Security often gets pushed to "later" in cloud native development as teams rush to ship features, optimize costs, or scale faster. However, incidents like Log4j (an open source library behind the 34% increase in vulnerability exploitation between 2020 and 2021) have shown that "later" usually means crisis mode: late-night calls, patching under pressure, and scrambling to contain the damage.
The truth is that cloud native security is as much about how teams think, collaborate, and prioritize it as it is about tools or compliance checklists. And here lies the real challenge: security is still seen as someone else’s problem. Due to this, 50% of organizations now have critical security debt, with high-severity issues left open for more than one year, according to ITPO. Developers focus on shipping, product managers focus on revenue, and platform engineers juggle complexity, while security risks quietly pile up.
At KubeCon + CloudNativeCon India 2025, I, Sonali Srivastava, brought together a panel of cloud native experts. Ram Iyengar, Bhavani Indukuri, Anusha Hegde, and I took this challenge head-on to spread awareness about prioritizing security. Our message was clear: to build truly resilient systems, security must be everyone’s responsibility, baked into the culture from day one, not bolted on at the end.
In this blog post, we explore how security looks different across roles and why understanding these perspectives is essential for building a security-first organization: from spotting new-age threats like QR phishing to shifting security left in the SDLC and building a culture where accountability replaces blame.
Wake-up Call: New Threats and Everyday Risks
Security threats today evolve faster than awareness. Attack vectors are no longer limited to traditional phishing or endpoint breaches. They are dynamic, social, and increasingly AI-driven.
Emerging Threats Include
Quishing (QR phishing)
Users are tricked into scanning malicious QR codes during daily activities such as payments, restaurant menus, or opening URLs, leading to compromised devices or accounts.
Prompt injection attacks
Attacks targeting LLM-integrated applications that manipulate AI systems into revealing sensitive data.
Jailbreaks
Techniques used to bypass model restrictions or gain elevated access in sandboxed environments.
Dependency confusion attacks
Exploits of package naming conventions to inject malicious code into software supply chains.
Configuration drift exploits
Unsupervised or AI-generated cloud infrastructure changes that introduce unintended vulnerabilities.
The threat landscape is expanding faster than organizational readiness. Security awareness, tooling, and culture must evolve just as quickly, starting with the foundation.
Security Through Different Lenses
Developers’ Lens: Simplicity and Early Detection
Developers are often caught between the pressure to deliver fast and the need to maintain secure practices. Every dependency added, every library imported, and every base image chosen introduces potential risk.
What developers can focus on:
Simplify the stack
Fewer dependencies mean fewer unknowns and a lower vulnerability risk. Question every third-party library.
Use simple base images
Complex images add unnecessary packages that expand the attack surface.
Integrate SBOMs early
Software Bill of Materials (SBOM) generation should be part of the build process, not an afterthought.
Enforce security at the PR stage
Use security linters in IDEs and make vulnerability checks part of standard code reviews.
“You should think of having fewer dependencies when you are trying to choose your base images. That’s where SBOMs are really important.”
— Bhavani Indukuri
A developer’s role is to make choices that minimize the blast radius of failures.
Security Engineers’ Lens: Discipline Over Band-Aids
Security engineers are often perceived as the people who slow things down, but their focus is on preventing recurring issues instead of applying temporary fixes.
What security engineers can focus on:
Treat governance as discipline, not bureaucracy
Standards like Pod Security Standards (PSS) and regulations such as GDPR act as guardrails, not blockers.
Build resilience through prevention
The goal is not just passing audits, but making insecure configurations difficult to deploy.
Establish security gates
Automated checks that block vulnerable code from reaching production must be mandatory.
“There are governances and compliances in place for a reason; it’s like when you used to go to school, you stood in a straight line.”
— Sonali Srivastava
Security engineers create systems where secure behavior is the default.
Product Managers’ Lens: Security as Strategic Investment
Product managers often face pressure to trade security for speed, treating security as tech debt. This framing is flawed. The average time to fix security flaws has increased 47% in five years, from 171 to 252 days, according to ITPO.
What product managers can focus on:
Reframe security as a product feature
Security directly impacts trust, reliability, and brand reputation.
Prioritize security alongside features
Security requirements must be part of feature specs from day one.
Understand different risk types
- Vulnerabilities: Known CVEs in dependencies
- Misconfigurations: Policy violations and access control issues
Use the right tools for visibility
- VEX for vulnerability management
- Policy engines like Kyverno for misconfigurations
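The two risk classes above map directly onto the "security gates" the security engineers' section calls for. The following is an added example, not code from the post or the panel: a minimal pre-deploy gate that drops vulnerability findings covered by a VEX "not_affected" statement and flags a few Pod Security Standards "restricted" violations. The findings, VEX statements, CVE ids and Pod spec are constructed placeholders in a simplified shape, not real scanner or CycloneDX output.

```python
"""Added example: a tiny pre-deploy security gate (constructed data)."""

BLOCKING_SEVERITIES = {"critical", "high"}

# Constructed scanner findings; the CVE ids are placeholders, not real CVEs.
FINDINGS = [
    {"pkg": "libexample", "id": "CVE-0000-0001", "severity": "high"},
    {"pkg": "libexample", "id": "CVE-0000-0002", "severity": "critical"},
    {"pkg": "otherlib",   "id": "CVE-0000-0003", "severity": "medium"},
]

# Constructed VEX statements: only status 'not_affected' suppresses a finding.
VEX = [
    {"id": "CVE-0000-0001", "pkg": "libexample", "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"id": "CVE-0000-0002", "pkg": "libexample", "status": "affected"},
]

# Constructed Pod spec that violates the PSS 'restricted' profile.
POD_SPEC = {"containers": [{"name": "app",
                            "securityContext": {"privileged": True}}]}


def open_vulnerabilities(findings, vex):
    """Findings that still block after VEX is applied (blocking severities only)."""
    suppressed = {(s["pkg"], s["id"]) for s in vex
                  if s.get("status") == "not_affected"}
    return [f for f in findings
            if f["severity"] in BLOCKING_SEVERITIES
            and (f["pkg"], f["id"]) not in suppressed]


def misconfigurations(pod_spec):
    """A few PSS 'restricted' checks; missing fields count as violations."""
    issues = []
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            issues.append(f"{c['name']}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            issues.append(f"{c['name']}: allowPrivilegeEscalation not false")
        if not sc.get("runAsNonRoot"):
            issues.append(f"{c['name']}: runAsNonRoot not set")
    return issues


def gate(findings, vex, pod_spec):
    """True only when no blocking vulnerability and no misconfiguration remain."""
    return not open_vulnerabilities(findings, vex) and not misconfigurations(pod_spec)


if __name__ == "__main__":
    print("deploy allowed:", gate(FINDINGS, VEX, POD_SPEC))
```

A real gate would read CycloneDX or SPDX SBOM and VEX documents and run the full PSS profile; the point here is that both risk classes are evaluated before anything reaches production.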
“You have vulnerabilities which are a whole big class of problems. The other class of problems is misconfigurations.”
— Anusha Hegde
When PMs factor security into roadmaps, it becomes a competitive advantage instead of a scramble.
DevOps and Platform Engineers’ Lens: Infrastructure as the Security Boundary
Platform engineers sit between development velocity and operational stability. Their infrastructure decisions directly shape security posture.
What platform engineers can focus on:
Enforce security through automation
Policies should not rely on manual checks.
Maintain least-privilege access
Regularly audit permissions and rotate credentials.
Manage configuration drift
Use infrastructure-as-code and policy enforcement to prevent unsupervised changes.
Build observability into security
Integrate security metrics into daily dashboards and workflows.
Platform engineers either make security scalable or create gaps attackers exploit.
Leadership’s Lens: Culture and Accountability
Leadership determines whether security is a real priority or a checkbox exercise.
What leaders can focus on:
Allocate time for security
Dedicate sprint capacity to security improvements.
Tie security to customer trust
Security incidents impact users, retention, and revenue.
Celebrate proactive security
Reward teams who prevent issues early.
Make security visible
Review security metrics alongside business metrics.
Foster psychological safety
Encourage reporting issues without blame.
Leadership creates the conditions where security can thrive.
Building a Security-first Culture
Understanding individual perspectives is only the beginning. The real work is weaving them into a shared culture.
Educate and empower
Make security training part of onboarding and continuous learning.
Normalize ownership
Encourage every role to think like a security advocate.
Create feedback loops
Use post-incident reviews as learning tools, not blame sessions.
Make security visible
Integrate security metrics into everyday workflows.
Focus on adaptability
Treat security culture as a strategic asset that evolves with new threats.
A multi-layered defense complements this culture, protecting applications, infrastructure, and organizational boundaries.
Next Step: The Cultural Transformation
The threat landscape continues to evolve. AI-driven attacks, supply chain vulnerabilities, and configuration exploits are becoming more sophisticated. Organizations can only keep up through cultural transformation.
Security must be embedded into daily workflows and maintained through transparency. When security becomes a shared conversation rather than a compliance checkbox, true organizational maturity begins.
Each issue becomes an opportunity to strengthen systems and prevent recurrence. This mindset builds stronger systems and more resilient organizations.
At Improving, trust is at the core of everything we do. Keeping software secure is essential to maintaining that trust. Our consistent focus on security and privacy is why enterprises continue to trust us as one of the leading software consulting providers.