Security vulnerabilities in AI-generated code is the most common cloud security concern for 2024 as 100% of survey respondents report their organization uses AI to assist coding, according to Palo Alto Networks’ 2024 State of Cloud-Native Security report published Wednesday.
Click for more special coverage
AI fears, conflict between developers and security teams, rushed cloud migration and fragmentation across multiple cloud tools were key focuses of the report, while AI, API and access management risks were among the top concerns reported by respondents.
The report also reveals that security incidents such as data breaches, compliance violations and incidents involving advanced persistent threats (APTs) are on the rise, pointing to a need for greater identity and secrets management. The report concludes with recommendations to improve cloud-native security.
GenAI top-of-mind for developers and cloud security pros
The survey, which included responses from 2,800 executives and practitioners from development, information security and information technology departments across the globe, yielded the first-ever unanimous response in the history of the State of Cloud-Native Security Report, with 100% of respondents reporting their organization is embracing AI-assisted coding in their development operations.
At the same time, AI risks made up two of the three most common cloud security fears, with 44% of respondents expressing concern about vulnerabilities in code generated by AI, and 38% saying AI-powered attacks posed a threat.
At the same time, “organizations aren’t throwing caution to the wind,” the report stated. Ninety-nine percent of respondents said their organization plans to create AI safety policies and ensure proper “need-to-know” access management for AI models. Additionally, 98% of responses indicated their organizations plan to fully inventory their AI models and GenAI-assisted applications.
Overall, 100% of organizations plan to prioritize visibility into the full lifecycle of AI deployments, the survey found.
API, identity risks common cloud security woes
The second most common security fear for survey respondents was API-associated risks, cited by 43% of respondents.
“Apprehension among organizations centers on unmanaged and unsecured APIs, third-party API risks, and the lack of oversight in API integrations,” the report stated.
Thirty-five percent of respondents were also concerned about inadequate access management in the cloud. The introduction of the cloud created identity management challenges, including the fragmentation of identities across multiple services.
The report’s section on incident response reflected the need for greater API security and access control, with 64% of respondents reporting an increase in data breaches over the past year, 48% reporting an increase in significant compliance violations, and 45% citing an increase in incidents involving insecure APIs.
An increase in downtime caused by misconfigurations was also reported by 45% of respondents, APT-related incidents by 45%, secrets exposure by 43% and identities with overly permissive access by 42%. The top two “data security foes” indicated in the survey were the complexity and fragmentation of cloud environments (54%) and lenient incident and access management practices (50%), emphasizing the role of identity in preventing cloud-native data security incidents.
Time-to-market crunch undermining security, causing stress to staff
Another problem highlighted in Palo Alto’s State of Cloud-Native Security report is the clash of priorities between developers and security teams, with DevOp teams under pressure to deliver fast and seeing requests from SecOps colleagues as a burden.
A whopping 92% of organizations said conflicts between DevOps and SecOps leads to inefficient application development and deployment, and 84% said security processes lead to delays in project timelines. Meanwhile, 71% of respondents said rushed timelines have resulted in security vulnerabilities upon deployment.
These conflicts not only harm security, but also cause significant workplace stress among DevOps and SecOps staff. More than half (52%) of respondents said conflict between DevOps and SecOps teams was a source of workplace stress.
The time crunch is also felt when it comes to cloud migration, with half of surveyed professionals saying they wish they had spent more time refactoring applications for the cloud rather than taking a “lift and shift” approach.
Recommendations for securing the cloud in 2024
Palo Alto Networks makes five recommendations to improve cloud security given the current challenges. Firstly, organizations should look to consolidate their cloud security tools, as the survey found that organizations use an average of 16 cloud security tools across an average of 12 cloud service providers (CSPs), with 98% of respondents saying reducing this number was important.
“A strategic way to prepare for new cloud security requirements is to start with a platform vendor that can expand into your future use cases, encompassing both application and operations security,” the report stated.
The second recommendation focused on secure AI adoption, with clear policies in place for AI usage and access. The report also recommended automating discovery of sensitive data to keep sensitive details out of model training and noted the importance of awareness when it comes to the use of AI-generated code in third-party software supply chains.
Thirdly, given the uptick in cloud data breaches, intelligent data security solutions and regular reviews of data security strategies should be implemented. Access control and employee training are also key to protecting data in the cloud.
The fourth recommendation tackled the tug-of-war between speed and security, urging organizations to measure how often security is a gating factor in production timelines and adapt their workflow to maximize both efficiency and security. Adoption of a secure-by-design approach can also assist in this area.
Lastly, being proactive in implementing security measures for app development can help harmonize the relationship between DevOps and SecOps and get both departments on the same page.
“If you don’t deliberately, strategically, 100% commit to building a DevSecOps culture, your business outcomes are at risk,” the report concluded.
