Why Shift-Left Security Isn’t Enough for the Cloud


In the last few years, a rapid industry-wide swing toward automation and virtualization of application infrastructure in cloud and containerized environments has exposed a need to expand DevOps processes to include security operations in the cyclic workflows of the CI/CD pipeline. In many organizations, responding to this need has taken the form of a new conceptual approach to development. This discipline – dubbed DevSecOps – makes security a shared responsibility and shifts many security operations earlier – or left – in the development lifecycle to stay ahead of the vulnerability bottlenecks that increasingly decentralized environments introduce.

The shift-left approach of DevSecOps reorients security operations from a reactive posture – responding to threats only after potential attacks have occurred – to an ongoing proactive practice of building security into software design and anticipating vulnerabilities before they are exploited. In addition to traditional security perimeter tools, the DevSecOps toolkit includes multiple continuously applied technologies such as:

  • Runtime Application Self-Protection (RASP)
  • Web Application Firewalls (WAFs)
  • Container Image Scanning Tools

The desired combined effect of these practices is to monitor applications in real time for anomalies and to harden cloud architecture components such as containers against known vulnerabilities and attack vectors.

Limitations of Shift-Left Security in Multi-Cloud Containerized Environments

Shift-left security has significantly improved upon outdated perimeter-based reactive approaches. Nevertheless, current data showing that effective cloud management and design lag behind fast-growing cloud adoption suggest that even a hard left shift leaves organizations unprepared for certain inevitabilities of multi-cloud environments.

1. Proliferating Cloud Vulnerabilities

Successfully mitigating vulnerabilities in cloud services – by scanning container images and configuring WAFs – depends largely on the security industry’s ability to maintain an edge on the exposure of new vulnerabilities. However, current trends indicate a broadening gap. In the last five years, known cloud vulnerabilities have increased 150%, with year-over-year growth rising every year.

2. Misconfigurations

With 89% of organizations employing multi-cloud strategies – 80% of which involve hybrids of public and private clouds – secure configuration in cloud environments has become an ever-steeper slope to climb. Presently, 80% of data breaches trace back to manual misconfigurations and oversights in cloud setups, and – based on current trajectories – human error will continue to account for 99% of cloud environment failures through 2025.

3. Insider Threats

While anticipating all vulnerabilities and misconfigurations in advance may be an unrealistic goal in practice, the constraints on doing so are merely time and resources. In contrast, even theoretically optimal proactive measures cannot account for risks introduced by human activity. With a booming market for cloud credentials – Remote Desktop Protocol (RDP) credentials in particular – now thriving on the dark web, 60% of successful cloud attacks originate with malicious insider action, a variable no amount of built-in security can constrain.

4. Supply Chain Attacks

5. Zero-Day Attacks

We all remember the Log4j zero-day. Each year there seems to be a large zero-day vulnerability that must be immediately addressed, with countless others impacting both commercial and open source components. As the name implies, zero-day attacks are invisible to vulnerability scanning until the vulnerability is disclosed and a patch becomes available.

Runtime Security Throughout the SDLC With Spyderbat

When advanced measures fail, the only conceivable alternative for securing environments at runtime is intercepting attacks live as they happen. While traditional security tools lack the capacity for the system-wide visibility – even in undistributed environments – that live intervention would require, Spyderbat offers DevSecOps unprecedented granular monitoring of all system activities within and across cloud workloads, regardless of architectural complexity. Because it records activity comprehensively – using eBPF technology to capture events at the Linux kernel level – Spyderbat’s ability to secure runtime environments does not depend on code changes, advanced configuration, or interpretation of esoteric log messages. Rather, Spyderbat enables analysts to interpret suspicious activities as they unfold, mitigating unpredictable threats such as unknown vulnerabilities and insider threats.
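The following added example illustrates the runtime idea behind this paragraph and the zero-day point made earlier: detection keyed to process behaviour rather than to a signature for a known vulnerability, so a workload that starts behaving differently is flagged whether or not the underlying bug has a CVE yet. This is illustrative code written for this page, not Spyderbat’s software or data. The event record fields, the per-workload baseline and the sample events are all constructed (the IP address is from the TEST-NET-3 documentation range), and a parent-to-child process lineage allow-list is only one simple form of behavioural baseline.

```python
"""Toy runtime-behaviour detector over a constructed stream of process-execution
events, in the shape a kernel-level (e.g. eBPF) tracer might emit them.

Illustrative only: the event format, baseline and sample data are invented for
this example and are not Spyderbat's format or a real incident.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecEvent:
    ts: float        # seconds since the workload started (constructed)
    workload: str    # container or pod the process runs in
    pid: int         # process id of the new process
    ppid: int        # process id of its parent
    parent: str      # executable name of the parent process
    child: str       # executable name being started
    argv: str        # command line, kept only for the analyst's context


def learn_baseline(clean_events):
    """Build a per-workload allow-list of (parent, child) lineages from a
    trusted observation window (e.g. the workload running its test suite)."""
    baseline = {}
    for ev in clean_events:
        baseline.setdefault(ev.workload, set()).add((ev.parent, ev.child))
    return baseline


def detect(events, baseline):
    """Flag every exec whose lineage is outside the workload's baseline, and
    every descendant of an already-flagged process, so the whole chain is
    reported together even when later steps look ordinary on their own.

    Returns a list of (event, root_pid, reason) in time order, where root_pid
    is the pid of the first deviating process in that chain.
    """
    flagged = {}      # pid -> root pid of the deviating chain it belongs to
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        allowed = baseline.get(ev.workload, set())   # no baseline => flag all
        if ev.ppid in flagged:
            root = flagged[ev.ppid]
            flagged[ev.pid] = root
            findings.append((ev, root, f"descendant of flagged pid {root}"))
        elif (ev.parent, ev.child) not in allowed:
            flagged[ev.pid] = ev.pid
            findings.append((ev, ev.pid, f"unexpected lineage {ev.parent} -> {ev.child}"))
    return findings


def chains(findings):
    """Group findings by the root pid of their chain: {root_pid: [child, ...]}."""
    out = {}
    for ev, root, _reason in findings:
        out.setdefault(root, []).append(ev.child)
    return out


# Constructed baseline: lineages seen while each workload ran a clean test cycle.
BASELINE = {
    "api-backend": {("containerd-shim", "java"), ("java", "java")},
    "web-frontend": {("containerd-shim", "nginx"), ("nginx", "nginx")},
}

# Constructed sample stream: normal startup, then the JVM in api-backend spawns
# a shell that runs further tools. Nothing here is a real event or incident.
SAMPLE_EVENTS = [
    ExecEvent(0.0, "api-backend", 100, 1, "containerd-shim", "java", "java -jar app.jar"),
    ExecEvent(0.1, "web-frontend", 200, 1, "containerd-shim", "nginx", "nginx -g 'daemon off;'"),
    ExecEvent(0.2, "web-frontend", 201, 200, "nginx", "nginx", "nginx: worker process"),
    ExecEvent(42.0, "api-backend", 150, 100, "java", "sh", "sh -c id"),
    ExecEvent(42.3, "api-backend", 151, 150, "sh", "curl", "curl http://203.0.113.10/"),
    ExecEvent(42.9, "api-backend", 152, 150, "sh", "chmod", "chmod +x /tmp/x"),
]

if __name__ == "__main__":
    for ev, root, reason in detect(SAMPLE_EVENTS, BASELINE):
        print(f"t={ev.ts:5.1f} {ev.workload}: pid {ev.pid} {ev.child!r} ({reason})")
    print("chains:", chains(detect(SAMPLE_EVENTS, BASELINE)))
```

Run against the constructed stream, the first three events match the baseline and produce nothing; the shell spawned by the JVM is reported as an unexpected lineage, and its two children are attached to the same chain even though a shell running `curl` or `chmod` would be unremarkable in many other contexts. The detector never consults a vulnerability database, which is the property the paragraph above is getting at: the alert fires on what the workload does, not on which bug let it happen.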

To experience right-shifted runtime security, start a free trial of Spyderbat today.
