PEOPLE / COLLABORATION
QUESTIONS 1 - 3
AUTOMATION
QUESTIONS 4 - 7
CONTROLS
QUESTIONS 8 - 10
Question 1

Does your organization have an individual or group of individuals designated as “cloud security architects/engineers”? (please check one)

Yes, and this position has been in place for at least a year
Yes, and this position was recently established (i.e., within the last 12 months)
No, but we are actively hiring for this position
No, but we plan to establish this position in the next 12 months
No, but we are evaluating this role
No, and we have no plans or interest in doing so in the future
Don’t know
PEOPLE / COLLABORATION
QUESTIONS 1 - 3
AUTOMATION
QUESTIONS 4 - 7
CONTROLS
QUESTIONS 8 - 10
Question 2

How often does your organization’s CISO (or other security team representative) brief business executives on the security controls, KPIs, and threat activities observed affecting your organization’s cloud-native applications? (please check one)

Weekly
Monthly
Quarterly
Annually
This never happens
This happens only as requested
Don’t know
PEOPLE / COLLABORATION
QUESTIONS 1 - 3
AUTOMATION
QUESTIONS 4 - 7
CONTROLS
QUESTIONS 8 - 10
Question 3

In which of the following stages of the software delivery lifecycle do security stakeholders and development teams actively collaborate? (please check all that apply)

Requirements and design
Code development
Build and integration
Testing and quality assurance (including preparing for an audit and after a penetration test)
Deployment and production
After a cybersecurity incident in production
When cybersecurity funding is requested/required
None of the above
Don’t know
PEOPLE / COLLABORATION
QUESTIONS 1 - 3
AUTOMATION
QUESTIONS 4 - 7
CONTROLS
QUESTIONS 8 - 10
Question 4

To what extent does your organization use or plan to use DevSecOps approaches? (please check one)

We have not yet discussed how security fits with DevOps processes
We are evaluating DevSecOps
We plan to leverage DevSecOps within the next 12 months
We leverage DevSecOps in a limited fashion
We leverage DevSecOps extensively
Don’t know/too soon to tell
PEOPLE / COLLABORATION
QUESTIONS 1 - 3
AUTOMATION
QUESTIONS 4 - 7
CONTROLS
QUESTIONS 8 - 10
Question 5

Approximately what percent of your organization’s internally-developed cloud-native applications are secured via DevSecOps automation? (please check one)

Less than 10% of apps
10% to 25% of apps
26% to 50% of apps
51% to 75% of apps
76% to 90% of apps
More than 90% of apps
Don’t know
PEOPLE / COLLABORATION
QUESTIONS 1 - 3
AUTOMATION
QUESTIONS 4 - 7
CONTROLS
QUESTIONS 8 - 10
For the purposes of this survey, “security-as-code” is defined as an approach in which security and DevOps teams move away from manual security practices and leverage code to automate security practices at different stages of the application lifecycle (i.e., development, integration, test, delivery, runtime).
Question 6

Please rate your level of agreement: My cybersecurity team has a critical mass of security analysts equipped to implement “security-as-code.” (please check one)

Strongly disagree
Disagree
Neutral
Agree
Strongly agree
PEOPLE / COLLABORATION
QUESTIONS 1 - 3
AUTOMATION
QUESTIONS 4 - 7
CONTROLS
QUESTIONS 8 - 10
Question 7

Which of the following security practices has your organization automated via integration with development and delivery tools and processes? (please check all that apply) 

Identification and remediation of configuration and software vulnerabilities before deployment to production
Composition analysis to create a “bill of materials” for a source code branch
Static (SAST) and/or dynamic (DAST) analysis to identify inadvertently introduced organic vulnerabilities
Logging of all changes for compliance audits (i.e., compliance-as-code)
Identification and remediation of malware before deployment to production
Discovery and inspection of APIs in source code
Application of runtime API security controls
Application of runtime threat prevention controls (e.g., anti-malware, application control, virtual patching, intrusion prevention)
Application of controls that can detect anomalous activity (i.e., intrusion detection)
Application of access controls to segment inter-workload/container communication access controls (e.g., micro-segmentation)
Application of controls that capture system activity for incident response, forensics, and threat hunting
PEOPLE / COLLABORATION
QUESTIONS 1 - 3
AUTOMATION
QUESTIONS 4 - 7
CONTROLS
QUESTIONS 8 - 10
Question 8

Which of the following best describes the types of controls currently employed to secure your organization’s cloud-native applications? (please check one) 

We only use security controls native to the cloud service provider’s platform
We only use third-party security controls
We use a combination of third-party security controls and those that are native to the cloud service provider’s platform
Other (please specify)
Don’t know
PEOPLE / COLLABORATION
QUESTIONS 1 - 3
AUTOMATION
QUESTIONS 4 - 7
CONTROLS
QUESTIONS 8 - 10
Question 9

Which best describes your organization’s use of or interest in an integrated platform to protect cloud-native applications and infrastructure? (please check one)

We have already consolidated to an integrated platform
We plan to consolidate to an integrated platform in the next 12 months
We are evaluating consolidating to an integrated platform
We are not interested in a platform-based approach
PEOPLE / COLLABORATION
QUESTIONS 1 - 3
AUTOMATION
QUESTIONS 4 - 7
CONTROLS
QUESTIONS 8 - 10
Question 10

Which of the following controls does your organization currently use when it comes to securing its internally developed cloud-native applications and infrastructure? (please check all that apply)

Cloud security posture management (CSPM)
Cloud workload protection platform (CWPP)
Container security
Application security testing (AST)
API security
Cloud infrastructure entitlement management (CIEM)
Micro-segmentation
Web application firewalls (WAF) and/or web app and API protection (WAAP)
Endpoint detection and response (EDR) for cloud-resident server workloads and containers (i.e., cloud detection and response
Data loss prevention (DLP) controls for object stores
ESG, a division of TechTarget, is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.
© 2021 TECHTARGET, INC. ESG, A DIVISION OF TECHTARGET, SUITE 1-150, 275 GROVE STREET, NEWTON, MA 02466 | 508.482.0188