The State of Application Security in Cloud Modernization
Cloud migration and modernization continues to be on the rise. Organizations are turning to the cloud with the primary goal of making their technology and application operations more efficient and to increase performance. But based on the results of the survey powering this report, there’s still a gap between their anticipated cloud outcomes and reality. The lack of DevSecOps practices is one of the major barriers.
Tl;dr - DevSecOps, or the lack thereof, can make or break cloud modernization success
Nearly 60% of organizations say they have yet to fully realize their cloud expectations, and yet cloud migration and modernization plans continue apace. Indicators point to a lack of evolution in security approach and DevSecOps as key components that are slowing organizations down. Most organizations still rely on post-deployment detection and response security tools instead of pre-deployment developer security and automated security in their pipelines. Perhaps that’s because only 41% of organizations have implemented DevOps practices or the tools that go along with them, such as automated CI/CD; the absence of those practices ultimately slows organizations down, a side effect made exponential by the complexity and pace of the cloud. Not to mention, legacy tooling leaves organizations open to misconfiguration exploits at a 2x rate.
Part One
Cloud modernization is still growing in 2023
Most orgs are planning continued cloud migration
In the face of economic uncertainty, plans for migration and modernization to the cloud continue to expand. We’ve seen steady cloud growth over the past few years as businesses work towards better scalability, agility, and operational efficiency. This trajectory will continue in 2023, with over half of organizations planning to migrate most of their apps to the cloud. To reach their full potential, these cloud migration efforts must include updates to people, processes, and tools, specifically the adoption of DevSecOps practices and the tools to support them. For applications in the cloud today, these practices need to encompass the entirety of the application: code, configuration, pipelines, and cloud infrastructure to unlock new levels of speed and innovation.
Nearly 60% of organizations plan to migrate at least half of their apps to the cloud
The majority of today’s orgs see the cloud as a worthwhile investment in 2023. It’s significantly more cost-effective to use cloud services than to pay for the hardware and service costs of on-prem infrastructure, especially for applications that need to scale up and down or where specialized infrastructure or application and data services are required. Beyond cost savings, the benefits of cloud are well understood at this point: resiliency, flexible capacity, and a wealth of ready-to-use cloud and application services. And so the rate of migration to the cloud continues to grow.
Volume of applications that organizations plan to migrate to the cloud [chart; categories: > 75%, 50% - 75%, 25% - 50%, < 25%, Not Sure; axis 0% to 40%]
Most orgs plan to re-factor or re-platform at least 25% of their apps in 2023
Businesses plan re-factoring or re-platforming efforts to improve the design and implementation of their applications without changing functionality. These initiatives go hand-in-hand with other cloud migration and modernization efforts.
Percentage of applications targeted for replatforming or refactoring [chart; categories: Significant refactoring plans (>25% of applications), Little to no refactoring plans; axis 0% to 80%]
Migrating apps to the cloud creates opportunities to modernize
87% of respondents reported plans to stand up new virtual machines, 38% plan to use containers, and 31% plan to use Infrastructure as Code (IaC) in 2023. Additionally, 24% of businesses will start using a serverless development model — relying on services like AWS Lambda, Microsoft Azure Functions, or Google Cloud Functions to manage their servers.
Infrastructure modernization rates this year [chart; categories: Virtual machines, Containers, Infrastructure as Code, Serverless; axis 0% to 100%]
Part Two
DevSecOps can make or break cloud migration success
Security & automation are essential to cloud realization
Why do some cloud modernization initiatives work and others don’t? Our research uncovered that the presence or lack of DevSecOps practices is often the difference between cloud migration success or failure. Organizations that move to the cloud but don’t evolve methodologies like shift left security and automation can’t fully realize their cloud expectations. This is why prioritizing a modern approach to DevSecOps — practices like security testing at every stage and automation — pays off.
59% of organizations have not realized their cloud expectations
We found that operational efficiency is the #1 business case for moving to the cloud. But most orgs aren’t achieving this goal. It’s often because organizations jump into cloud modernization without evolving their approach to security. Failing to implement DevSecOps strategies, tools, and workflows impedes cloud success in the long run.
Cloud migration goal achievement [chart; categories: Fully realized expectations, Expectations not met; axis 0% to 60%]
64% of respondents have low DevOps automation in the cloud
A manual approach might have worked in the days of on-prem infrastructure. But the cloud brings new opportunities to deploy faster, along with more complexity. To achieve operational efficiency goals and remain safe, automation is the key. Deployments that are repeatable, auditable, and able to scale up and down quickly require a different way of thinking from the one used for traditional data centers. IaC continues to grow in usage to meet this need: GitHub reported that HCL (the Terraform language) is the fastest-growing language in their ecosystem.
DevSecOps automation in the cloud
Low Automation: 64%
Somewhat Automated: 31%
High Automation: 5%
Many orgs still rely on legacy tools that can’t enable DevSecOps
In addition to relying on manual approaches, many orgs also use legacy tools originally designed for traditional, on-prem environments. These tools can’t work alongside the complexities of the cloud (think containers, K8s, and IaC). More specifically, legacy security tooling becomes a bottleneck to agile development processes, ultimately hindering cloud modernization.
Security tools most reliant on [chart; categories: EDR / XDR, CNAPP, SAST, IaC, DAST, IAST, SCA; axis 0% to 40%]
Part Three
DevSecOps is still just a pipe(line) dream for some
Cloud migration is outpacing DevSecOps realization.
Overall, DevSecOps adoption is not keeping up with cloud migration and app modernization. This discrepancy slows down progress and leaves organizations exposed to security risks in the cloud. And it’s preventing teams from meeting their cloud expectations, as a DevSecOps approach is crucial to success after migration.
Only 41% of cloud organizations have adopted CI/CD tools or DevOps practices
Without proper DevSecOps practices, businesses cannot work in a fast-paced cloud environment. A lack of proper automation and shift left security causes bottlenecks and security risks that can hamper DevOps adoption. These issues only get worse once an org introduces the complexity and speed of the cloud.
Percentage of deployments adopting DevOps practices or CI/CD tooling
> 75%: 19%
50% - 75%: 22%
25% - 50%: 13%
< 25%: 11%
Not sure: 24%
35% or less of organizations run security testing before deployment
One of these missing DevSecOps practices is continuous security testing. Testing too late in the SDLC ultimately negates cloud modernization initiatives. If developers and cloud/platform teams can only detect cloud issues one step before deployment, they have to backtrack in order to fix them.
Security testing stage
Production: 37%
Deployment: 48%
Local development (IDEs, CLI tools, etc.): 35%
CI systems: 24%
Source code repositories: 31%
Less than half of developers are responsible for their own security testing
Shared responsibility is one of the foundational principles of DevSecOps. Organizations must foster a unified, collaborative approach to building and securing software to succeed in their cloud migration efforts. To do so, security testing needs to shift left into developer workflows. This shift eliminates rework, leading to increased speed and efficiency.
Developers’ responsibility for security testing
Test proactively as a part of the build process: 47%
Wait for a ticket from security: 34%
Not responsible for security testing: 19%
Part Four
Cloud migrations can create risk
The cloud makes infrastructure easier, not security
When an org migrates to the cloud, the number of tools, users, and processes grows exponentially. So it needs a different approach to security than the one it once took to secure traditional data center infrastructure. Organizations that haven’t modernized their security toolset are more exposed to risk in both pipelines and production.
Nearly a third of respondents saw increased risk since migrating to the cloud
Migration to the cloud means no traditional perimeter and a far larger attack surface. It also means that security teams can't keep up without automation or collaboration from other departments. Our respondents saw this rise in risk, as about 30% of organizations reported more risk in the cloud. By comparison, only 8% saw a decrease in risk.
Concern of threats since migrating to the cloud [chart; categories: Decreased, About the same, Increased; axis 0% to 80%]
Most security issues in the cloud take more than 24 hours to find
Because security testing happens so late in the SDLC for many orgs, cloud vulnerabilities can take a while to remediate. In the meantime, teams scramble to fix the problem (or ignore it altogether). And during this time, the org is at a much higher risk of exploitation.
Ability to spot security issues in cloud environments [chart; categories: Within a few hours, Within 24 hours, Within a week, Within a month or more, No fix workflows; axis 0% to 40%]
Organizations using legacy tooling are 2x more likely to experience misconfiguration exploits
Cloud misconfigurations always happen because of human error. Examples include accidentally exposed cloud storage, dangling DNS entries, and identification and authentication failures. When left unresolved, these misconfigurations open the organization to risks like a data breach, subdomain takeover, or lateral movement.
Type of tooling organizations are using
Legacy Tooling: 31%
Modern Tooling: 10%
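As an added illustration, not part of the report and not Snyk’s or any vendor’s tooling, of the pre-deployment, automated checks the report contrasts with post-deployment detection: a small Python gate that runs over a constructed inventory (standing in for a parsed IaC plan or asset export) and flags the three misconfiguration classes named above. The inventory’s field names, the ACL labels, and every sample resource are assumptions made up for this example.

```python
"""Pre-deployment misconfiguration gate over a declarative inventory.

Constructed example: the inventory below stands in for a parsed IaC plan
or a cloud asset export. Its field names (storage_buckets, dns_records,
principals, ...) are assumptions for this illustration, not any real
provider's or tool's schema.
"""
from dataclasses import dataclass

# ACL values treated as "anyone can read"; assumed labels, not a provider's list.
PUBLIC_ACLS = {"public-read", "public-read-write", "allUsers"}


@dataclass(frozen=True)
class Finding:
    rule: str       # short rule id, e.g. "public-storage"
    resource: str   # name of the offending resource
    detail: str     # human-readable reason, for the pipeline log


def check_public_storage(inventory):
    """Exposed cloud storage: a bucket with a public ACL, or with its
    public-access block switched off, is reported."""
    out = []
    for bucket in inventory.get("storage_buckets", []):
        if bucket.get("acl") in PUBLIC_ACLS:
            out.append(Finding("public-storage", bucket["name"],
                               f"acl={bucket['acl']} grants anonymous access"))
        elif bucket.get("block_public_access") is False:
            out.append(Finding("public-storage", bucket["name"],
                               "public access block is disabled"))
    return out


def check_dangling_dns(inventory):
    """Dangling DNS: a CNAME or A record whose target is not in the
    organization's own inventory of hosts or addresses is the precondition
    for a subdomain takeover, so it is reported before deployment."""
    owned_names = {h["hostname"] for h in inventory.get("hosts", [])}
    owned_addrs = {h["address"] for h in inventory.get("hosts", [])}
    out = []
    for rec in inventory.get("dns_records", []):
        target = rec["target"]
        dangling = ((rec["type"] == "CNAME" and target not in owned_names) or
                    (rec["type"] == "A" and target not in owned_addrs))
        if dangling:
            out.append(Finding("dangling-dns", rec["name"],
                               f"{rec['type']} points at unowned target {target}"))
    return out


def check_identity(inventory):
    """Identification and authentication failures: human users without
    MFA, and principals that let unauthenticated callers act."""
    out = []
    for p in inventory.get("principals", []):
        if p.get("kind") == "user" and not p.get("mfa_enabled", False):
            out.append(Finding("no-mfa", p["name"], "console user without MFA"))
        if p.get("kind") == "anonymous":
            out.append(Finding("anonymous-principal", p["name"],
                               "policy grants access to unauthenticated callers"))
    return out


def run_checks(inventory):
    """All checks in a stable order, so the gate's output is diffable between runs."""
    findings = []
    for check in (check_public_storage, check_dangling_dns, check_identity):
        findings.extend(check(inventory))
    return findings


def gate_passes(inventory):
    """True when the plan may proceed to deployment; False blocks the stage."""
    return not run_checks(inventory)


# Constructed sample inventory: two buckets, one owned host, three DNS records,
# three principals. One item in each class is deliberately misconfigured.
SAMPLE_INVENTORY = {
    "storage_buckets": [
        {"name": "app-assets", "acl": "public-read", "block_public_access": True},
        {"name": "customer-exports", "acl": "private", "block_public_access": True},
    ],
    "hosts": [
        {"hostname": "web-01.internal.example", "address": "10.0.1.10"},
    ],
    "dns_records": [
        {"name": "www.example.test", "type": "CNAME", "target": "web-01.internal.example"},
        {"name": "old-demo.example.test", "type": "CNAME", "target": "retired-app.cloudhost.example"},
        {"name": "api.example.test", "type": "A", "target": "10.0.1.10"},
    ],
    "principals": [
        {"name": "alice", "kind": "user", "mfa_enabled": True},
        {"name": "bob", "kind": "user", "mfa_enabled": False},
        {"name": "public-readers", "kind": "anonymous"},
    ],
}

if __name__ == "__main__":
    for f in run_checks(SAMPLE_INVENTORY):
        print(f"[{f.rule}] {f.resource}: {f.detail}")
    # Non-zero exit is what makes a CI stage fail and stops the deployment.
    raise SystemExit(0 if gate_passes(SAMPLE_INVENTORY) else 1)
```

Run against the sample inventory, the gate reports four findings (one public bucket, one dangling CNAME, one user without MFA, one anonymous principal) and exits non-zero; the same checks against a clean inventory pass. The point is placement, not sophistication: the checks run on the plan in the pipeline, so the fix is a commit rather than the post-deployment backtracking the report describes.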
Conclusion
DevSecOps and cloud migration: Better together
Cloud migration success depends on DevSecOps adoption
If your organization is gearing up for cloud modernization, it’s best to have DevSecOps best practices in place, such as cross-team collaboration, automation, and security. Otherwise, you’ll just introduce more risk and more slowdowns. But when cloud migration happens alongside DevSecOps processes, you’ll see all the perks of the cloud — faster innovation, higher-quality products, and operational efficiency — all while developing securely.
About this report
This report is based on a survey of more than 300 infrastructure and security practitioners and leaders across various organization types and industries. The survey was conducted in the first quarter of 2023 by ViB.
Learn more about how DevSecOps is just the beginning
Dive into Snyk’s playbook that walks you through the current inequities between development and security, why modern security teams must shift their role and approach to security integration, and how to accomplish this transformation.