From nation-state attacks to what has been called the “largest and most sophisticated attack” ever seen, 2021 has definitely given us goosebumps. But as breaches become costlier than ever, is it possible that they’re also becoming more preventable than ever? Security misconfigurations can be mitigated by shifting security left and embracing DevSecOps, yet they remain among the most common risks affecting web applications and are becoming a leading cause of data breaches.
We’ll share six spooky statistics that show why you need to embrace DevSecOps. And fear not, we’ll also provide six tips on how you can avoid these scary situations.
- Over 280 million people have been affected by a data breach in 2021. The Identity Theft Resource Center reports that the number of data breaches so far this year has already surpassed the total number in 2020 by 17%. If things keep going this way, it could mean a record-breaking year for data compromises. 😱
- 78% of developers report that securing the cloud is a top concern. According to a recent survey from the analyst firm Forrester, 78% of respondents note that trying to secure the cloud is a top challenge. Add to the mix the rise of containers and microservices, and the situation can become quite spooky. 👻
- A reactive security strategy is still prevalent in more than 50% of organizations. Reactive practices, such as using tools on deployed applications and manually reviewing code for vulnerabilities, were the top two practices associated with coding securely in more than half of all organizations, according to the most recent Secure Code Warrior report. Luckily, the same research shows that an industry-wide shift is happening away from reaction towards prevention as organizations evolve beyond traditional practices in favor of DevOps and Secure DevOps. 🦇
- 63% of third-party code templates used in building cloud infrastructure contained insecure configurations. According to Unit 42’s most recent Cloud Threat Report, unvetted third-party code can introduce significant security flaws and give attackers access to sensitive data in cloud environments. The report emphasizes that cloud-native applications have a long chain of dependencies, making it critical to shift security left and evaluate risk at every stage of the dependency chain. 🕷
- 70% of organizations say their digital transformation efforts are taking longer than expected. According to recent research from Anitian, lifting and shifting all of your applications from bare metal to the cloud can be a nightmare, especially if security is an afterthought, which creates bottlenecks and vulnerabilities later down the line. To make digital transformation a little less scary, companies have realized that security needs to be woven into the DevOps approach, which has caused the rapid adoption of DevSecOps across industries. 🧟‍♂️
- Reliable companies are two times more likely to shift security left. Reliability and security go hand in hand, and according to the DORA 2021 Accelerate State of DevOps report, security can no longer be an afterthought: elite performers who exceeded their reliability targets were twice as likely to have implemented security practices earlier in the software development life cycle. 🧛‍♂️
- Foster a culture of security. All other security efforts will fail if security is not a priority for engineering and operations teams. Having executive-level buy-in ensures that moving fast still includes security. Tight collaboration between teams brings security in as influencers and trusted advisors, rather than scary undead gatekeepers.
- Train developers to secure their own code. The earlier in the life cycle a scary bug is caught, the more likely it is to be squashed. Developers are the first line of defense, and training them to secure their own code is far more scalable than security doing it alone in the dark. Train them to tackle their top concern of securing the cloud.
- Automate and embed security in DevOps tools. Developers and security don’t need to fight these monsters alone. Bring in the bots to proactively take on the dirty tasks of finding cobweb-covered misconfigurations in dark corners that were missed. Do this in existing developer tools, so developers can stay secure at home, rather than in the spooky mansion of security tools. This will free up those teams to accelerate the move to the safe haven of the cloud.
- Minimize the attack surface area. Finding and fixing common misconfigurations and vulnerabilities, as well as minimizing access to the least privilege necessary, minimizes the blast radius of an attack. A good security posture will stop those basic attacks from stealing your data in the night.
- Add guardrails to prevent misconfigurations. Relying on finding and fixing misconfigurations after they have already been deployed is a scary prospect. Add guardrails to your CI/CD pipeline using tools like Checkov that scan infrastructure-as-code on every commit and block misconfigured code from ever coming to life.
- Use runtime protection for slippery attacks. Even with the best shift-left strategy, legacy deployments and zero-days will haunt your runtime environments. For applications and infrastructure that weren’t deployed through a secure pipeline, find and squash those bugs in production with runtime protection, and rely on the same runtime protection to stop unknown threats in their tracks.
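The tips above on automating checks inside developer tooling, minimizing access to least privilege and adding CI/CD guardrails all meet in one place: a policy gate that reads a plan and refuses to let it through. The block below is an added example, not code from the original post and not Checkov’s or Bridgecrew’s code. It is a deliberately small stand-in that shows the shape of such a gate over a constructed `terraform show -json` plan; the resource names, both sample plans and the `guardrail.py` filename are assumptions. In a real pipeline you would run Checkov over the same directory and fail the job on its exit code; the hand-written checks here only make the blocking behaviour concrete.

```python
"""Stand-in CI guardrail for Terraform plans (illustration, not Checkov).

Reads the JSON that `terraform show -json tfplan` produces, flags three
classic misconfigurations (public S3 ACL, management ports open to the
world, IAM policy granting '*' on '*') and returns a non-zero exit status
so the pipeline step blocks the change.
"""
import json
import sys

# Constructed sample plan with all three problems present (not a real plan).
BAD_PLAN = {"planned_values": {"root_module": {"resources": [
    {"type": "aws_s3_bucket", "name": "logs",
     "values": {"bucket": "acme-logs", "acl": "public-read"}},
    {"type": "aws_security_group", "name": "bastion",
     "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                             "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_iam_policy", "name": "deploy",
     "values": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
]}}}

# Same resources after remediation: private ACL, SSH limited to the VPC,
# IAM policy scoped to one action on one bucket (least privilege).
GOOD_PLAN = {"planned_values": {"root_module": {"resources": [
    {"type": "aws_s3_bucket", "name": "logs",
     "values": {"bucket": "acme-logs", "acl": "private"}},
    {"type": "aws_security_group", "name": "bastion",
     "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                             "cidr_blocks": ["10.0.0.0/8"]}]}},
    {"type": "aws_iam_policy", "name": "deploy",
     "values": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::acme-logs/*"}]})}},
]}}}

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
MGMT_PORTS = {22, 3389}
WORLD = {"0.0.0.0/0", "::/0"}


def _as_list(v):
    """Terraform and IAM fields may be a scalar or a list; normalise to a list."""
    return v if isinstance(v, list) else [v]


def _walk(module):
    """Yield resources from a module and, recursively, from its child modules."""
    yield from module.get("resources") or []
    for child in module.get("child_modules") or []:
        yield from _walk(child)


def check_resource(res):
    """Return (address, message) findings for one planned resource."""
    rtype, vals = res["type"], res.get("values") or {}
    addr = f"{rtype}.{res['name']}"
    findings = []
    if rtype == "aws_s3_bucket" and vals.get("acl") in PUBLIC_ACLS:
        findings.append((addr, f"ACL '{vals['acl']}' exposes the bucket publicly"))
    if rtype == "aws_security_group":
        for rule in vals.get("ingress") or []:
            cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
            lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
            if str(rule.get("protocol")) == "-1":  # protocol -1 means every port
                lo, hi = 0, 65535
            exposed = sorted(p for p in MGMT_PORTS if lo <= p <= hi)
            if cidrs & WORLD and exposed:
                findings.append((addr, f"port(s) {exposed} open to the world"))
    if rtype == "aws_iam_policy":
        doc = json.loads(vals.get("policy") or "{}")
        for st in _as_list(doc.get("Statement") or []):
            if (st.get("Effect") == "Allow"
                    and "*" in _as_list(st.get("Action") or [])
                    and "*" in _as_list(st.get("Resource") or [])):
                findings.append((addr, "policy allows '*' on '*'; violates least privilege"))
    return findings


def scan_plan(plan):
    """Collect findings across the whole plan, child modules included."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return [f for res in _walk(root) for f in check_resource(res)]


def gate(plan):
    """Pipeline exit status: 1 blocks the merge/apply, 0 lets it through."""
    findings = scan_plan(plan)
    for addr, msg in findings:
        print(f"FAIL {addr}: {msg}")
    return 1 if findings else 0


if __name__ == "__main__":
    # Assumed CI usage: terraform show -json tfplan > plan.json && python guardrail.py plan.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            chosen = json.load(fh)
    else:
        chosen = BAD_PLAN
    sys.exit(gate(chosen))
```

Wired into a pipeline step, the non-zero exit status is what turns a finding into a guardrail rather than a report: the pull request cannot merge and `terraform apply` never runs until the plan comes back clean. The same three checks run against the remediated plan return nothing, which is the signal developers get when they have fixed the issue in their own tooling rather than waiting for a security review.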
With this advice, those scary stats should be slightly less frightful. Now you can go to sleep soundly knowing that you have found those issues that would normally go bump in the night.
This post is adapted from its original posting on The New Stack.