 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
A few months ago, my colleague wrote an article highlighting some of the reasons traditional application security was overdue for an upgrade. The challenges detailed in that article remain top-of-mind for organizations around the world. Today’s cloud native applications are so complex and dynamic that traditional approaches to application security and vulnerability management just can’t keep up. This gap is increasingly putting organizations at a security risk. Now, new research highlights just how much more challenging this situation has become for DevSecOps teams.
As microservices, containers, Kubernetes, open source software and Agile development have become integral to organizations’ technology stacks and production pipelines, CISOs say these technologies and practices have created new blind spots in application security. Existing security tools weren’t designed for modern cloud environments, which are significantly more complex and dynamic than traditional compute environments. Consequently, it has become more difficult to detect and manage software vulnerabilities – so much so that 71% of CISOs surveyed in the new research say that when they move code into production, they aren’t confident the code is free of vulnerabilities. That’s not surprising when you consider that just 3% of the CISOs said they have real-time visibility into runtime vulnerabilities. The vast majority simply don’t know the extent of potential vulnerabilities in the code their teams put into production.
Because traditional application security tests and risk assessments can’t keep up with the pace of modern cloud environments and the rapid innovation cycles of DevOps teams, precise risk assessment has grown virtually impossible. This is due to a combination of factors that are becoming even more prevalent:
The research also highlights the degree to which DevSecOps teams are forced to manually triage a blizzard of security alerts, many of which are false positives — vulnerabilities that are present in the source code, but not actually used in production.
On average, organizations receive 2,169 new security vulnerability alerts per month, with 77% of CISOs identifying most of these alerts as false positives that don’t require action and aren’t actual vulnerabilities. Sorting through these false positives consumes the precious time and attention of security teams. Even worse, more than two-thirds of CISOs told us that it is hard to prioritize vulnerabilities based on their potential risk and impact. So not only are teams forced to deal with a high volume of alerts, they don’t even know which ones are the most pressing to tackle and which are unimportant.
Because manual tools and workflows are too slow, developers are asked to make a frustrating choice between speed and security. Business needs often drive teams to prioritize speed, but this choice exposes both the organization and its customers to unnecessary risk. When 28% of CISOs say their app developers are sometimes bypassing vulnerability scans to deliver software faster and 64% say that developers don’t always have time to resolve vulnerabilities before moving code into production, it is clear that a majority of organizations are exposing themselves to unnecessary risk.
The best way for DevSecOps to get these problems under control — and more importantly, create a viable, long-term, and future-proofed approach to vulnerability management — is to adopt a completely automated application security system that is designed specifically for today’s fast-paced cloud native environments.
To modernize and automate their approach to application security, DevSecOps teams should begin to focus on several key priorities:
DevSecOps teams will only be able to ensure that cloud native applications are secure if they have the means to identify and assess the precise impact of actual runtime vulnerabilities occurring in their production environments as they occur. The best way to address the false positive problem that plagues existing application security tools that operate on static source code is to adopt a runtime approach that is informed by real-time information from your production environment. By leveraging automatic, broad-spectrum observability with context-driven analysis across the full software development lifecycle, teams can instantly identify the vulnerability alerts that matter, based on actual exposure and business impact.
Automating DevSecOps processes and eliminating manual work helps teams eliminate blind spots and false positives, prioritize the vulnerability alerts that expose actual risk and reduce reliance on slow, manual security tests. All of this adds up to more precise answers on the cause, nature and impact of vulnerabilities in real-time.
DevSecOps shouldn’t be asked to choose between speed and security. Automated application security that is deployed into dynamic, containerized cloud native stacks and provides continuous, automatic coverage ensures that teams don’t have to make that false choice — and can instead drive innovative release cycles that are both faster and more secure.
