The increased use of cloud-native architectures, DevOps, and agile processes has shattered traditional approaches to application security, according to an independent global survey of 700 CISOs, commissioned by software intelligence company Dynatrace.
Increasingly complex IT ecosystems and antiquated security technology can hinder releases by exposing blind spots and forcing teams to manually triage innumerable alarms, many of which would be false positives indicating vulnerabilities in libraries that are not utilized in production.
This research reveals the following:
- 89% of CISOs say microservices, containers, and Kubernetes have created application security blind spots
- 97% of organizations do not have real-time visibility into runtime vulnerabilities in containerized production environments
- Nearly two-thirds (63%) of CISOs say DevOps and Agile development have made it more difficult to detect and manage software vulnerabilities
- 74% of CISOs say traditional security controls such as vulnerability scanners no longer fit today’s cloud-native world
- 71% of CISOs admit they are not fully confident code is free of vulnerabilities before going live in production
Organizations are requesting a new method that is designed for multicloud, Kubernetes, and DevSecOps settings, says Dynatrace.
“The increased use of cloud-native architectures has fundamentally broken traditional approaches to application security,” said Bernd Greifeneder, Founder and Chief Technology Officer at Dynatrace. “This research confirms what we’ve long anticipated: manual vulnerability scans and impact assessments are no longer able to keep up with the pace of change in today’s dynamic cloud environments and rapid innovation cycles. Risk assessment has become nearly impossible due to the growing number of internal and external service dependencies, runtime dynamics, continuous delivery, and polyglot software development which uses an ever-growing number of third-party technologies. Already stretched teams are forced to choose between speed and security, exposing their organizations to unnecessary risk.”
Additional findings of the global survey of 700 CISOs include:
- On average, organizations need to react to 2,169 new alerts of potential application security vulnerabilities each month
- 77% of CISOs say most security alerts and vulnerabilities are false positives that do not require actioning as they are not actual exposures
- 68% of CISOs say the volume of alerts makes it very difficult to prioritize vulnerabilities based on risk and impact
- 64% of CISOs say developers do not always have time to resolve vulnerabilities before code moves into production
- 77% of CISOs say the only way for security to keep up with modern cloud-native application environments is to replace manual deployment, configuration, and management with automated approaches
- 28% of CISOs say application teams sometimes bypass vulnerability scans to speed up software delivery
“As organizations embrace DevSecOps, they also need to give their teams solutions that offer automatic, continuous, and real-time risk and impact analysis for every vulnerability, across both pre-production and production environments, and not based on point-in-time ‘snapshots’,” added Mr. Greifeneder. “With the Application Security Module on the Dynatrace Software Intelligence Platform, organizations can leverage the automation, AI, scalability, and enterprise-grade robustness of Dynatrace, and extend this to deliver more secure release cycles with confidence their cloud-native applications are free from exposures.”
Dynatrace in 2021 commissioned Coleman Parkes to undertake this global study of 700 CISOs in enterprises with over 1,000 employees. The sample included 200 respondents from the United States, 100 from the United Kingdom, France, Germany, and Spain, and 50 each from Brazil and Mexico.