Across all industries, technologists are worried that their organizations are becoming less secure. The shift to cloud native applications and architecture over the past two years has led to a dramatic expansion in attack surfaces, and at the same time, the scale and sophistication of cybercrime threats has increased significantly.
In the latest research from Cisco AppDynamics on the shift to a security approach for the full application stack, 78 per cent of technologists express concern that their organization is vulnerable to a multi-staged security attack that would affect the full application stack over the next 12 months.
While IT departments have steamed ahead with a digital transformation program, using low-code and no-code platforms to accelerate release velocity and build more dynamic applications, security still needs to catch up. As many as 92 per cent of technologists admit that the rush to rapidly innovate and respond to the changing needs of customers and users during the pandemic has come at the expense of robust application security during software development.
The potential consequences of security vulnerabilities are well understood: from slow run times and outages that dent digital experiences and erode customer trust, through to digital transformation initiatives being undermined and, ultimately, loss of revenue.
Encouragingly, technologists are urgently looking to evolve their approaches to application security in order to get to grips with a complex risk landscape and support the shift to modern application stacks. They are looking to implement a security approach for the full application stack, moving to a DevSecOps model where application security is integrated throughout the software development lifecycle, and embracing Artificial Intelligence (AI) and automation to cope with soaring volumes of security threats.
In order to embed this type of robust application security approach within their organizations over the next 12 months, technologists identify six key challenges that they will need to overcome:
- Lack of visibility into attack surfaces and vulnerabilities
More than two-thirds of technologists state that their current security solutions work well in silos but not together, meaning that they can’t get a comprehensive view of their organization’s security posture.
This is why IT teams need to integrate performance and security monitoring to understand how vulnerabilities and incidents could impact end users and the business. Technologists need to be able to understand the code, and everything around it, with continuous detection and prioritization, so that they can detect and block exploits automatically, maximizing speed and uptime while minimizing risk.
- Difficulties prioritizing threats based on severity, impact and business context
IT teams are being bombarded with security alerts from across the application stack and they have no way to cut through this data noise to understand which alerts really could do most damage. As a result, more than half of IT departments find themselves in ‘security limbo’ because they don’t know what to focus on and prioritize.
Business transaction insights are vital to help IT teams measure the importance of threats and prioritize them using severity scoring. These scores factor in the context of the threat, so technologists can see which issues are likely to affect a business-critical area of the environment or application.
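One way to turn raw severity scores into the context-aware ranking described above, as an added example (not AppDynamics code): each alert's base severity is scaled by an assumed business-transaction tier weight, by whether the vulnerable code path is actually reachable at runtime, and by internet exposure. The tier weights, multipliers, field names and sample alerts are all constructed for illustration.

```python
"""Context-weighted alert prioritization (added example, constructed data)."""
from dataclasses import dataclass

# Assumed weights per business-transaction tier (constructed for illustration).
TIER_WEIGHT = {"critical": 1.0, "important": 0.6, "internal": 0.3}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    cvss: float            # base severity, 0.0-10.0
    transaction: str       # business transaction the component serves
    tier: str              # criticality tier of that transaction
    reachable: bool        # vulnerable code path observed executing at runtime
    internet_facing: bool  # component reachable from outside the private network


def contextual_score(a: Alert) -> float:
    """Scale base severity by business context and exposure; capped at 10."""
    if not 0.0 <= a.cvss <= 10.0:
        raise ValueError(f"{a.alert_id}: CVSS out of range")
    score = a.cvss * TIER_WEIGHT.get(a.tier, 0.3)  # unknown tier treated as internal
    if not a.reachable:
        score *= 0.25  # still tracked, but sharply down-weighted
    if a.internet_facing:
        score *= 1.25
    return min(score, 10.0)


def prioritize(alerts):
    """Return (alert_id, score) pairs, highest contextual score first."""
    ranked = sorted(alerts, key=lambda a: (-contextual_score(a), a.alert_id))
    return [(a.alert_id, contextual_score(a)) for a in ranked]


# Constructed sample alerts: by raw CVSS alone, A-1 would sit at the top.
SAMPLE_ALERTS = [
    Alert("A-1", 9.6, "batch-report", "internal", reachable=False, internet_facing=False),
    Alert("A-2", 7.4, "checkout", "critical", reachable=True, internet_facing=True),
    Alert("A-3", 6.1, "account-login", "critical", reachable=True, internet_facing=True),
    Alert("A-4", 8.1, "inventory-sync", "important", reachable=True, internet_facing=False),
]

if __name__ == "__main__":
    for alert_id, score in prioritize(SAMPLE_ALERTS):
        print(f"{alert_id}: {score:.2f}")
```

The unreachable, internal-only alert with the highest CVSS drops to the bottom, while the internet-facing checkout finding moves to the top.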
- Discovery and protection of sensitive data
Many technologists are now losing control of where data sits within their application portfolios, with application components running across multi-cloud environments and on-premises databases.
This opens up visibility gaps and increases the risk of a major security event, given the volumes of customer data which exist within many of these applications.
Technologists, therefore, need to implement runtime application self-protection (RASP), which provides visibility from inside apps so they can be secured wherever they live and however they are deployed. Validating data requests directly inside the app helps to prevent vulnerabilities from being exploited and provides threat intelligence that identifies attacks down to the code level. Developers can have targeted insight into their application environments that allows them to respond to threats at scale – in containers, on-premises, or in the cloud.
- Difficulties keeping up with a rapidly changing application security landscape
Overall, as many as 83 per cent of technologists report that it is now a challenge to keep up with emerging threats. Attack surfaces are growing exponentially due to the rapid deployment of the Internet of Things (IoT) and connected devices, and the adoption of microservice-based application architectures. New hybrid working models have also exposed new vulnerabilities for organizations in all sectors.
In response, technologists need to lean on partners for data and insights into new security threats and to map these threats against their own organization’s security posture.
- Difficulties balancing speed, application performance and security
Security is still viewed as an inhibitor of innovation within many organizations and, with release velocity the overriding priority, security teams have been cut out of the application development process until the very end of the development pipeline.
Traditionally, DevOps and SecOps teams have worked in silos, often with little understanding or appreciation of one another’s role. Indeed, only 24 per cent of IT departments currently see regular and ongoing collaboration between developers and security professionals.
With a DevSecOps approach, application security and compliance testing are integrated throughout the software development lifecycle, rather than being an afterthought at the end of the development pipeline. It makes security a shared responsibility across teams and encourages developers to prioritize security issues at every stage of the application lifecycle.
DevSecOps involves significant cultural change – technologists need to put aside entrenched mindsets and embrace a more collaborative way of working, as well as develop new skills and knowledge outside of their own specific discipline.
However, it’s incredibly worthwhile. A DevSecOps approach makes life a lot easier and less stressful for everyone in the IT department!
- Volume of security threats and alerts
Many technologists feel overwhelmed by the volume of security threats and vulnerabilities to their organization. IT departments simply haven’t got enough time in the day to identify and analyze the number of threats they now face.
AI and Machine Learning (ML) are now essential to identify gaps, predict vulnerabilities and automate processes to remediate any security holes. As bad actors ramp up their use of AI and ML, it’s vital that enterprise security teams don’t fall behind. Indeed, more than three quarters of technologists believe that AI will play an increasingly important role in addressing the challenges around speed, scale and skills that their organization faces in application security.
Organizations simply can’t afford to neglect application security any longer. It needs to be treated as a critical element of the application lifecycle and the foundation for organizations to deliver agile development and accelerated innovation.
Technologists must therefore do all they can to overcome the challenges they face, and ensure they have the tools, insights and structures they need to adopt a security approach for the full application stack.