that Siriux (acquired by Vectra) conducted in 2021, they found that less than 20% of enterprise security teams had the skills and resources to detect cloud security incidents. Turner said the Siriux research combined with the recent Check Point research indicates that cloud security incidents are most likely going undetected.
“If we take a look at the large-scale incidents reported by DHS and NSA alerts, the broad scale applicability of the cloud attack tools makes it very easy to find vulnerable cloud environments and rapidly exploit weak default configuration settings,” Turner said. “In the SaaS space, our team has been working with Microsoft to better manage M365 vulnerabilities. As attacks evolve to become cloud-first campaigns, security teams need the skills and resources to properly manage these risks.”