Are We There Yet? The State of Cloud-Native Security

In this session from DevOps Connect: RSAC 2021, Matt Jarvis and Simon Maple from Snyk discuss new, insightful and surprising findings on cloud-native application security from a recent industry survey. Learn about the changes in the threat landscape, the most common types of incidents, new ‘shift left’ trends and more. The video is below, followed by a transcript of the conversation.

Simon Maple: Hello and welcome to this session, Are We There Yet? The State of Cloud Native Application Security. This is part of the DevOps Connect Virtual Summit. So let’s get started into this session. Now speakers today, myself, field CTO at Snyk, and joining me today as my co speaker, Matt Jarvis, senior developer, advocate at Snyk. Hey, Matt. How’s it going?

Matt Jarvis: I’m very good, thank you.

Maple: So Matt, what is this thing called Snyk? What is this all about?

Jarvis: So Snyk are a developer-first security company producing security tools aimed at developers and aimed at solving some of the problems around cloud native security.

Maple: Awesome. And earlier this year you and I sat down and we created this cloud native AppSec survey, which is designed to really ask a number of questions to understand how people are dealing with security. And you’ll see through this session this will go through a number of the key takeaways from that report, pulling out some of the data that we got from those questions. So 30 questions that were written by the two of us. We launched it for around six to eight weeks in February to March of this year. We tried to share it as widely as possible with very independent communities, security communities, DevSecOps communities, DevOps communities, many user groups, our partners who shared it with us as well, very much on social, Twitter, LinkedIn, those kind of things, our own mailing list as well as DevSecCon, one of the premiere DevSecOps conferences and user groups as well.

So we shared it very, very widely and we analyzed the data that we got back in March and April 2021. We launched the report just a few days ago, at the time of recording, May 4th. May the 4th be with you, 2021. And just to give you a little bit of understanding about the responses, we had around 600 total survey responses, and the split is largely across the larger companies, larger enterprise companies, although there was a good broad split across all company sizes. Roles again very broad, about a quarter developers, just under a fifth security and around 12 percent DevOps.

And geographically, yes, there was a fair amount with around a third in the US, but also lots of other places in Europe, the UK, and in APJ with India and other places as well. So there’s a really nice broad split of responses that we got. So Matt, why don’t you kick it off and jump into the first piece of the report?

Jarvis: Yeah, absolutely. So I guess the obvious place to start is looking at how companies are adopting cloud native, and we asked a number of questions here about what kinds of technologies people were using and what the split was in their production applications, because what we’re really interested in this report is things that are in production, so not particularly a dev environment. Things that are actually doing real world work. And I think there’s some pretty great statistics here in terms of adoption of cloud native.

We still see this very big dominance for containerized applications, just under 60 percent overall throughout the survey. And what was also interesting to see is quite a significant proportion of production applications were using serverless technology, so that’s things like Lambda from AWS. And we’ve definitely seen over the last few years a move towards those kind of serverless type applications where you’re consuming compute in a kind of different way without managing any of that stuff yourself, and I think we’ll see over the next few years of running this survey further growth in that area of serverless. I think for me, having been involved in the cloud native space across the last five to ten years, clearly this is pretty big market penetration here.

I think when we looked at the statistics across different company sizes, they were broadly similar as well, which I think is somewhat different to how technology penetration cycles have happened in the past where we might have expected, for example, larger enterprises to be a much slower moving longer tail. And yet we’re really seeing in the cloud native space adoption happening at a relatively fast pace even within larger enterprises. What did you find interesting in this data, Simon?

Maple: Yeah, I agree with your point there and I think that actually shows a good side of maturity in terms of how mature it is at the enterprises that are so far in there. I was really pleasantly surprised with this to see, because it’s always when you see surveys that are asking the question of do you use serverless, do you use containers, it’s hard to actually gauge to the depths of which people are adopting those technologies. So to see that 60 percent of production environments are using containers, I think that is not just showing that people are trying the technologies but really, truly adopting them across all of their environments. And of course, when you think about the number of legacy systems that people tend not to want to touch, it goes to show how much more this could actually be even more significant than that given that there’s a proportion of production that people tend not to want to touch, and yet almost 60 percent is in containers.

