In early 2023 we surveyed 300 CISOs, AppSec managers and AppSec engineers at enterprise organizations with mature cloud-native app development environments. We wanted to explore how the state of application security has evolved given the rise of cloud-native application development. The data reveals some interesting insights. Let’s dive in.
According to data from our new survey report, "Breaking the Catch-up Cycle: The New Cloud-Native AppSec Paradigm," organizations are deploying cloud-native applications faster than ever. Unsurprisingly AppSec teams are struggling to keep up as they are hampered by tools that can't manage the complexities of cloud-native architectures or move as quickly as modern software delivery cycles. This means that the typical application security team spends most of its time chasing vulnerabilities, rather than being proactive. That work leaves little capacity for investing in other key application security practices, such as static and dynamic application security testing.
But don't just take our word for it. Read on for key data points from the survey that highlight the need for a new take on AppSec.
Before diving into the specifics of modern security practices, let's talk about the state of the AppSec landscape in general.
Firstly, any Dev will tell you that cloud-native application development has skyrocketed in popularity. O'Reilly reports that more than two-thirds of businesses are already using cloud-native deployment technologies, like containers and serverless, or are on their way to doing so.
On top of this, software delivery cycles are faster than ever. According to our survey findings, 47% of respondents indicated that they deploy code to production on a daily basis, while 29% mentioned pushing code to production multiple times each day.
So, what does this mean? Put simply, the typical organization is delivering significantly more complex code on a significantly more rapid basis than just a few years ago.
Cloud-native technologies and fast delivery cycles are great for developers. They make it possible to deploy more agile and scalable applications quickly. They're also good for users, who benefit from faster introduction of new features.
But from a security perspective, the current state of software delivery presents significant challenges – ones that traditional AppSec tools are struggling to meet. Most commonly used code security tools were designed before the cloud-native age, and they lack the ability to understand the complete context of cloud-native environments.
Worse, traditional AppSec tools have a tendency to produce a high volume of low-value alerts – about half of which are false positives, according to ESG. That translates to a lot of distraction for AppSec teams, who struggle to identify and prioritize real security risks – and who therefore can't keep pace with fast-moving application delivery chains.
Think about it: If you're pushing new code into production on a daily basis but your AppSec tools are firing off hundreds of alerts per day, how are you ever going to deem your new code secure before it's deployed into a user-facing environment? There are just too many alerts and too little time to manage them all.
As a result, AppSec teams that work with traditional AppSec tools are faced with a pretty dismal set of choices: Either they can ask development teams to delay releases while they sort through all of the alerts. That's bad because it idles development operations. It also means that users have to wait longer to receive application updates. This has led to a situation where 94% of respondents in our survey report multiple grievances with today’s tools.
Alternatively, AppSec teams can give the greenlight to a new release before they manage all of the security alerts. That, of course, creates a serious risk of pushing out code that can potentially contain security vulnerabilities and suffering a breach as a result.
The reality of the unhappy situation that modern AppSec teams face is borne out by our survey, which shows that:
This is just a sampling of the survey data, but these numbers highlight just how much AppSec teams are struggling to keep up with fast-moving delivery cycles and complex application architectures.
Cloud-native architectures have changed the AppSec game by blurring the boundaries between application and cloud infrastructure. Meanwhile, continuous software delivery cycles are forcing teams to move more quickly than ever. Put together, these challenges are a recipe for headache. This is especially true if you depend on traditional AppSec tools that were not designed with today's realities in mind.
That's why businesses need to rethink the way they handle application security. They must approach AppSec using a unified set of tools that can effectively address security risks that span both applications and infrastructure. They also need tools that minimize false positives that make it easy to recognize high-risk alerts.
That's precisely what Backslash is designed to do. Backslash helps AppSec teams to operate more intelligently and effectively. It also reduces the time they waste on low-value alerts, making it possible to squash security issues within hours, not days or weeks.
The result? AppSec teams will be liberated from mundane tasks such as sifting through extensive alert volumes. Developers experience increased satisfaction due to the elimination of release delays caused by sluggish security operations. And users also benefit from expedited, fortified releases, leading to enhanced satisfaction.
Einstein famously said “Insanity is doing the same thing over and over and expecting different results.” Yet this is precisely what we do when it comes to the traditional AppSec approach. It’s time for that to change - It’s time to bet on Application Security Posture Management. Are you ready to take the leap? Then contact us today.