DevSecOps

Three ways to improve cloud security without slowing down developers

Software supply chain and Log4j

Applications are developed today at light speed across cloud-native, multi-cloud, and hybrid environments, driving digital transformation. Today more than three-fourths of organizations deploy new or updated code to production weekly, and nearly half are committing new code daily.

While this rapid development encourages innovation, it also presents a challenge for security teams when it comes to keeping up, especially with the staggering ratio of developer to security professionals: 10 to 1. On the developer side, frustrations often arise when security teams consistently slow down the process to inspect and reconfigure vulnerable code.

The constant tension between teams over the years has given rise to new tools and approaches that let developers quickly build and deploy their applications with the confidence that vulnerabilities won’t reach production environments. The security industry realized it needed to “shift left” and bring security to the developers, since eliminating risk at the start of the application life cycle is the most effective way to ensure applications are secure by the time they reach production. To help bring both teams together without slowing down production or compromising security, here are three practical cloud security approaches every enterprise should adopt:

  • Visibility does not equal security: Organizations typically start their cloud security journey with visibility tools that offer a complete view of the cloud environment and alert security teams to known vulnerabilities and misconfigurations. While it’s a great starting point, organizations that use 50 or more applications across multiple clouds can generate hundreds of alerts per application. Relying on visibility tools alone not only fails to remediate risk, it also creates more work for developers, who have to go back and fix their code. Additionally, many visibility tools don’t pinpoint the location of a risk or prioritize it, causing even more work for developers. This ultimately takes developers away from their number one goal: building apps. They need to adopt tools that provide holistic visibility but also have risk prioritization and prevention capabilities built in. This offers better overall protection for the organization and saves developers countless hours of essentially searching for a needle in a haystack.
  • Understand the evolving attack surface: Supply chain attacks have the potential to cause a disaster, as seen in incidents such as SolarWinds and Log4j. We are witnessing a paradigm shift in recent years, as organizations increase their reliance on software engineering to accelerate business outcomes. However, this has reshaped the attack surface and created numerous new opportunities for adversaries, who realize that the engineering ecosystem shapes up as the new “path of least resistance.” It’s imperative for security teams to stay involved in even more pieces of the application development process so attackers can’t exploit valuable code. We need a layered method to address security gaps and protect every corner of the attack surface. Think of it as a “swiss cheese” approach. Each layer of the application acts like a slice of swiss cheese, and each slice has holes. The more layers are added, the less likely it is that the holes in every slice line up. This reduces the chance of a disaster, or of attackers penetrating through all layers.
  • Engage a platform approach: Organizations can support their security teams and close the gap by consolidating security into a multifunction platform that’s simple for teams to use and embedded in every phase of the application development cycle, from code to cloud. The platform approach addresses a broad set of interconnected needs spanning traditionally disparate teams. We can ensure security gets prioritized without impeding development by using a unified platform approach that unites cloud builders and cloud defenders on a common framework. Security professionals can help make this a frictionless experience by keeping up with an understanding of a developer’s environment and the pace of innovation, so they can integrate into existing processes. This way, organizations can rest assured that they are protected while their teams continue developing.
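The first point above, that raw visibility produces hundreds of alerts per application while developers need a short, located, ordered list, is easy to see in code. The following is an added illustration, not code from the article or from any Prisma Cloud product: it takes a constructed batch of scanner findings, removes duplicates, scores each finding by severity, internet exposure, fix availability and whether it carries a source location, and returns the ranked work list a developer would actually act on. The finding fields, weights and sample values are all assumptions made for the example.

```python
"""Collapse a flood of cloud-security findings into a prioritized work list.

Added illustration (not the article's or any vendor's code). The finding
schema, the scoring weights and the sample data below are all assumptions.
"""

# Constructed sample findings, modelled on what a visibility tool might emit.
# F1 and F2 are the same misconfiguration reported twice; F4 has no location.
RAW_FINDINGS = [
    {"id": "F1", "app": "payments", "rule": "s3-public-read", "severity": "high",
     "internet_exposed": True, "fix_available": True, "file": "infra/s3.tf", "line": 12},
    {"id": "F2", "app": "payments", "rule": "s3-public-read", "severity": "high",
     "internet_exposed": True, "fix_available": True, "file": "infra/s3.tf", "line": 12},
    {"id": "F3", "app": "payments", "rule": "vulnerable-log4j-dependency", "severity": "critical",
     "internet_exposed": True, "fix_available": True, "file": "pom.xml", "line": 44},
    {"id": "F4", "app": "reports", "rule": "unused-iam-role", "severity": "low",
     "internet_exposed": False, "fix_available": False, "file": None, "line": None},
    {"id": "F5", "app": "reports", "rule": "sg-open-ssh", "severity": "medium",
     "internet_exposed": True, "fix_available": True, "file": "infra/sg.tf", "line": 7},
]

# Assumed scoring weights: severity is the base, exposure and an available fix
# raise the priority, and a finding with no source location is harder to act on.
SEVERITY = {"critical": 9, "high": 7, "medium": 4, "low": 1}
EXPOSED_BONUS = 3
FIX_BONUS = 2
UNLOCATED_PENALTY = 1


def dedupe(findings):
    """Drop repeated reports of the same rule at the same place in the same app."""
    seen = set()
    unique = []
    for f in findings:
        key = (f["app"], f["rule"], f["file"], f["line"])
        if key in seen:
            continue
        seen.add(key)
        unique.append(f)
    return unique


def score(f):
    """Compute a single priority number from the assumed weights."""
    s = SEVERITY.get(f["severity"], 0)
    if f["internet_exposed"]:
        s += EXPOSED_BONUS
    if f["fix_available"]:
        s += FIX_BONUS
    if f["file"] is None:
        s -= UNLOCATED_PENALTY
    return s


def location(f):
    """Render the precise place a developer must open, if the tool knows it."""
    return f"{f['file']}:{f['line']}" if f["file"] else "(no source location)"


def prioritize(findings, top_n=None):
    """Return (id, score, app, rule, location) rows, highest priority first."""
    ranked = sorted(dedupe(findings), key=score, reverse=True)
    if top_n is not None:
        ranked = ranked[:top_n]
    return [(f["id"], score(f), f["app"], f["rule"], location(f)) for f in ranked]


if __name__ == "__main__":
    for row in prioritize(RAW_FINDINGS):
        print(row)
```

Running it prints four rows instead of five: the duplicate S3 finding is gone, the exposed Log4j dependency with a fix available sits at the top with an exact `pom.xml:44` location, and the unexposed, unlocated IAM finding drops to the bottom where it belongs in a developer's queue.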

Developer teams are helping drive innovation to create tomorrow’s technology, and security should complement rather than hold back this modernization. Organizations have the ability to foster an environment where developers and security teams work together on a secure, cohesive approach to application development that reduces the risk of threats.

Ankur Shah, SVP & GM, Prisma Cloud, Palo Alto Networks