Serverless as well. I’m looking forward to see how that trend is going forward as well with future versions of this to see how that grows as well. But yeah, very, very interesting stats.

Jarvis: I think we’re seeing the difference between – when we had that move into virtualization, what we saw was a lot of lift and shift of legacy-type environments. I think what we’re seeing now in this big digital transformations is really greenfield things. People are saying let’s put a line under that and deploy new things because we know the demands on a computing infrastructure are going to be very different. These legacy applications, legacy environments aren’t going to be able to service into the future, and I think that’s what’s being reflected here really is that even in large enterprises people are really embracing this digital transformation and creating new applications, new kinds of services from scratch, and that’s when you really get to be able to leverage these new technologies. Clearly, infrastructure-as-code here has got a big penetration as well if you just stay on that slide for one second, and this really encompasses a control of cloud platforms would be one of the primary use cases here.

For example, at automation you might be building around AWS or around Google or Azure, but also the growth in platforms like Kubernetes. So this is kind of all part of the same thing there.

Maple: And this growth and adoption, actually we’ll come back to that a little bit later on when we talk about where some of the concerns and incidents can exist. This is quite telling as well. This was an interesting one for me as well.

Jarvis: Yeah, indeed. I think we see that it’s not surprising really that security isn’t the number one driver for why people would move applications into containers, and the kind of deployment velocity, the time it can take you to get new applications into production is clearly the key thing here along with the management of new styles of container platforms like Kubernetes. I think the 36 percent is a big number. I can remember a few years back where we would see surveys like this where security wouldn’t even be a consideration in terms of people making decisions about particular technology choices, but it’s nice to see that that’s a fairly big figure there.

Maple: Yeah. I think it’s surprising that it’s not one of the key drivers.

Jarvis: No.

Maple: It’s not necessarily a reason you would lift and shift your application technology stack across, but it’s not to say of course that it’s not important, right?

Jarvis: Yeah. This was again – it’s a great number, right? 99 percent of people considered it very important or somewhat important to the cloud native strategy. And again, when we look at historical surveys around the technology space over the last few years I think you would quite often see 30, 40 percent of people wouldn’t consider security particularly important in terms of technology strategy. So I think people are clearly aware of the importance of security in cloud native and in these digital transformations as more and more companies effectively become software companies, which is really what this whole move is about.

It’s about every company becoming a software company in order to survive in this new world. And if you become a software company you have to care about software security. It just goes with the territory.

Maple: So let’s jump into this in more depth then and go into the incidents and concerns, so the security issues that people are most worried about, the incidents that people most often have, and from the incidents we can see where their concerns are well placed. For people who have moved into a cloud native space or moving into this new environment style, organizations, we asked whether their concern has increased or decreased as a result of moving into cloud native, and it’s interesting that four times the number of people chose that their security posture has been more concerning or that has increased since moving. So I think there’s a number of reasons for this and it’s not necessarily the technology. There’s a whole ton of big changes that need to happen in the background, including education and different roles and responsibilities people have.

But this is an interesting one, and if we go one step further and have a look at where are people are concerned about what we’ve done is here we’ve split between high adopters and low adopters. So high adopters are the upper quartile of people who are the biggest users based on the previous percentage of usage and production that Matt was talking about, and the lower adoptions are the lower quartile. So Matt, you can see here actually that there’s not a huge difference between high adopters and low adopters in the majority of the areas of concern here. The biggest areas of concern, misconfiguration is one of the big ones in terms of the potential link with the IAC as we were talking about previously.

So I guess two questions based on that. Are you surprised there’s no big difference really between high adopters and low adopters? And let’s talk about misconfiguration deeper. Why do you think that’s such a big concern?

Jarvis: I don’t think it’s a particularly big surprise that there is a massive difference between folks who are just starting out on that journey and folks who are further along it. Moving to a sort of cloud native model involves pretty significant changes. We’re not just talking about technology as you pointed out. We’re talking about big process changes as well, high levels of automation being the end goal, and lots and lots of systems being integrated together to deliver software faster.

