App security is changing with the adoption of cloud-native architectures, DevOps, and agile methodologies, and traditional approaches to app security have fallen by the wayside.
According to a global poll of 700 CISOs conducted by software intelligence firm Dynatrace, this is what the majority of CISOs believe.
In recent years, companies have shifted more and more responsibility “left” to developers, with the aim of fostering innovation. This strategy, however, can increase complexity within IT ecosystems and make it harder to meet deadlines, because it creates blind spots and forces teams to manually sort through countless alerts, many of which are false positives raised against libraries that are not actually used in production. For multi-cloud setups, it has been proposed that an approach combining Kubernetes and DevSecOps is more efficient.
According to the research, 89% of CISOs think microservices, containers, and Kubernetes have produced a lack of visibility into application security.
Real-time visibility into runtime vulnerabilities in containerised production environments is rare: 97% of organisations do not have it.
According to 63% of CISOs, DevOps and rapid development have increased the complexity of managing software vulnerabilities.
Vulnerability scanners no longer fit today’s cloud-native world, according to 74% of CISOs.
Furthermore, over 71% of CISOs concede that they are not certain code is free of vulnerabilities before it is deployed in a live environment.
Bernd Greifeneder, founder and CTO at Dynatrace, explained: “Traditional approaches to application security have been fundamentally undermined by the rising use of cloud-native architectures.”
In other words, we have long predicted that manual vulnerability scans and impact assessments are becoming obsolete, as they are too slow to keep up with the pace of change and innovation in today’s dynamic cloud environments.
With the rise of complex runtime dynamics, continuous delivery, and polyglot software development, risk assessment has become near impossible: internal and external service dependencies, continuous deployments, and third-party technologies all add to the picture. This increased risk leaves stretched teams forced to choose between the benefits of increased speed and security.
On the subject of finding security vulnerabilities, the report found that organisations must deal with, on average, 2,169 new application security warnings each month.
Overall, over 75% of CISOs report that many security warnings turn out to be false positives that do not require follow-up, as they are not true vulnerabilities.
CISOs said that, faced with such a large volume of warnings, prioritising vulnerabilities based on risk and impact becomes tough.
About two-thirds of CISOs think that modern cloud-native application environments require automated approaches to deployment, configuration, and maintenance in order for security to keep pace.
The report adds: “Organizations that adopt DevSecOps should give their teams ongoing risk and impact analysis across both pre-production and production environments, rather than depending on point-in-time snapshots.”
Source: Dynatrace Report