Findings from our annual State of the Software Supply Chain report, which looks at the use of open source software development, told us two main things:
- The breakneck pace of growth around open source software (OSS), to the tune of 1.5 trillion components downloaded in 2020, is only increasing.
- Those components are being attacked at a record pace, with a 430% year-over-year growth in next-generation attacks.
These trends, which we'll expand on in our 2021 report this fall, also reminded us that these phenomena affect the entire software industry, not just open source. Particularly, enterprises struggle to react to the greater scale and complexity as they move to the cloud. Whether from hybrid environments with both cloud and on-premise infrastructure, or 100% cloud-native development, the industry finds that growing risk goes hand-in-hand with increased innovation. Today, we look at the state of cloud security for ourselves and our customers.
Partnering with the research team at Fugue, a leading cloud security provider, we surveyed over 300 professionals, including cloud engineers, security engineers, DevOps, and cloud architects. The result is our State of Cloud Security 2021 report.
What's Happening in Cloud Security?
We know that misconfigurations are the #1 reason for cloud data breaches, but our survey uncovered how prevalent these misconfigurations are:
- At least one serious cloud security leak or breach happened in the past year for 36% of respondents.
- More than eight in ten are worried their organization is vulnerable to a cloud misconfiguration-related breach.
- Half of those surveyed experience 50 or more misconfiguration events per day, and just 10% are remediating them faster than hackers using automation can find them.
We also know that as Infrastructure as Code (IaC) tools like Terraform become more mainstream, cloud security teams need to address the entire software development life cycle (SDLC).
Shifting left in this space means catching vulnerabilities in cloud development before they are deployed to production. Yet our survey found that one in five cloud engineers are not using scanning tools to check IaC pre-deployment. Among those, half say their teams are investing 50 or more engineering hours per week on IaC security, with cloud runtime security seeing a similar level of effort.
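To make the "scan IaC before it is deployed" step concrete, here is an added example of a minimal pre-deployment check that runs over Terraform text and fails the build when it finds common misconfigurations (a security group open to the world, a public S3 bucket ACL, a publicly accessible database). It is illustrative code written for this post, not part of the Sonatype or Fugue report or of any real scanner; the rule names, the regex-based HCL splitting, and the sample Terraform are all constructed here, and a production tool would use a real HCL parser.

```python
"""Minimal pre-deployment IaC misconfiguration scanner (illustrative, regex-based)."""
import re
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed sample Terraform, not from any real project: one world-open
# security group, one public bucket, one publicly reachable database.
SAMPLE_TF = '''
resource "aws_security_group" "bastion" {
  name = "bastion"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}

resource "aws_db_instance" "app" {
  engine              = "postgres"
  publicly_accessible = true
}
'''


@dataclass(frozen=True)
class Finding:
    resource: str   # "<type>.<name>"
    rule: str       # hypothetical rule id, chosen for this example
    detail: str


_RESOURCE_HEADER = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
_INGRESS = re.compile(r'ingress\s*\{([^}]*)\}')
_WORLD = ("0.0.0.0/0", "::/0")


def split_resources(hcl: str) -> list:
    """Return (type, name, body) for each top-level resource block.
    Braces are matched by counting, which suffices for plain attribute/block
    syntax like the sample above (not for braces inside string values)."""
    out = []
    for m in _RESOURCE_HEADER.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        out.append((m.group(1), m.group(2), hcl[m.end():i - 1]))
    return out


def _attr(body: str, key: str) -> Optional[str]:
    """Raw text of `key = value` on a single line, or None if absent."""
    m = re.search(rf'\b{key}\s*=\s*(.+)', body)
    return m.group(1).strip() if m else None


def check_security_group(res: str, body: str) -> list:
    findings = []
    for ing in _INGRESS.finditer(body):
        block = ing.group(1)
        cidrs = _attr(block, "cidr_blocks") or ""
        if any(w in cidrs for w in _WORLD):
            ports = f'{_attr(block, "from_port")}-{_attr(block, "to_port")}'
            findings.append(Finding(res, "SG_OPEN_TO_WORLD", f"ingress {ports} allows {cidrs}"))
    return findings


def check_s3_bucket(res: str, body: str) -> list:
    acl = (_attr(body, "acl") or "").strip('"')
    return [Finding(res, "S3_PUBLIC_ACL", f"acl = {acl}")] if acl.startswith("public") else []


def check_db_instance(res: str, body: str) -> list:
    if (_attr(body, "publicly_accessible") or "").lower() == "true":
        return [Finding(res, "DB_PUBLICLY_ACCESSIBLE", "publicly_accessible = true")]
    return []


RULES = {
    "aws_security_group": check_security_group,
    "aws_s3_bucket": check_s3_bucket,
    "aws_db_instance": check_db_instance,
}


def scan(hcl: str) -> list:
    """Apply every rule to every resource and collect the findings."""
    findings = []
    for rtype, name, body in split_resources(hcl):
        check = RULES.get(rtype)
        if check:
            findings.extend(check(f"{rtype}.{name}", body))
    return findings


def main(argv) -> int:
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_TF
    findings = scan(text)
    for f in findings:
        print(f"[{f.rule}] {f.resource}: {f.detail}")
    return 1 if findings else 0   # non-zero exit blocks the deploy stage


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_iac.py main.tf` in the CI job that precedes `terraform apply`; a non-zero exit is what turns the scan into a gate rather than a report. The design point is that every rule reads the plan-time text, so the bastion rule fires on the `0.0.0.0/0` ingress but not on the `10.0.0.0/8` one, and the same file with those three values corrected produces no findings.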
So what are some other common challenges to cloud adoption? What do cloud professionals say they need to better secure their environment? Most importantly, what can your team do to ensure your cloud architecture is safe and secure, along with the data and applications running on it?
Download your copy of the State of Cloud Security 2021 report (PDF format) to learn more.
Kevin Miller is a Product Marketing Manager at Sonatype where he works to empower the development community to shift component choice and security left. He believes that putting the right tools and options in the hands of developers will help accelerate software innovation and minimize open source ...