15 Top Cloud and Code Security Challenges Revealed by CTOs

By
Felix Garriau
4 min read
Engineering

We’ve consulted with 15 SaaS CTOs about their cloud and code security challenges and concerns. Why?

  • SaaS CTOs all face challenges in securing their product. We wanted to find those trends and discover their needs and worries.
  • Customer research is essential for any startup’s success, and Aikido is no different! In fact, we love finding out what customers have to say.
  • From the start, we’ve been focused on designing and evolving our security tools based on what’s most important for our customers.

Here at Aikido, we believe in open knowledge sharing, so now it’s time to pass on what our consultations have discovered and uncovered.

About our cloud and code security consultation

The CTOs we consulted are from cloud-native software startups with between 51 and 500 employees. We focused on these cloud and code security topics:

  • the priority they give to preventing threats
  • blockers to preventing threats
  • their satisfaction levels with current solutions
  • what other solutions they’ve used and their flaws
  • challenges they face
  • their requirements and desired outcomes
  • features they value, and
  • what they want to accomplish in the future.

How important is preventing cloud and code security threats to you?

Let’s start with the level of priority the CTOs give to preventing security threats. Our evidence shows that CTOs give a high level of priority to threat prevention. The average rating is 8.27 (out of 10). 93% of CTOs ranked threat prevention importance 7 or higher. 8 was the most popular response, and 10 was the second-highest choice.

What gets in the way of preventing cloud and code security threats effectively?

As much as CTOs would like to prevent cloud and code security threats, some blockers create obstacles to success. The top three blockers were competing priorities, budget, and complexity.

Figure: What blocks effective security threat prevention? 40% of SaaS CTOs say 'competing priorities in the company'.

Competing priorities

The top response: competing priorities (40%). What does this mean for security challenges? Although the CTOs view security as a high priority, a company has other concerns that are equally or even more important. For example, the race to ship new features versus addressing the security issues those features introduce is the classic cybersecurity balancing act.

‘Since security is often a good long-term investment but has less impact during the day-to-day, it is easy to deprioritize the work.’

Budget constraints

The second blocker was budget constraints (33%). The main challenge lies in proving the ROI that security measures bring to the business. Or, as one CTO puts it, ‘Making the business case for investing in cloud security.’ This can also relate to the day-to-day deprioritization mentioned above.

Complexity

Complexity takes the bronze (27%). The issue here is that there are so many potential threats that prioritizing them becomes burdensome and challenging. This can be overwhelming, and consequently it’s easy to lose sight of the biggest threats.

‘Many scanning solutions can identify mountains of issues for things like open source libraries and their dependencies. It's hard to determine which should be prioritized and which have a real threat in how we use them.’

Figure: The challenge of knowing which security threats to prioritize, and which are even real.

How satisfied are you with your current solutions to prevent code and cloud security threats?

Grade D. The average rating is 6.4, and a third of the CTOs ranked their satisfaction with current solutions at 5 or under. Only 20% were highly satisfied with an 8 or 9, while 0% reported a perfect 10. The key here is to compare this to the much higher level of priority they give to threat prevention. We find a noticeable and worrying gap between importance and satisfaction.

Which other security solutions do you use and what are their flaws?

Current security solutions include a wide range of what’s available on the market. CTOs mentioned 11 products; SonarQube was the most widely used (33%). Beyond that, not more than 13% of CTOs were using the same products at the time of our survey.

Pricing and pricing models

40% of CTOs indicated that the biggest flaw concerns high pricing and pricing models. One CTO reports an astronomically high price tag, ‘paying for software today in the order of six figures.’ Another one questions the long-term viability of pricing by line: ‘Pricing models that follow the number of code lines is a cause of concern for the future.’

False positives

33% flagged up false positives - alerts that erroneously identify a vulnerability or malicious activity. We can all relate to the frustrations here: alert fatigue and wasted resources that come out of false positives.

Further flaws with current solutions

Other flaws include challenges around assessing risk, complex setup and maintenance, no tech stack fit, and limited protection.

One CTO pinpoints the frustrations around the need to employ multiple security solutions:

‘I don't know of any solution that covers multiple scenarios, meaning that my expectation as a CTO would be that the SaaS we currently use for automated security scans of our codebase is surely not going to be the same as a solution that assures compliance with one of our cloud providers.’

What do we learn from what CTOs think about current flaws in security software?

Here’s the main takeaway. CTOs are looking for a one-stop shop for cloud and code security software, featuring:

  • reasonable pricing
  • a lack of false positives
  • a straightforward setup, and
  • hassle-free maintenance.

What are the biggest challenges with securing code and cloud?

Current top challenges for SaaS CTOs are opposition within the company, too much information to deal with, evolving threats, and the complexity of having full coverage.

