Findings from our annual State of the Software Supply Chain Report, which looks at the use of open source software development, told us two main things:
- The breakneck pace of growth around open source software (OSS), to the tune of 1.5 trillion components downloaded in 2020, is only increasing.
- Those components are being attacked at record pace with a 430% year-over-year growth in next-generation attacks.
These trends, which we'll be expanding on even further in our 2021 report out this fall, also reminded us these phenomenon are affecting the entire software industry, not just open source. Particularly, enterprises are struggling to react to the greater scale and complexity as they move to the cloud. Whether from hybrid environments with both cloud and on-premise infrastructure, or 100% cloud-native development, the industry is finding growing risk goes hand in hand with increased innovation. Today, we take a closer look at the state of cloud security for ourselves and our customers.
Partnering with the research team at Fugue, a leading cloud security provider, we surveyed over 300 professionals including cloud engineers, security engineers, DevOps, and cloud architects. The result is our State of Cloud Security 2021 Report.
What’s happening in cloud security?
We know that misconfigurations are the #1 reason for cloud data breaches, but our survey uncovered just how prevalent these misconfigurations are:
- At least one serious cloud security leak or breach happened in the past year for 36% of respondents.
- More than eight in ten are worried that their organization is vulnerable to a cloud misconfiguration-related breach.
- Half of those surveyed are experiencing 50 or more misconfiguration events per day, and just 10% are remediating them faster than hackers using automation can find them.
We also know that, as Infrastructure as Code (IaC) tools like Terraform become more mainstream, cloud security teams need to address the entire software development lifecycle. Shifting left in this space means catching vulnerabilities in cloud development before they are deployed to production. Yet our survey found that one in five cloud engineers are not using any sort of scanning tools to check IaC pre-deployment. Among those that are, half of those say their teams are investing 50 or more engineering hours per week on IaC security, with cloud runtime security seeing a similar level of effort.
So what are some of the other common challenges to cloud adoption? What do cloud professionals say they need to better secure their environment? Most importantly, what can your team do to ensure your cloud architecture is safe and secure, along with the data and applications that are running on it?
Download your copy of the State of Cloud Security 2021 report (PDF format) to learn more.