Gartner Report
Discover why the world’s most innovative organizations are choosing Snyk, a Visionary in application security testing.
How cloud native adoption transforms the way organizations defend against security threats.
Success in the cloud native era is defined by an organization’s ability to deliver new versions of software faster and more efficiently, which is reinforced by our survey results. Being able to deploy code to production faster and more easily manage those applications were the primary reasons for moving towards containerized infrastructure. However, as companies embrace cloud native technologies as part of their digital transformation, security is seen as a key factor to building successful platforms. While only 36% of respondents stated that security was one of the main reasons for moving their production applications into containers,99% of respondents recognized security as an important element in their cloud native strategy. In addition, over 80% stated security is very important to them.
Very important
83%
Somewhat important
16%
Not important
1%
80%
70%
60%
50%
40%
30%
20%
10%
0%
0%
10%
20%
30%
40%
50%
60%
70%
80%
Deployment velocity
Ease of management
Reduce costs
Improved security
Attracting talent
Deployment velocity
Ease of management
Reduce costs
Improved security
Attracting talent
In total,over 78% of production workloads are deployed as containers or serverless applications. Containers continue to be the dominant mechanism for cloud native application deployment, withnearly 60% of production workloads deployed in containers. Penetration of serverless technologies is now significant across all company sizes, and makes up more than a fifth (mean average) of all production workloads. Usage of cloud native technologies is strong across all company sizes, indicating that adoption is becoming mainstream. Withover 50% of respondent’s workloads also being deployed with some form of Infrastructure as Code, use of software-driven infrastructure has increased alongside the container and serverless growth trends. Usage of these core technologies is one of the key indicators of cloud native transformation in general, and so we use these metrics throughout this report as indicative of the level of adoption within an organization.
All Sizes
Small
Medium
Enterprise
80%
70%
60%
50%
40%
30%
20%
10%
0%
0%
10%
20%
30%
40%
50%
60%
70%
80%
Containers
Serverless
IaC
Discover why the world’s most innovative organizations are choosing Snyk, a Visionary in application security testing.
Deployment automation is one of the key tenets of cloud native practices, enabling development velocity. Our survey showed thatover 95% of respondents were using some level of automation with almost a third having an entirely automated deployment pipeline. By comparing the upper and lower quartiles of cloud native production usage (high levels of adoption vs low levels of adoption), we can see thatorganizations that show high levels of cloud native adoption are over twice as likely to have an entirely automated deployment process than organizations with low cloud native adoption.
All
High CN
Low CN
Small
Medium
Enterprise
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
Not automated
Entirely automated
Partially automated
Download Snyk’s Infrastructure as Code Security Insights report for the trends on how companies are using and securing IaC today and common roadblocks to its widespread use.
In contrast to where organizations are most concerned, we also asked about previous incidents that occured in production. The top two incident types by a distance were misconfiguration and known unpatched vulnerabilities, at 45% and 38% respectively.Over 56% experienced a misconfiguration or known unpatched vulnerability incident involving their cloud native applications.
Data leaks by insiders were more than twice as likely to have occurred in organizations with high levels of cloud native adoption, reinforcing that adopting zero trust principles becomes increasingly important in fully automated cloud based environments.
60%
50%
40%
30%
20%
10%
0%
0%
10%
20%
30%
40%
50%
60%
Malware
Misconfiguration
Known unpatched vulnerabilities
Failed audit
Secret leaks
Data leaks by insider
Haven’t experienced any security incidents
Prefer not to answer
Malware
Misconfiguration
Known unpatched vulnerabilities
Failed audit
Secret leaks
Data leaks by insider
Haven’t experienced any security incidents
Prefer not to answer
Adoption of cloud native technologies will undoubtedly change the security posture of your overall application. While the core security principles remain constant, as with all emerging ecosystems the best practices are still being defined, driving fresh concern as teams navigate through unfamiliar landscapes. Our survey shows organizations are nearly 4x more likely to have increased rather than decreased concerns over their security posture since adopting cloud native.
Decreased
15%
Hasn’t changed
20%
Don’t know
7%
Increased
58%
Cloud native platforms utilizing automated tooling rely on credentials such as secrets and API tokens in order to operate, necessitating a more decentralized approach to managing such access. The need for effective management of these kinds of artifacts is a key differentiator from the more centralized pre-cloud era, and a major area of concern for operations teams transforming their infrastructure.Our survey showed that misconfigurations were the biggest area of increased concern, with over half of respondents stating it’s a bigger problem for them since moving to a cloud native platform. Despite secret leaks and data leaks not showing up highly in the actual incidents data, they feature strongly as areas of increased worry particularly among high adopters of cloud native technologies.
70%
60%
50%
40%
30%
20%
10%
0%
0%
10%
20%
30%
40%
50%
60%
70%
Malware
Known unpatched vulnerabilities
Data leaks by insider
Secret leaks
Insecure APIs
Misconfiguration
Ownership to handle/fix
Impact of security on deployment velocity
Ability to respond quickly to risks
Malware
Known unpatched vulnerabilities
Data leaks by insider
Secret leaks
Insecure APIs
Misconfiguration
Ownership to handle/fix
Impact of security on deployment velocity
Ability to respond quickly to risks
While building fully automated deployment pipelines can be challenging, once automation and processes are in place, they create a virtuous cycle providing multiple integration points to enable further automation. This is a key enabler for security testing.Companies with high levels of deployment automation were more than twice as likely to have adopted security testing at all points throughout the software development lifecycle, when compared to organizations with no automation. While companies of all sizes showed a clear preference to test in CI and earlier, enterprises were more likely to also be testing during later deployment and production stages. Despite testing in local development environments, such as an IDE, being a developer driven task, more automated organizations were nearly twice as likely to see their development teams adopt security early on in their workflows.
