CISOs Agree That Traditional Application Security Measures Don't Work

Nearly three-quarters (71%) of CISOs aren’t confident that code in cloud-native architectures is free of vulnerabilities before it goes into production, according to new research from Dynatrace.

The software intelligence firm polled 700 global security chiefs in large enterprises with over 1,000 employees to better understand their concerns over microservices, containers, and Kubernetes in development.

Some 89% claimed that the use of these technologies had created dangerous application security blind spots.

These challenges appear to be compounded by time-to-market pressures and by existing tools and processes that are not fit for purpose in the new cloud-native era.

Over two-thirds (68%) of CISOs said the sheer volume of alerts coming through makes it difficult to prioritize. On average, their teams receive 2,169 flags about potential application security vulnerabilities each month, most of which are false positives, the research claimed.

Over a quarter (28%) said development teams sometimes bypass vulnerability checks to speed up delivery, while three-quarters (74%) said traditional scanning tools and other legacy security controls don’t work in today’s environments.

Bernd Greifeneder, founder and CTO of Dynatrace, argued that the growing use of cloud-native architectures had broken traditional approaches to app security.

“This research confirms what we’ve long anticipated: manual vulnerability scans and impact assessments are no longer able to keep up with the pace of change in today’s dynamic cloud environments and rapid innovation cycles,” he added.

“Risk assessment has become nearly impossible due to the growing number of internal and external service dependencies, runtime dynamics, continuous delivery, and polyglot software development, which uses an ever-growing number of third-party technologies. Already stretched teams are forced to choose between speed and security, exposing their organizations to unnecessary risk.”

Most CISOs questioned for the research agreed that more automation of deployment, configuration and management was needed.

“As organizations embrace DevSecOps, they also need to give their teams solutions that offer automatic, continuous, and real-time risk and impact analysis for every vulnerability, across both pre-production and production environments, and not based on point-in-time snapshots,” said Greifeneder.

What’s hot on Infosecurity Magazine?