Visitors walk by a cloud sign at a technology trade fair on March 21, 2017, in Hanover, Germany. S3 buckets have become a security time bomb, said one expert. (Alexander Koerner/Getty Images)

Coalfire on Thursday released a report developed by its Cloud Advisory Board that defines best practices for securing cloud application development and management.

The report takes into consideration how competition, COVID-19, and the rapid adoption of cloud technologies have driven organizations to build software and bring digital products to market with novel technologies and new management styles.

"In the cloud, code is embedded every step of the way from the data center to the edge of networks, across expanding attack surfaces," said Mark Carney, chief operating officer at Coalfire. "Code is more vulnerable now, and the development process is endlessly exposed to new threats from inception to the end of every product lifecycle.”

The report outlines how companies can establish a secure development process and culture by taking the following steps:

  • Embed software techniques. Embed security into the software development life cycle from the start through several techniques, including threat modeling before writing code, using application security testing gates, and implementing secure coding standards.
  • Expand automation use cases. The report highlights more than 20 automation opportunities across the DevSecOps lifecycle, from real-time alerting when security and functional inspections fail to collecting governance artifacts and automating traceability.
  • Identify AppSec champions. Target and develop experts who can deliver support and scale DevSecOps efforts.
  • Build a security culture from the ground-up. Rely on the cultural triad: partnership, cooperation, and collaboration.

It’s clear that if any organization can make real inroads into security in the workplace, security teams must integrate security in every aspect of business operations from the board level down to software engineering, said John Bambenek, principal threat hunter at Netenrich.

“If security is simply just the responsibility of the security team, the best they’ll likely do is incident response when bad things happen,” Bambenek said. “DevSecOps actually needs to integrate security and not merely be automated provisioning of credentials. Every major software or business application effort should include threat models early in the process so the team can build protection and controls into the operation.”