And so I think no matter where you are on that journey you’re going to be concerned about things around the same kinds of things. Clearly more levers to pull the more systems we have and the more that we treat our infrastructure as code the more opportunities there are for things to go wrong. And these platforms and systems are by their very nature quite complex, so it’s unsurprising really that folks are concerned about the potential misconfiguration, and I think we see it in the real world. Almost all big exploits over the last couple of years have been combinations of application of vulnerabilities with misconfigurations in the infrastructure allowing that blast radius to expand and to become something much more serious than it potentially was to start with.

I think for me the interesting thing here is the differences in these stacks around secret leaks and data leaks by insiders. I think that when people do start to get kind of mature in their model around cloud native software there’s a growing realization that there are lots of places where there is the potential for secrets or credentials to leak and that can be a really big tipping point. You’re talking about lots of things integrating together. You’re going to have tokens, you’re going to have service accounts, these kind of machine-to-machine communication. And so kind of guarding all those secrets and certificates and all the rest of it becomes a much bigger area of concern for you.

Maple: Yeah, very interesting. And here we can see 57 percent is the highest figure, which is misconfigurations. And it’s interesting that misconfigurations is the low adopters, 5 percent higher than those who are high adopters, and I think to some extent that’s also if you’re only testing the water a little bit you’re not going to be as apt, as proficient as understanding all the rules you need to follow for writing these configurations and things like that, whereas the high adopters are likely to be more proficient, wider across the development org.

Jarvis: Staff have a better understanding of the distance. Like I say, there’s lots of levers that you can pull. You look at AWS or Kubernetes, there’s so many different places where you can – because they’re intended to be highly flexible and highly general purpose. So by the nature of the platform that means they’re highly configurable. And this is where people start to have concerns.

Maple: Yeah. So let’s compare this and contrast this to where people are actually having incidents. And knowing unpatched vulnerabilities was also fairly high, one of the highest in the previous concerns as well, and we can see here misconfigurations known on patch vulnerabilities are the two top areas of incidents that people are having. In fact, if we combine those together, not just cumulate but across all of our respondents and do it all across those too, it’s actually 56 percent of the respondents had either a misconfiguration or a known unpatched vulnerability.

And I think if you were to look at also the number of people who prefer not to answer, if you take that almost 20 percent out, you’re looking at 56 percent of the 80ish, which is kind of closer to 70 percent of people having one of those two incident types actually in their production environment. So I guess comparing and contrasting this to the concerns, a lot of their concerns, particularly in these two are very well placed because this is where people are actually having incidents. Quickly Matt, how do you feel like you see people’s – given the incidents that are existing here, and of course we’ve seen incidents in the news about S3 buckets, IAM roles being misconfigured – how do you see people reacting to this significant threat these days? How do you see the next year, two years panning out in terms of changes?

Jarvis: I think particularly in the field of infrastructure-as-code security we’re certainly seeing across the industry adoption of technologies which are going to allow you to scan that code before it goes into production to identify potential vulnerabilities. Snyk clearly does that. And if we go back a couple of years I don’t think people were even really taking that threat particularly seriously in terms of adopting security practices when you’re developing that kind of code. I think patch vulnerabilities is a similar space.

This goes back to the idea that most of our applications now, when we’re using open source software we might be developing in Java or in Go, and we pull in a lot of the party packages in order to build those applications. And so we’ve got a pretty wide attack surface in terms of things that could potentially be vulnerable. And so I definitely think there’s a move towards people taking the security threats more seriously, and that goes along with the adoption curve really. The more we put our platforms out there on the internet, the more we consider ourselves to be digital businesses, then the more we start to think about what the threats are. And the threats are getting more sophisticated, right?

There’s clearly things that we’ve known about for a long time, but there’s lots and lots of emerging threats happening all the time, and I definitely think that’s moving the industry more generally towards taking security seriously.

Maple: Absolutely. So we have about six minutes left, Matt, so why don’t we cover our last two topics? So the first one is let’s jump into automation, which had a very strong correlation with cloud native adoption, as we can kind of see here. So take us through some of the automation stats.

