One of the core issues with cloud security that nobody wants to admit is how many problems stem from a simple lack of trust between application developers and internal cybersecurity teams. Developers have historically been far more concerned with how quickly they can build and deploy applications than with the security of the IT environment in which those applications run. The simple truth is that the developers who provision cloud infrastructure today don’t have a lot of cybersecurity expertise, so it should not come as a surprise to discover just how rife cloud computing environments are with misconfigurations that cybercriminals can easily exploit.
Cybersecurity teams are, of course, supposed to discover and remediate these misconfigurations, but the pace at which cloud applications are being built and deployed exceeds their ability to keep up. Most cybersecurity teams are chronically understaffed, so an application might be running for a while before an issue is discovered. In addition, the number of individuals on a cybersecurity team with dedicated cloud expertise tends to be small.
Low adoption of a DevSecOps culture creates obstacles
In theory, the rise of DevSecOps (Development, Security, and Operations) best practices is supposed to reduce the current level of distrust between developers and cybersecurity teams. However, a global survey of 1,300 CIOs and DevOps managers working for organizations with more than 1,000 employees, conducted by the market research firm Coleman Parkes on behalf of Dynatrace, a provider of an observability platform, suggests not a lot of progress is being made. Only 27 percent of respondents claimed to fully adhere to a DevSecOps culture today.
The biggest obstacles to achieving that goal are that security teams don’t trust developers (55 percent), developers perceive security teams to be blockers of innovation (49 percent) and the silos that exist between teams (36 percent), the survey finds.
MSPs can narrow the divide between developers and security teams
Managed service providers (MSPs) can play a crucial role by helping to narrow that divide first by monitoring what workloads are being deployed on cloud platforms and then scanning them for vulnerabilities.
No developer deliberately sets out to build and deploy an insecure application. They just need the tools to allow them to address critical vulnerabilities as quickly as possible. What they resent is being presented with a long list of vulnerabilities that lack any context.
Internal cybersecurity teams tend to create spreadsheets listing vulnerabilities that are then shared with development teams. However, when developers investigate those vulnerabilities, they often discover either that the code that might be affected is not exposed anywhere outside the organization, or that exploiting the vulnerability in question would require a level of skill and resources that makes any chance of it actually being exploited a remote possibility.
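The two pieces of context the paragraph above says are missing from those spreadsheets, external exposure and exploit maturity, can be folded into a simple triage step before a list ever reaches a development team. The following is an added example, not code from the original article or from any MSP tooling it mentions; the weighting factors, the `Finding` fields and the sample findings (placeholder identifiers, not real CVEs) are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln_id: str               # placeholder identifier, not a real CVE
    service: str
    cvss: float                # base severity as reported by the scanner
    externally_reachable: bool # reachable from outside the organization?
    exploit_maturity: str      # "none", "poc" or "weaponized" (constructed scale)

# Assumed weights: an internal-only service and the absence of a working
# exploit both pull the raw severity down. Tune these to the environment.
EXPOSURE_WEIGHT = {True: 1.0, False: 0.3}
EXPLOIT_WEIGHT = {"none": 0.4, "poc": 0.7, "weaponized": 1.0}

def priority_score(f: Finding) -> float:
    """Severity adjusted for the two context factors developers ask about."""
    return f.cvss * EXPOSURE_WEIGHT[f.externally_reachable] * EXPLOIT_WEIGHT[f.exploit_maturity]

def rationale(f: Finding) -> str:
    """One-line explanation so the entry does not arrive without context."""
    exposure = "externally reachable" if f.externally_reachable else "internal only"
    return f"{f.service}: {exposure}, exploit maturity {f.exploit_maturity}"

def triage(findings, fix_now_threshold: float = 5.0):
    """Split findings into (fix_now, track); each list is (id, score, rationale),
    highest adjusted score first."""
    fix_now, track = [], []
    for f in sorted(findings, key=priority_score, reverse=True):
        entry = (f.vuln_id, round(priority_score(f), 1), rationale(f))
        (fix_now if entry[1] >= fix_now_threshold else track).append(entry)
    return fix_now, track

# Constructed sample findings. Note the CVSS 9.8 on the internal batch worker:
# with no exploit available and no external exposure it drops to the bottom,
# while a 7.5 on an exposed portal with a public PoC lands in "fix now".
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "public-api", 9.8, True, "weaponized"),
    Finding("VULN-0002", "batch-worker", 9.8, False, "none"),
    Finding("VULN-0003", "customer-portal", 7.5, True, "poc"),
    Finding("VULN-0004", "internal-wiki", 7.5, False, "poc"),
]

if __name__ == "__main__":
    fix_now, track = triage(SAMPLE_FINDINGS)
    for label, bucket in (("FIX NOW", fix_now), ("TRACK", track)):
        for vuln_id, score, why in bucket:
            print(f"{label:7} {vuln_id} {score:>4}  {why}")
```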
Given the pressure developers are under to rapidly deliver new features and capabilities for organizations that are increasingly dependent on software to drive revenue, it’s easy to see how cybersecurity teams come to be viewed as obstacles to be circumvented rather than as partners. The problem is that at a time when organizations are looking to better secure their software supply chains, the tolerance for this level of dysfunction is dropping by the day.
As is usually the case in any dispute, both parties make valid points. An MSP that establishes a level of trust between them can help resolve these issues in a way that developers and cybersecurity teams can both appreciate and understand. In effect, the MSP acts like a therapist who, beyond offering advice, is also capable of resolving issues to the satisfaction of all concerned. Establishing that level of trust may not be easy, but once created it is nothing less than invaluable to everyone involved. The challenge and the opportunity are not only to find a way to establish it, but also to make sure it is not easily lost, given the long history of acrimony between developers and cybersecurity professionals who are still too quick to blame one another for each other’s shortcomings.