The rising adoption of cloud-native architectures, DevOps and agile methodologies has broken traditional approaches to application security.
This is according to an independent global survey of 700 CISOs commissioned by Software intelligence firm Dynatrace.
As organizations shift more responsibility ‘left’ to developers to accelerate innovation, increasingly complex IT ecosystems and outdated security tooling can slow releases by leaving blind spots and forcing teams to manually triage countless alerts – many of which are false positives reflecting vulnerabilities in libraries that are not used in production. Organizations are calling for a new approach that is optimized for multi-cloud environments, Kubernetes and DevSecOps, according to Dynatrace.
The company’s research has revealed that 89% of CISOs say microservices, containers and Kubernetes have created application security blind spots.
97% of organisations do not have real-time visibility into runtime vulnerabilities in containerised production environments.
Nearly two-thirds (63%) of CISOs say DevOps and agile development have made it more difficult to detect and manage software vulnerabilities.
74% of CISOs say traditional security controls, such as vulnerability scanners, no longer fit today’s cloud-native world.
And 71% of CISOs admit they are not fully confident code is free of vulnerabilities before going live in production.
Bernd Greifeneder, founder and CTO at Dynatrace, said: “The increased use of cloud-native architectures has fundamentally broken traditional approaches to application security.
“This research confirms what we’ve long anticipated: manual vulnerability scans and impact assessments are no longer able to keep up with the pace of change in today’s dynamic cloud environments and rapid innovation cycles.
“Risk assessment has become nearly impossible due to the growing number of internal and external service dependencies, runtime dynamics, continuous delivery, and polyglot software development which uses an ever-growing number of third-party technologies. Already stretched teams are forced to choose between speed and security, exposing their organisations to unnecessary risk.”
The study also found that, on average, organisations need to react to 2,169 new alerts of potential application security vulnerabilities each month.
77% of CISOs say most security alerts and vulnerabilities are false positives that do not require actioning as they are not actual exposures.
68% of CISOs say the volume of alerts makes it very difficult to prioritise vulnerabilities based on risk and impact.
77% of CISOs say the only way for security to keep up with modern cloud-native application environments is to replace manual deployment, configuration, and management with automated approaches.
Greifeneder. Added: “As organizations embrace DevSecOps, they also need to give their teams solutions that offer automatic, continuous, and real-time risk and impact analysis for every vulnerability, across both pre-production and production environments, and not based on point-in-time ‘snapshots’”