Integrating security from code to cloud

“Open source is critical,” says David Harmon, director of software engineering for AMD. “It provides an environment of collaboration and technical advancements. Savvy users can look at the code themselves; they can evaluate it; they can review it and know that the code that they’re getting is legit and functional for what they’re trying to do.”

But OSS can also compromise an organization’s security posture by introducing hidden vulnerabilities that fall under the radar of busy IT teams, especially as cyberattacks targeting open source are on the rise. OSS may contain weaknesses, for example, that can be exploited to gain unauthorized access to confidential systems or networks. Bad actors can even intentionally introduce into OSS a space for exploits—“backdoors”—that can compromise an organization’s security posture. 

“Open source is an enabler to productivity and collaboration, but it also presents security challenges,” says Vlad Korsunsky, corporate vice president of cloud and enterprise security for Microsoft. Part of the problem is that open source introduces into the organization code that can be hard to verify and difficult to trace. Organizations often don’t know who made changes to open-source code or the intent of those changes, factors that can increase a company’s attack surface.

Complicating matters is that OSS’s increasing popularity coincides with the rise of cloud and its own set of security challenges. Cloud-native applications that run on OSS, such as Linux, deliver significant benefits, including greater flexibility, faster release of new software features, effortless infrastructure management, and increased resiliency. But they also can create blind spots in an organization’s security posture, or worse, burden busy development and security teams with constant threat signals and never-ending to-do lists of security improvements.

“When you move into the cloud, a lot of the threat models completely change,” says Harmon. “The performance aspects of things are still relevant, but the security aspects are way more relevant. No CTO wants to be in the headlines associated with breaches.”

Staying out of the news, however, is becoming increasingly more difficult: According to cloud company Flexera’s State of the Cloud 2024 survey, 89% of enterprises use multi-cloud environments. Cloud spend and security top respondents’ lists of cloud challenges. Security firm Tenable’s 2024 Cloud Security Outlook reported that 95% of its surveyed organizations suffered a cloud breach during the 18 months before their survey.

Code-to-cloud security

Until now, organizations have relied on security testing and analysis to examine an application’s output and identify security issues in need of repair. But these days, addressing a security threat requires more than simply seeing how it is configured in runtime. Rather, organizations must get to the root cause of the problem.

It’s a tall order that presents a balancing act for IT security teams, according to Korsunsky. “Even if you can establish that code-to-cloud connection, a security team may be reluctant to deploy a fix if they’re unsure of its potential impact on the business. For example, a fix could improve security but also derail some functionality of the application itself and negatively impact employee productivity,” he says.