4 Key Priorities for Automating Application Security
A few months ago, my colleague wrote an article highlighting some of the reasons traditional application security was overdue for an upgrade. The challenges detailed in that article remain top-of-mind for organizations around the world. Today’s cloud native applications are so complex and dynamic that traditional approaches to application security and vulnerability management just can’t keep up. This gap is increasingly putting organizations at a security risk. Now, new research highlights just how much more challenging this situation has become for DevSecOps teams.
Traditional Application Security Tools a Poor Fit Today
As microservices, containers, Kubernetes, open source software and Agile development have become integral to organizations’ technology stacks and production pipelines, CISOs say these technologies and practices have created new blind spots in application security. Existing security tools weren’t designed for modern cloud environments, which are significantly more complex and dynamic than traditional compute environments. Consequently, it has become more difficult to detect and manage software vulnerabilities – so much so that 71% of CISOs surveyed in the new research say that when they move code into production, they aren’t confident the code is free of vulnerabilities. That’s not surprising when you consider that just 3% of the CISOs said they have real-time visibility into runtime vulnerabilities. The vast majority simply don’t know the extent of potential vulnerabilities in the code their teams put into production.
Because traditional application security tests and risk assessments can’t keep up with the pace of modern cloud environments and the rapid innovation cycles of DevOps teams, precise risk assessment has grown virtually impossible. This is due to a combination of factors that are becoming even more prevalent:
- Rapid software release cycles.
- Use of open source software, which frequently contains security vulnerabilities.
- Use of containers, which spin up and down rapidly and are relatively opaque to traditional runtime security controls.
- Use of microservices, which involve many dependencies and communication paths, often spanning multiple cloud boundaries.
Teams are Drowning in Vulnerability Alerts and False Positives
The research also highlights the degree to which DevSecOps teams are forced to manually triage a blizzard of security alerts, many of which are false positives — vulnerabilities that are present in the source code, but not actually used in production.
On average, organizations receive 2,169 new security vulnerability alerts per month, with 77% of CISOs identifying most of these alerts as false positives that don’t require action and aren’t actual vulnerabilities. Sorting through these false positives consumes the precious time and attention of security teams. Even worse, more than two-thirds of CISOs told us that it is hard to prioritize vulnerabilities based on their potential risk and impact. So not only are teams forced to deal with a high volume of alerts, they don’t even know which ones are the most pressing to tackle and which are unimportant.
Because manual tools and workflows are too slow, developers are asked to make a frustrating choice between speed and security. Business needs often drive teams to prioritize speed, but this choice exposes both the organization and its customers to unnecessary risk. When 28% of CISOs say their app developers are sometimes bypassing vulnerability scans to deliver software faster and 64% say that developers don’t always have time to resolve vulnerabilities before moving code into production, it is clear that a majority of organizations are exposing themselves to unnecessary risk.
The best way for DevSecOps to get these problems under control — and more importantly, create a viable, long-term, and future-proofed approach to vulnerability management — is to adopt a completely automated application security system that is designed specifically for today’s fast-paced cloud native environments.
4 Priority Areas for Modernizing Application Security
To modernize and automate their approach to application security, DevSecOps teams should begin to focus on several key priorities:
- Emphasize runtime visibility: 50% of CISOs say they are most worried about vulnerability exposure during an application’s runtime phase, where attacks are most likely to occur.
- Merge vulnerability testing tools with observability solutions: Modern observability solutions are uniquely capable of providing contextual data, such as the connections microservices are making, something that 89% of CISOs say would make risk assessment more automated and more accurate.
- Ensure real-time visibility into security issues across your entire software lifecycle, preproduction and production: 90% of CISOs believe this would make it easier to deliver new releases quickly without compromising security.
- Ensure that all security testing has been 100% automated, so developers can’t miss steps: This includes automatic and continuous analysis of applications, libraries and code at runtime, in both production and pre-production environments. 77% of CISOs believe this would ensure that application security can better keep pace with modern cloud native environments.
DevSecOps teams will only be able to ensure that cloud native applications are secure if they have the means to identify and assess the precise impact of actual runtime vulnerabilities occurring in their production environments as they occur. The best way to address the false positive problem that plagues existing application security tools that operate on static source code is to adopt a runtime approach that is informed by real-time information from your production environment. By leveraging automatic, broad-spectrum observability with context-driven analysis across the full software development lifecycle, teams can instantly identify the vulnerability alerts that matter, based on actual exposure and business impact.
Automating DevSecOps processes and eliminating manual work helps teams eliminate blind spots and false positives, prioritize the vulnerability alerts that expose actual risk and reduce reliance on slow, manual security tests. All of this adds up to more precise answers on the cause, nature and impact of vulnerabilities in real-time.
DevSecOps shouldn’t be asked to choose between speed and security. Automated application security that is deployed into dynamic, containerized cloud native stacks and provides continuous, automatic coverage ensures that teams don’t have to make that false choice — and can instead drive innovative release cycles that are both faster and more secure.