Skip to main content

The State of Application Security in Cloud Modernization

Cloud migration and modernization continues to be on the rise. Organizations are turning to the cloud with the primary goal of making their technology and application operations more efficient and to increase performance. But based on the results of the survey powering this report, there’s still a gap between their anticipated cloud outcomes and reality. The lack of DevSecOps practices is one of the major barriers. 

Tl;dr - DevSecOps, or the lack thereof, can make or break cloud modernization success

Nearly 60% of organizations say they have yet to fully realize their cloud expectations, and yet cloud migration and modernization plans continue apace. Indicators point to a lack of evolution in security approach and DevSecOps as key components that are slowing organizations down. Most organizations are still reliant on post-deployment detection and response security tools, instead of pre-deployment developer security and automated security in their pipelines. Perhaps that’s because only 41% of organizations have implemented DevOps practices or tools which go along with DevOps practices like automated CI/CDwhich ultimately slows them down, a side effect made exponential by the complexity and pace of the cloud. Not to mention, legacy tooling leaves organizations open to misconfiguration exploits at a 2x rate.

Part One

Cloud modernization is still growing in 2023

Most orgs are planning continued cloud migration

In the face of economic uncertainty, plans for migration and modernization to the cloud continue to expand. We’ve seen steady cloud growth over the past few years as businesses work towards better scalability, agility, and operational efficiency. This trajectory will continue in 2023, with over half of organizations planning to migrate most of their apps to the cloud. To reach their full potential, these cloud migration efforts must include updates to people, processes, and tools, specifically the adoption of DevSecOps practices and the tools to support them. For applications in the cloud today, these practices need to encompass the entirety of the application: code, configuration, pipelines, and cloud infrastructure to unlock new levels of speed and innovation. 


Nearly 60% of organizations plan to migrate at least half of their apps to the cloud

The majority of today’s orgs see the cloud as a worthwhile investment in 2023. It’s significantly more cost-effective to use cloud services than to pay for the hardware and service costs of on-prem infrastructure, especially for applications that need to scale up and down or where specialized infrastructure or application and data service are required. Beyond cost savings, the benefits of cloud are well understood at this point: resiliency, flexible capacity, a wealth of ready-to-use cloud and application services. And so the rate of migration to the cloud continues to grow. 

Volume of applications that organizations plan to migrate to the cloud

40%

30%

20%

10%

0%

0%

10%

20%

30%

40%

> 75%

50% - 75%

25% - 50%

< 25%

Not Sure

> 75%

50% - 75%

25% - 50%

< 25%

Not Sure

Most orgs plan to re-factor or re-platform at least 25% of their apps in 2023

Businesses plan re-factoring or re-platforming efforts to improve the design and implementation of their applications without changing functionality. These initiatives go hand-in-hand with other cloud migration and modernization efforts.

Percentage of applications targeted for replatforming or refactoring

80%

60%

40%

20%

0%

0%

20%

40%

60%

80%

Significant refactoring plans (>25% of applications)

Little to no refactoring plans

Significant refactoring plans (>25% of applications)

Little to no refactoring plans

Migrating apps to the cloud creates opportunities to modernize

87% of respondents reported plans to stand up new virtual machines, 38% plan to use containers, and 31% plan to use Infrastructure as Code (IaC) in 2023. Additionally, 24% of businesses will start using a serverless development model — relying on services like AWS Lambda, Microsoft Azure Functions, or Google Cloud Functions to manage their servers.

Infrastructure modernization rates this year

Virtual machines

Containers

Infrastructure as Code

Serverless

0%

25%

50%

75%

100%

Part Two

DevSecOps can make or break cloud migration success

Security & automation are essential to cloud realization

Why do some cloud modernization initiatives work and others don’t? Our research uncovered that the presence or lack of DevSecOps practices is often the difference between cloud migration success or failure. Organizations that move to the cloud but don’t evolve methodologies like shift left security and automation can’t fully realize their cloud expectations. This is why prioritizing a modern approach to DevSecOps — practices like security testing at every stage and automation — pays off.

59% of organizations have not realized their cloud expectations

We found that operational efficiency is the #1 business case for moving to the cloud. But, most orgs aren’t achieving this goal. It’s often because organizations jump into cloud modernization without evolving their approach to security. Failing to implement DevSecOps strategies, tools, and workflows impedes cloud success in the long run.

Cloud migration goal achievement

60%

40%

20%

0%

0%

20%

40%

60%

Fully realized expectations

Expectations not met

Fully realized expectations

Expectations not met

64% of respondents have low DevOps automation in the cloud

A manual approach might have worked in the days of on-prem infrastructure. But, the cloud introduces new opportunities to deploy faster but also more complexity. To achieve operational efficiency goals and remain safe, automation is the key. Deployments that are repeatable, auditable, and able to scale up and down quickly require new thinking from traditional data centers. IaC continues to grow in usage to meet this need: GitHub reported that HCL (Terraform language) is the fastest-growing language in their ecosystem. 

