ESG reveals developer security priorities in new study

As more organizations move to a cloud-native model, developer security has never been more relevant. According to ESG Research: Walking the Line: GitOps and Shift Left Security sponsored by Lacework, 100% of organizations will make at least a moderate investment in security tools that integrate into cloud-native software development processes — with 69% expecting to make significant investments. We partnered with ESG on a new study to understand the top developer security challenges and priorities for 350 cybersecurity, IT, and application development professionals.


Let’s dig into some of the top themes uncovered in the report.

Organizations want to shift more security responsibilities to developers

Are vendors exaggerating the silos between security and development teams? Quite possibly. 

Survey says: Despite differences in organizational dynamics, 68% of respondents agreed that shifting some security responsibilities to developers is a high priority, as is the adoption of developer-focused security solutions. According to the survey, 83% of organizations expressed confidence that their developers would be either mostly or completely comfortable with taking on security responsibilities, such as security testing or code remediation. 

So when do developers not feel comfortable? Understandably, organizations felt that the top impediment to developers managing security responsibilities is the potential for security tasks to disrupt the development process. The second most cited reason by respondents is a developer belief that the security team should do the security work.

There was, however, inconsistency in how companies divide security and development responsibilities. Forty-five percent of respondents indicated that development teams are primarily responsible for handling infrastructure as code (IaC) template misconfigurations and scanning production environments, while 41% indicated these tasks are handled by the security team. When it comes to scanning container images, 43% of respondents indicated developers are responsible for these tasks, while 44% indicated they are primarily handled by the security team.

Lacework says: 

Our leadership agrees on the need to put security capabilities in the hands of developers.

“Developers play an integral role in solving cloud security problems. With Soluble and the new developer-focused features of our platform, we’re helping our customers remove the friction between security and development teams. Fixing security issues earlier coupled with making cloud security insights more accessible across the organization allows developers to ship faster and safer.” 

– Jay Parikh, Co-CEO at Lacework.


Notably, customers are using the Lacework platform not only to shift left successfully, but ultimately to make security data more accessible to all. Take the case of Hypergiant, a customer that shares our mission of baking security into the development process.  

“One of the major outcomes that I didn’t anticipate, but am definitely thrilled to see, is how we’re able to democratize access to the security event data. And with Lacework to help educate developers, Hypergiant can easily integrate security into the development process, which is right in line with their company values. We’re trying to make security an integral part of our culture. Not only should security be everybody’s job, but everybody should feel comfortable doing it.” 

– Bren Briggs, Vice President of DevOps and Cybersecurity, Hypergiant

Faster CI/CD development cycles are a top challenge for security teams

The continuous integration/continuous delivery (CI/CD) process has brought undeniable efficiency gains to cloud-native application development. Yet these innovations have also created new stressors for organizations. Many security teams simply don’t have visibility into how many repositories their developers are using and which teams are using those repos. 

And this lack of visibility can lead to conflict — not to mention complications, given the explosion of development languages, IaC platforms, and frameworks that proliferate throughout different parts of the organization. It’s a lot to keep tabs on.

Survey says: Organizations reported that faster CI/CD development cycles have resulted in new challenges. The top three challenges cited were: the release of software without going through proper security checks or testing, a lack of visibility into and control over the development process for security teams, and a lack of consistent security processes across different development teams.

In addition, the usage of open source software invariably increases every year. Although critical to the speed of cloud-native application development, it also ushers in new waves of software supply chain attacks. Unsurprisingly, organizations are doubling down on protecting open source code in light of Log4j, SolarWinds, Kaseya, and other attacks. The survey found that 73% of organizations have significantly increased their efforts to secure open source software, container images, and third-party software components, with 100% of organizations making at least a slight increase in efforts.

Lacework says: 

Our security research team has been keeping a sharp eye on developments with software supply chain attacks, and believes the speed and scope of these attacks will only increase. 

According to Lacework Labs, 31% of confirmed malware infections used Log4j as the initial infection vector.

– Lacework Labs Cloud Threat Report, Volume 3, 2022

Lacework Labs shares the following recommendations to keep supply chain attacks at bay:

  • Implement controls on your CI/CD pipeline to keep from deploying known vulnerabilities to production.
  • While the exposure itself is essential to comprehend, find, and patch, it’s equally important to focus on improving your ability to detect post-exploitation activity, regardless of the initial access vector.
  • Consider using a software bill of materials (SBOM) to inventory and track software usage in your environment.
  • Plan ahead for the next RCE by picking a popular application or library in your environment and performing a tabletop simulation where a new zero-day is released.
  • Enable two-factor authentication for revision control software to prevent brute force attacks against user accounts.
  • Consider enforcing signed commits in revision control software.
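The first and third recommendations above (a CI/CD control that blocks known-vulnerable components, driven by an SBOM inventory) can be combined into one pipeline gate. The following is an added illustration written for this page, not Lacework Labs code or any product's implementation: it parses a small CycloneDX-style SBOM, matches each component's package URL against an advisory list of vulnerable version ranges, and fails the deployment if anything matches. The SBOM contents, the package names (`example-logging`, `example-lib`, `example-parser`) and the advisory identifiers are all constructed placeholders; a real gate would pull ranges from a feed such as OSV or the NVD rather than a hard-coded dictionary.

```python
"""Added example: SBOM-driven deployment gate for a CI/CD pipeline.

Not Lacework code. All package names, versions, and advisory ids below are
constructed placeholders for illustration only.
"""
import json
import re
import sys

# Constructed CycloneDX-style SBOM fragment (not from a real build).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-logging", "version": "2.14.1",
         "purl": "pkg:maven/example.org/example-logging@2.14.1"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "example-lib", "version": "1.2.0",
         "purl": "pkg:npm/example-lib@1.2.0"},
        {"type": "library", "name": "example-parser", "version": "3.1.0",
         "purl": "pkg:pypi/example-parser@3.1.0"},
        # A component with no purl cannot be matched and is reported separately.
        {"type": "library", "name": "vendored-blob", "version": "0.1"},
    ],
})

# Constructed advisory feed: purl without version -> list of
# (first_vulnerable, first_fixed, advisory_id). Half-open range: a version is
# vulnerable if first_vulnerable <= version < first_fixed. Ids are placeholders.
ADVISORIES = {
    "pkg:maven/example.org/example-logging": [("2.0", "2.17.1", "ADVISORY-PLACEHOLDER-1")],
    "pkg:npm/example-lib": [("1.0.0", "1.3.0", "ADVISORY-PLACEHOLDER-2")],
    "pkg:pypi/example-parser": [("3.0.0", "3.1.0", "ADVISORY-PLACEHOLDER-3")],
}


def parse_version(version):
    """Turn '2.17.1-rc1' into (2, 17, 1). Pre-release/build suffixes are dropped
    and the tuple is padded to three parts so '1.2' compares equal to '1.2.0'.
    This is a simplification; real ecosystems each have their own ordering rules."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version, first_vulnerable, first_fixed):
    """True when version falls inside [first_vulnerable, first_fixed)."""
    v = parse_version(version)
    return parse_version(first_vulnerable) <= v < parse_version(first_fixed)


def purl_base(purl):
    """Strip the '@version' suffix so the purl can be used as an advisory key."""
    return purl.split("@", 1)[0]


def find_vulnerable_components(sbom_json, advisories):
    """Return (findings, unmatched): findings are components inside a vulnerable
    range; unmatched are components that carry no purl and so could not be checked."""
    sbom = json.loads(sbom_json)
    findings, unmatched = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unmatched.append(comp.get("name", "<unnamed>"))
            continue
        for first_vuln, first_fixed, adv_id in advisories.get(purl_base(purl), []):
            if is_vulnerable(comp["version"], first_vuln, first_fixed):
                findings.append({"purl": purl, "advisory": adv_id, "fixed_in": first_fixed})
    return findings, unmatched


def deployment_gate(sbom_json, advisories, fail_on_unmatched=False):
    """Gate decision for the pipeline: (allowed, findings, unmatched).
    With fail_on_unmatched=True, components that cannot be inventoried also
    block the deploy (a fail-closed policy)."""
    findings, unmatched = find_vulnerable_components(sbom_json, advisories)
    allowed = not findings and not (fail_on_unmatched and unmatched)
    return allowed, findings, unmatched


if __name__ == "__main__":
    allowed, findings, unmatched = deployment_gate(SBOM_JSON, ADVISORIES)
    for f in findings:
        print(f"BLOCK {f['purl']}: {f['advisory']} (fixed in {f['fixed_in']})")
    for name in unmatched:
        print(f"WARN  {name}: no purl, not checked against advisories")
    # A non-zero exit status is what makes the CI/CD stage fail.
    sys.exit(0 if allowed else 1)
```

The non-zero exit code is the actual control: wire the script into the stage that precedes deployment so that a match stops the pipeline rather than merely logging. The `fail_on_unmatched` switch is where the policy decision lives; a component the SBOM cannot identify is exactly the kind of gap an attacker-planted dependency hides in, so stricter teams fail closed on it.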

Learn more about developer security priorities by checking out the full ESG Research Developer Security report here.