According to a report recently released by cloud security vendor Accurics, 96 percent of cloud security issues reported during production are not being addressed. This information comes from the May 2020 edition of the State of DevSecOps report, which was conducted using a combination of proprietary data from Accurics as well as
publicly available sources.
The vendor’s research determined that only four percent of cloud security issues discovered during production are ever addressed. Accurics called these results “not surprising” considering that cloud configurations needs to be traced back to a developer in order to fix the configuration. This requires redeployment of the cloud, which is often an expensive proposition — and apparently, not worth it for many organizations.
Accurics also found that cloud developers were shifting towards provisioning cloud infrastructure through code. The researchers discovered that 24 percent of cloud configuration changes are made via code, which Accurics called “significant adoption” given how recent infrastructure as code technologies have been developed.
In the report, Accurics Chief Technology Officer Piyush Sharrma stated: “Cloud infrastructure is becoming increasingly “immutable”: it is never modified after it is deployed. If something needs to be changed, new infrastructure has to be provisioned through code. While this approach enables agility and reliability, current security practices are becoming untenable for protecting transient cloud infrastructure. […] Cloud service providers continue to bolster capabilities that enable organizations to implement tighter controls, and many organizations have invested in one or more cloud security tools. The crux of the issues lies in the fact that as the cloud native stacks become more complex, point cloud security solutions become inadequate and gaps in coverage start to emerge.”
Download your copy of the State of DevSecOps report here.