DevSecOps and the Cloud: How Leaning on Your Cloud Provider Can Help You Shift Left

Over the past several years, an increasing number of organizations have been moving their applications from on-premises to cloud-hosted platforms. And with the current pandemic forcing most businesses to adopt a fully remote work environment, the cloud is even more appealing. Gartner reported that cloud spend rose by double digits in 2020, and it’s expected to continue to grow by 18.4 percent in 2021. But as organizations move their applications to the cloud, are they managing security and compliance risk?
In a recent Veracode-sponsored survey, SANS Institute examined a subset of organizations to get a better understanding of DevSecOps in the cloud. The organizations, spanning government, banking and finance, technology, and cybersecurity, were asked a series of questions, including how successful they’ve been at shifting security into development.
The survey found that most organizations are implementing DevOps in the cloud, but not enough have made the transition to DevSecOps. In fact, only 40 percent of the assessed organizations reported that they have fully adopted a DevSecOps methodology.
But to keep up with the current speed of deployments, organizations need efficient processes in place. The survey shows that around 74 percent of organizations are deploying software changes more than once per month. This represents an increase in velocity of nearly 14 percent over the past four years.

If security assessments aren’t conducted early in the software delivery lifecycle (SDLC), they have to be conducted right before production, if at all. When flaws are detected that late, making changes can be time-consuming and costly. When flaws are detected early in the development phase, fixing them is faster and more cost-efficient.
Why are organizations struggling to adopt DevSecOps?
Over 60 percent cited organizational problems as their barrier to shifting security left. The top challenges listed include lack of resources, lack of buy-in, bureaucracy, and poor communication between the security and development teams.

The beauty of moving to the cloud is that organizations can take advantage of the cloud provider’s scale, resources, and agility to compensate for internal weaknesses or gaps. This gives security and development resources time to focus on other priorities, like secure code training or getting executive buy-in for maturing their AppSec program.
By leaning on the cloud provider, organizations should have an easier time shifting left. But remember, shifting left shouldn’t be all on the developers. The whole organization needs to support the effort in order for it to be successful. As respondents indicated, the more buy-in your organization has for DevSecOps, the better the chances of it being a long-term success.

For additional insights regarding DevSecOps in the cloud, check out the SANS survey report, Extending DevSecOps Security Controls into the Cloud.