Internal opposition

40% said the main challenge is internal: a lack of awareness or other priorities means limited resources. This confirms their top two threat prevention blockers mentioned earlier (priorities and budget).

‘The biggest challenge is turning the organizational mindset around and getting them to understand that security is a feature and that we must continuously invest in it.’

Change management is notoriously difficult. And raising awareness to make meaningful changes to attitude and strategy can be even more of an uphill challenge.

Too much noise

Information overload is a real thing. 27% of CTOs report that triaging through the noise is the next biggest challenge. It’s not easy to understand which threats to prioritize or explore, nor how to deal with them. Again, if false positives are in the mix, there will be dead ends, inefficiencies, and misguided labor.

‘There seems to be unlimited data in the logs, but no way to manage what they all mean and by who and how they should be addressed.’

Threat evolution, coverage, and complexity

Threat evolution, coverage, and complexity were ranked as lower-level challenges. However, they still confirm some of the blockers and flaws identified earlier in the survey.

Security threats are not stagnant - they evolve and tend to stay a step ahead of security solutions. This means your vulnerabilities are also evolving, and it may feel a bit like a game of whack-a-mole at times.

‘Attackers are becoming more sophisticated in their methods, and new vulnerabilities are discovered on a regular basis.’

CTOs further pointed out challenges confirming some of the flaws identified with their current solutions. They report receiving incomplete coverage, which creates a false sense of security. And in the security business, that’s just not good enough!

‘While they try to provide a sense of safety, I'm concerned that they are not actually protecting us against the majority of threats.’

Incomplete coverage is linked to the need, or perception of need, for a patchwork of various solutions:

‘There are too many moving parts. From actual initial development systems and software, CICD process to application infrastructure and data repositories, … they do not fit into a holistic security posture solution approach.’

What are CTOs’ desired business outcomes? What matters most to CTOs about cloud and code security?

We asked these two questions to find out what their strategic objectives were and what matters most to achieve those.

Desired outcomes

CTOs ranked the top three strategic outcomes like this:

  1. Protecting brand reputation and customer trust (47%)
  2. Sensitive data is protected, meaning no data breaches (33%)
  3. Being covered for compliance (20%)

What matters most?

And, to achieve these desired outcomes, what mattered most to CTOs was the following (they were allowed to choose more than one option for this question):

  1. Low maintenance (53%)
  2. Reliability / No false positives (40%)
  3. Clear and effective reporting (33%)

Do you notice what we notice? These are similar takeaways to what we learned from the question about current security solution flaws.

Figure: What matters most to achieve strategic outcomes? 53% of CTOs say 'Low maintenance' for their cloud and code security solution.

But what about pricing?

However, compared with the list of flaws, clear and effective reporting replaces reasonable pricing in the list above. So, contradicting the earlier comments and choices about price and budget, only 7% prioritized pricing in this question. What could that mean?

Let’s unpack the pricing perplexity. We interpret this to mean that price is a challenge and a blocker when the security software does not deliver on expectations. But if the security solution is accurate, easy to maintain, and demystifies complexity with straightforward reporting, and in turn helps achieve the higher objectives of protecting brand reputation, creating customer trust, and keeping data safe while meeting compliance standards, then pricing becomes less of a blocker and easier to justify.

The most important features when choosing cloud and code security software

We also asked the SaaS CTOs about which technical features are most important to them. They ranked five statements as follows (scores out of 4):

  1. Cloud Misconfiguration Detection - 3.67 (33% ranked this first)
  2. Open Source Vulnerability Scanning - 3.53 (33% ranked this first)
  3. Secrets Detection (API keys, passwords, certificates, etc.) - 3.53 (over 53% ranked this second)
  4. Static Code Analysis via CI/CD platforms - 2.93
  5. Open Source License Scanning - 1.33 (80% ranked this last)

Which of these security features are the most important for you? Are there others you’d like to see in your security solution?

Want a product that solves your cloud and code security challenges?

Above all, when asked what they’d like to accomplish moving forward, CTOs ranked the following statement the highest:

‘I want to feel completely secure from cloud and code security threats.’

This is music to our ears. Willem, our CTO, struggled with exactly that at his previous companies. That pain point put him on a mission to create the right solution. So that’s precisely what we’re building with Aikido.

Our solution brings together the best-of-breed open-source software security tools. This enables you to cover all the relevant areas. Aikido also shows you which issues and vulnerabilities really matter and which ones you should actually solve. No false positives here!

See for yourself how Aikido can relieve a CTO’s cloud and code security challenges. Take Aikido for a free test drive or get in touch with us.

Written by Felix Garriau

Co-founder / CMO