DevSecOps Automation in the cloud

Low Automation

64%

Somewhat Automated

31%

High Automation

5%

Many orgs still rely on legacy tools that can’t enable DevSecOps

In addition to relying on manual approaches, many orgs also use legacy tools originally designed for traditional, on-prem environments. These tools can’t work alongside the complexities of the cloud (think containers, K8s, and IaC). More specifically, legacy security tooling becomes a bottleneck to agile development processes, ultimately hindering cloud modernization.

Security tools most reliant on

40%

30%

20%

10%

0%

0%

10%

20%

30%

40%

EDR / XDR

CNAPP

SAST

IaC

DAST

IAST

SCA

EDR / XDR

CNAPP

SAST

IaC

DAST

IAST

SCA

Part Three

DevSecOps is still just a pipe(line) dream for some

Cloud migration is outpacing DevSecOps realization.

Overall, DevSecOps adoption is not keeping up with cloud migration and app modernization. This discrepancy slows down progress and leaves organizations exposed to security risks in the cloud. And it’s preventing teams from meeting their cloud expectations, as a DevSecOps approach is crucial to success after migration.

Only 41% of cloud organizations have adopted CI/CD tools or DevOps practices

Without proper DevSecOps practices, businesses cannot work in a fast-paced cloud environment. A lack of proper automation and shift left security causes bottlenecks and security risks that can hamper DevOps adoption. These issues only get worse once an org introduces the complexity and speed of the cloud. 

Percentage of deployments adoption DevOps practices or CI/CD tooling

> 75%

19%

50 % - 75%

22%

25% - 50%

13%

< 25%

11%

Not sure

24%

35% or less of organizations run security testing before deployment

One of these missing DevSecOps practices is continuous security testing. Testing too late in the SDLC ultimately negates cloud modernization initiatives. If developers and cloud/platform teams can only detect cloud issues one step before deployment, they have to backtrack in order to fix them.

Security testing stage

Production

37%

Deployment

48%

Local development (IDEs, CL/CI too;s, etc)

35%

CI Systems

24%

Source Code repositories

31%

Less than half of developers are responsible for their own security testing

Shared responsibility is one of the foundational principles of DevSecOps. Organizations must foster a unified, collaborative approach to building and securing software to succeed in their cloud migration efforts. To do so, security testing needs to shift left into developer workflows. This shift eliminates rework, leading to increased speed and efficiency.

Developers responsibility for security testing

Test proactively as a part of the build process

47%

Wait for a ticket from security

34%

Not responsible for security testing

19%

Part Four

Cloud migrations can create risk

The cloud makes infrastructure easier, not security

When an org migrates to the cloud, the number of tools, users, and processes grows exponentially. So, they need to take a different approach to security than it once took to secure traditional data center infrastructure. Organizations that haven’t modernized their security toolset are more exposed to risk in both pipelines and production.

Nearly a third of respondents saw increased risk since migrating to the cloud

Migration to the cloud means no traditional perimeter and a far larger attack surface. It also means that security teams can't keep up without automation or collaboration from other departments. Our respondents saw this rise in risk, as about 30% of organizations reported more risk in the cloud. By comparison, only 8% saw a decrease in risk.

Concern of threats since migrating to the cloud

80%

60%

40%

20%

0%

0%

20%

40%

60%

80%

Decreased

About the same

Increased

Decreased

About the same

Increased

Most security issues in the cloud take more than 24 hours to find

Because security testing happens so late in the SDLC for many orgs, cloud vulnerabilities can take a while to remediate. In the meantime, teams scramble to fix the problem (or ignore it altogether). And during this time, the org is at a much higher risk of exploitation.

Ability to spot security issues in cloud environments

40%

30%

20%

10%

0%

0%

10%

20%

30%

40%

Within a few hours

Within 24 hours

Within a week

Within a month or more

No fix workflows

Within a few hours

Within 24 hours

Within a week

Within a month or more

No fix workflows

Organizations using legacy tooling are 2x more likely to experience misconfiguration exploits

Cloud misconfigurations always happen because of human error. Examples include accidentally exposed cloud storage, dangling DNS entries, and identification and authentication failure. When left unresolved, these misconfigurations open the organization to risks like a data breach, subdomain takeover, or lateral movement.

Type of tooling organizations are using

Legacy Tooling

31%

Modern Tooling

10%

Conclusion

DevSecOps and cloud migration: Better together

Cloud migration success depends on DevSecOps adoption

If your organization is gearing up for cloud modernization, it’s best to have DevSecOps best practices in place, such as cross-team collaboration, automation, and security. Otherwise, you’ll just introduce more risk and more slowdowns. But when cloud migration happens alongside DevSecOps processes, you’ll see all the perks of the cloud — faster innovation, higher-quality products, and operational efficiency — all while developing securely.

About this report

This report is based on a survey of more than 300 infrastructure and security practitioners and leaders across various organization types and industries. The survey was conducted in the first quarter of 2023 by ViB.