Jarvis: Yeah, so this is a really interesting section for me, is that cloud native isn’t really just about whether I’m using containers or whether I’m using Kubernetes. It’s about the process by which we deliver software very quickly, and automation is one of the key things of that. And we see this very strong correlation between high levels of adoption and cloud native technologies in terms of production environments and containers, and that correlates very closely with folks who are doing more and more continuous integration, continuous delivery of their applications. I think the things that follow on from that is that we found a very strong correlation between high levels of deployment automation and high levels of security testing.

When you build automation into your software development lifecycle it just gives you the ability to add other things into that automation. You could begin to be able to treat it like an API where it’s much easier to plug things in. We can see in this graph that we actually get across the board high levels of security testing throughout the software development lifecycle when folks are entirely automated, which is one of the interesting things even at the local development point which clearly is a manual task at that point. But I think that shows that those organizations are thinking about these things more and they have that kind of security hygiene built into their workflows.

Maple: Yeah, and you can see the all stat here as well, which includes people who are partially automated. So it really is good to see how people who are partially automated, how much value they also get from that even though they’re not entirely. And of course the next slide is about how often people test. Significant thing to hear right now.

Jarvis: Yeah. Absolutely. This is really great data here, because what this is showing is that there’s a correlation between deployment, automation enabling, automated security testing and automated security testing enabling you to test much more quickly. When we look at those stats of how often people are able to do security testing when they have these high levels of automation 70 percent are able to test their security daily or more frequently. And I think what we see there in the breakdown of that is actually a large percentage of that 70 percent would actually be testing on every commit, on every change, and that’s really where you start to get up to very effective levels of security in cloud native process.

Maple: And of course this isn’t the end game, right? Testing is great, it gives you amazing visibility, but unless you do something about it it’s not actually affecting your security footprint. So this is what I see as one of the core.

Jarvis: Yeah, this is the killer stat that proves the point really, isn’t it? 73 percent are have an average time to fix vulnerabilities in less than a week, and of those 36 percent also having an average time to fix of less than a day. So clearly testing faster means fixing faster, right? And so it proves the point both of security testing being an effective way of making sure that you start to fix those things, but also that building these kinds of cloud native automation have a direct impact, if done properly, on your security posture. I mean for me the other interesting statistic here is for the folks at the other end of the spectrum who have low or no levels of automation, that nearly 30 percent of them didn’t even know how long it took them to fix vulnerabilities, which is a kind of worrying statistic if that was my organization, right?

Maple: That lack of visibility really in understanding where –

Jarvis: Exactly. Yeah.

Maple: Yeah. Absolutely. So let’s jump forward in the last couple of minutes about ownership. Who owns this? And the questions that we asked were very pointed towards primary owners, and this gives us – of course there isn’t someone who is wholly responsible and no one else is responsible. There’s a shared responsibility to some extent, but this gives us a really good indication of where people’s heads are at in terms of the majority of that ownership. Now here we’ve split it up into developer responses and security responses.

So purple here is developer, orange is security responses. And the key thing is here developers largely think the development organizations are responsible, security, the same with security responses. So you can see 37 percent of developers think they are responsible; conversely, 10 percent of security people think developers are responsible. So those two stats are really core in point. And finally here, this is another important stat, back to that concern question.

If we split based on the role we can see that developers are [laughs] a tiny bit more – have an increased concern, but really what we’re saying here is developers care, developers are concerned about security in the organization just as much as security folks. This really does show that care and that trust that can be spread between developers and security folks.

Jarvis: Absolutely.

Maple: So that brings us pretty much to the end of this session bang on time, Matt. So thanks everyone for listen. Thanks, Matt, for the session as well.

Jarvis: Thank you.

Maple: And for those of you who want to go into more depth on that, you can download the report on the site at the URL below. Thanks everyone for listening, and enjoy the rest of the conference.

Alan Shimel

As Editor-in-chief of and Container Journal, Alan Shimel is attuned to the world of technology. Alan has founded and helped several technology ventures, including StillSecure, where he guided the company in bringing innovative and effective networking and security solutions to the marketplace. Shimel is an often-cited personality in the security and technology community and is a sought-after speaker at industry and government conferences and events. In addition to his writing on and Network World, his commentary about the state of technology is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" ( Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.

Alan Shimel has 55 posts and counting. See all posts by Alan Shimel