All
Not Automated
Automated
Small
Medium
Enterprise
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
Local IDE’s and CLI tools
Source code repositories
CI system
Deployment time
Production
Once the use of security tooling is integrated throughout the software development lifecycle, this dramatically expands the possibilities for more regular security testing.Nearly 70% of respondents with high levels of deployment automation were able to test their security daily or more frequently. This was 17x more than respondents who had no deployment automation, and60% of those only tested their security monthly or less frequently. This was 3x more than respondents who had full deployment automation.
All
Not Automated
Automated
Small
Medium
Enterprise
80%
70%
60%
50%
40%
30%
20%
10%
0%
0%
10%
20%
30%
40%
50%
60%
70%
80%
Continuously or daily
Weekly
Monthly or less frequently
Testing faster leads to fixing faster.Over 72% of respondents with high levels of automation had an average time to fix vulnerabilities of less than one week, with 36% having an average of one day or less. Those with full automation were over 4x more likely to fix security issues in a day and over twice as likely to fix within a week. Automated testing is also a key enabler of visibility, as you can’t fix what you can’t see. This was reinforced by the 28% of organizations with low levels of automation who responded that they didn’t know how long it takes them to fix issues.
All
Not Automated
Automated
Small
Medium
Enterprise
50%
40%
30%
20%
10%
0%
0%
10%
20%
30%
40%
50%
1 day or less
1 week
2 weeks
1 month
Longer than 1 month
Don’t know
Adopting a broad and deep approach to security practices throughout the software development life cycle is key to a successful Cloud Native Application Security program. Our survey shows that companies with higher levels of cloud native automation have a greater adoption of security testing techniques. They tend to focus more on Static Application Security Testing (SAST), scanning for vulnerabilities in application dependencies with Software Composition Analysis (SCA), container image testing, and scanning infrastructure as code which are all techniques which fit well into the paradigm of automation. Organizations with fully automated deployment pipelines are twice as likely to adopt SAST and SCA tooling into their SDLC, and almost 3x as likely to add Dynamic Application Security Testing (DAST), although in general, dynamic testing isn’t as well adopted when compared with static testing. Policy compliance testing is still an emerging field, with only 23% of respondents having adopted it.
Yes
23%
No
77%
Watch this on-demand webinar to learn tips for implementing security automation into modern development environments.
Larger companies and enterprises are, of course, more likely to have the resources to run dedicated security teams so it shouldn’t come as a surprise to see enterprises having the support to adopt formal Cloud Native Application Security practices. While in smaller organizations the security function may be wholly owned by another team, such as the engineering teams, our survey shows that they are still able to keep up, particularly in the static testing space with over half of small organizations adopting SAST, SCA and container image scanning.
Not automated
Entirely automated
Small
Medium
Enterprise
80%
70%
60%
50%
40%
30%
20%
10%
0%
0%
10%
20%
30%
40%
50%
60%
70%
80%
Static code analysis (SAST)
Code scanning for package dependency vulnerabilities (SCA)
Dynamic Application Security Testing (DAST)
Interactive Application Security Testing (IAST)
Scanning infrastructure as code (Terraform, Kubernetes)
Container image scanning
Policy compliance tools (Open Policy Agent/Gatekeeper)
The move towards the concept of DevSecOps has accelerated in conjunction with adoption of cloud native technologies, as security shifts left in the software development lifecycle. Developers now have a pivotal role in ensuring that cloud native applications and infrastructure are secure since they increasingly contribute to the application, the infrastructure code, and workload deployment technologies. With this in mind, perception of security ownership provided interesting results in our survey set. While less than 10% of respondents in security roles believed developers were responsible for the security of their cloud native environment and applications, over 36% of developers stated that they were responsible.
Traditionally, in a more siloed organization, the ownership of security would have sat firmly with the security team. Respondents in security roles are almost 3x more likely to attribute security ownership to the IT security team than respondents in development teams are. These indicators suggest that this ownership is being accepted by the development teams faster than the security teams are willing to let go of it. Security teams are still adjusting to the shifting responsibilities which transitioning to cloud native brings, and development teams are increasingly aware of their growing role in Cloud Native Application Security.
DevOps/DevSecOps
31%
Application security team
14%
No-one
3%
Developers
13%
IT security team
37%
DevOps/DevSecOps
33%
Application security team
23%
No-one
2%
Developers
10%
IT security team
31%
The increased awareness of security in development teams was also reinforced by the survey results around security exposure concerns. Both developers and security professionals alike shared that switching to cloud native technologies had increased their security concerns. Developers were just as likely to be invested in good security outcomes as the security team — good news for the adoption of DevSecOps principles which relies on shared security goals across the organization.
Increased
61%
Decreased
13%
Hasn’t Changed
18%
Increased
58%
Decreased
13%
Hasn’t Changed
21%
Learn how Twilio’s Head of Product Security scaled through dev-first security and devsecops in a cloud native environment.
Snyk is a developer-first platform for building software securely. Learn more about how Snyk can help you secure cloud native applications across your IDEs, repos, containers, and pipelines.
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.
Product
Resources
Company