Industry Study From Analyst Firm ESG Shows API Vulnerabilities Are Top Threat Concern For Cloud Security Professionals

Below is our recent interview with Doug Dooley, COO of Data Theorem:

Q: It has been a while since we have spoken. What has Data Theorem been up to since we last connected?

A: Since we last spoke in October 2018, we’ve experienced incredible growth across our customer base, revenue, and product capabilities. Our API Discover and API Inspect products in particular have won several industry awards and were recognized in four separate Gartner reports for unique innovations in cloud-based API Security, AppSec, DevSecOps, and IT Automation. Lastly, we just announced our new offering helping customers secure their modern web applications called SPA (Single Page Apps) using GraphQL (a new API standard).

Q: Enterprise Strategy Group (ESG), an industry analyst firm, published results last week from a recently conducted independent study. What does the study cover and where can readers access a copy of the results for themselves?

A: Doug Cahill of Enterprise Strategy Group embarked on this study to learn about organizations’ composition of cloud-native applications, the challenges they face, and their future priorities for securing cloud-native applications. Respondents in the study were from organizations that are mature cloud users in their use of public cloud services and/or container usage. Participants were from a wide range of industries, with financial services being the largest vertical.

Those interested in accessing the report can find it here.

Q: Why is this study’s data important to learn about?

A: It is important to discover what organizations are doing to secure their cloud-native apps, especially with the benefits DevSecOps has to offer. This is especially timely these days because fundamental changes to application architectures and the infrastructure platforms hosting them are not served by existing cybersecurity technologies and traditional approaches to securing business-critical workloads.

Q: What especially interested you about ESG’s findings and why?

A: The ESG report revealed that growth of new APIs and applications is exploding in the public cloud, and mainstream traction is accelerating. We were especially interested to learn about the breadth and depth of enterprise adoption of cloud-native features found in public cloud only.

Q: What did ESG publish that you feel is most important?

A: The most important data points coming out of this study were how participants responded to questions on API security, serverless adoption, and the state of security automation for DevOps. For example, more than half of respondents stated their organization’s developers are already using serverless functions, with another 44 percent either evaluating or planning to start using serverless by 2021.

Q: What are some of the biggest headlines that ESG uncovered in this study?

A: The real headline here is the growing adoption of serverless applications. Enterprise DevOps teams are building globally scalable apps cheaper and simpler, but securing them has become an issue. Security automation for DevOps or DevSecOps is another area that has shown an ability to help, but only 8 percent of organizations are using it to secure the majority of their cloud-native applications. The security industry will need to tackle this lack of security automation as more companies build API services and apps natively in the cloud.

Q: Anything particularly surprising in the results?

A: We were most surprised to see that API security was the highest ranked category for current or projected incremental spend. We hear a lot more about many other areas of security, for example malware prevention, data encryption, CSPM, CWPP, and container security. But it is API security that is the clear #1 area where enterprises are focusing their energy and investments due to the enormity of data passing through APIs in the public cloud.

Q: How do the ESG study findings align with what you are doing at Data Theorem?

A: Well, customers and prospects have been telling us for a few years now that API-driven microservices, serverless applications, modern web (SPA), and mobile applications are the majority of their cloud-native application development growth. These areas are where Data Theorem has been investing in building our differentiated AppSec product portfolio to align with our customers’ strategic cloud direction. The ESG report validates that we are closely aligned with our enterprise customers, and it gives us an additional sense of urgency because so many organizations will need our help over the coming years.

Q: There is a lot of data here. How would you summarize for our readers?

A: There are a few headlines to summarize around, particularly: (1) Cloud API security, (2) automation for DevSecOps, and (3) adoption of serverless. API security is seen as the #1 area of incremental investment for DevOps to best protect their data. While automation is a common practice that enables DevOps speed and scale, security teams need to take advantage of similar automation techniques to keep up with application teams using CI/CD and DevOps practices. Serverless adoption is growing faster than most would have expected, even us. The majority of companies are already using it, and it will grow significantly over the next two years. The serverless application architecture is so innovative and new that most traditional security tools do not interoperate due to lack of operating system or container access. A new approach is needed to conduct security analysis and provide protection for serverless apps.

Q: Looking ahead, what can we expect to see from Data Theorem this quarter and into next?

A: We are working on several significant partnerships with cloud providers and have already begun expanding in the Asia Pacific markets, specifically Japan and Singapore. We expect to have more to report next year on all these fronts.

Q: Thank you for your time. Is there anything else you would like to add as we close our interview?

A: It’s obvious from this study that no single cloud provider can deliver the breadth of security controls necessary for most DevOps teams. Further complicating things, most DevOps teams have two or more public cloud providers for their business-critical apps. The industry needs to work closely with the top cloud providers to build better application security controls that function across multi-cloud environments. Most organizations are struggling to secure the application layer of their cloud-native apps. And APIs are the most critical attack vector leading to significant data breaches. We need to do better as an industry.
