Accelerated innovation is now mission-critical but it must not come at the expense of security
Across all industries, rapid digital transformation is now essential to meet constantly changing customer needs and to enable hybrid work at scale on a sustainable basis. Since the start of the pandemic, application development and release velocity has skyrocketed, and it shows no signs of slowing down.
However, as many organizations are now realizing, application security simply hasn’t kept pace. In the latest research from Cisco AppDynamics, The shift to a security approach for the full application stack, 92% of technologists admit that rapid innovation during the pandemic has come at the expense of robust application security. More and more technologists are expressing grave concerns that their applications are increasingly vulnerable to emerging cybersecurity threats.
The shift to multi-cloud and hybrid environments means that application components are now running on a mix of platforms and on-premise databases, and this has led to a massive expansion in attack surfaces. IT teams are faced with major visibility gaps across highly dynamic and fragmented IT estates, and this is increasing the risk of a security event. Nobody needs reminding of the potential consequences of this – we’ve seen too many examples of businesses that have experienced a serious security breach and, as a result, suffered loss of customers, revenue and reputation.
The transition to cloud-native technologies has exposed the shortcomings of traditional approaches to application security, where security is often overlooked until the very end of the production pipeline and security teams operate in isolation, separate from development and operations teams within the IT department. The move to low-code and no-code platforms has also highlighted the limitations of siloed security solutions, which are unable to cut through data noise to identify which security issues pose the greatest threat.
IT teams need to address this growing challenge as a matter of urgency, to avoid a worst-case scenario becoming reality. And this means integrating security at every stage of the application lifecycle from the very outset, ensuring all IT teams have unified visibility across multi-cloud and hybrid environments and leveraging the power of automation and AI to identify and remediate issues.
Modern application environments are expanding attack surfaces
The research finds that 89% of organizations have experienced an expansion in their attack surfaces over the last two years, and 46% state that this is already presenting challenges.
There are a wide range of factors that are causing this expansion in attack surfaces, including increased deployment of Internet of Things (IoT) and connected devices, new hybrid working models and rapid cloud adoption. Undoubtedly, the move to microservices-based application architectures is opening applications up to new and more varied vulnerabilities. The sheer volume of applications spread across multiple entities is making monitoring security throughout the DevOps pipeline extremely difficult.
Technologists are struggling to manage soaring complexity and overwhelming data noise
The major challenge for most IT teams is that they don’t have adequate visibility into these enlarged attack surfaces to identify and address vulnerabilities. Two thirds of technologists report that their current security solutions work well in silos but not together, meaning that they can’t generate a unified or comprehensive view of their organization’s security posture.
Security teams are being bombarded with alerts from across the application stack but they can’t cut through the data noise to assess the risk level of security issues. They’re unable to prioritize remediation based on potential impact to customers and the business. Technologists are stuck on the back foot, feeling overwhelmed by new security vulnerabilities and threats. In fact, more than half of all technologists admit that they end up in ‘security limbo’ because they don’t know where to focus their resources.
Embracing DevSecOps and an integrated approach to application
Evidently, IT teams need to adopt a new approach to application security, firstly to avoid a potentially crippling security breach and, secondly, to establish the foundations for a more sustainable approach to digital transformation. Technologists simply have to tighten up their security processes in order to maximize the benefits of the switch to modern application stacks.
The starting point for this needs to be the adoption of a DevSecOps approach, with much closer collaboration between development, ITOps and SecOps teams. DevSecOps integrates application security and compliance testing throughout the software development lifecycle, rather than security only being considered at the very end.
DevSecOps ensures that robust security is embedded into every line of code, delivering more secure applications and more seamless security management, before, during and after release. Importantly, DevSecOps challenges and breaks the perception that security must always be an inhibitor of innovation. When DevSecOps processes are working properly, they don’t slow down release velocity, they just lead to better products.
Huge numbers of organizations are now shifting to this new approach, with IT teams recognizing that the shift is vital to protect against a multi-staged security attack on the full application stack. Technologists are embracing this cultural change, working alongside other IT teams and broadening their knowledge and skill sets.
But beyond new ways of working, DevSecOps also requires the implementation of holistic monitoring systems which leverage Artificial Intelligence (AI) and Machine Learning technologies to handle the volumes of security threats that IT teams are encountering across an expanded attack surface.
Automation is essential to identify weaknesses, predict future vulnerabilities and remediate issues. IT teams can teach AI tools to identify threats and resolve them independent of an admin, and this reduces human error, increases efficiency, and delivers greater agility in development. The benefits of AI within security for technologists, their teams and their organizations are truly game-changing. In fact, 76% of technologists believe that AI will play an increasingly important role in addressing the challenges around speed, scale and skills that their organization faces in application security.
Encouragingly, most technologists now recognize the need for a security approach for the full application stack that delivers complete protection for their applications, from development through to production, across code, containers and Kubernetes. Alongside this, IT teams are looking to integrate performance and security monitoring with business transaction insights to understand how vulnerabilities and incidents could impact end users and the business. This will enable them to make smarter decisions and focus their efforts in the right places – namely those threats that have the potential to damage a business-critical area of the environment or application.
As organizations continue to transition to multi-cloud and hybrid environments to support their digital transformation goals, application security can no longer be overlooked. It must be approached as a core focus throughout the application lifecycle and the foundation for sustainable innovation.