New cloud-native solution aims to address time-consuming, manual methods for discovering and mapping application code security risks.

Backslash Security has announced its launch with a new cloud-native application security (AppSec) solution designed to identify toxic code flows and automate threat models. The solution is built to address time-consuming and manual methods for discovering and mapping application code risks, along with filling the cloud-native context gaps left by traditional static application security testing (SAST) tools, Backslash stated.

Organizations are embracing the cloud and cloud-native application development, with the percentage of large businesses that deploy code to production daily expected to increase from 5% in 2021 to 70% in 2025, according to IDC research. Meanwhile, AppSec teams face ongoing challenges in keeping pace with their fast-paced development counterparts.

Backslash helps AppSec teams reduce false positive alerts and alert fatigue

The Backslash solution provides AppSec teams with security insights and business context surrounding code risks, tracking the security posture of different applications and teams involved, the vendor said. Through unified visual mapping of threat models and application posture, AppSec teams can reduce false positive alerts and alert fatigue, cutting mean time to recovery (MTTR) by enabling developers with the evidence they need to take ownership of the process, Backslash added.
The firm said the solution offers:

- Contextual visibility that empowers AppSec teams with automatic discovery and mapping of cloud-native application code and its dependencies via contextual visual dashboards, without the need to read or understand the underlying code
- Automatic threat model visualization that maps and serves up preferred threat models
- Automatic high-risk code prioritization informed by application cloud posture in production
- Quick-fix remediation that simplifies vulnerability and risk remediation with automated risk identification
- Scale by policy alignment that frees up AppSec teams to set and enforce optimal cloud-native security policies and cuts the time and resources needed to chase code issues

Traditional AppSec methods create friction between developers, security teams

Friction can arise between developers and security teams because traditional AppSec methods are disruptive to cloud-native development, commented Melinda Marks, senior industry analyst at ESG. “Developers need an accurate way to efficiently identify and fix code issues in their workflows without being overwhelmed by alerts or false positives, while security needs a scalable way to manage risk,” she added. Brian Fielder, general manager, CTO enterprise security at Microsoft, echoed similar sentiments. “AppSec teams are struggling as companies rapidly shift to cloud-based deployment environments, because the traditional solutions just aren’t keeping up.”

Problems are compounded by AppSec tools that produce an excessive number of low-value alerts, leading to an overwhelming amount of noise and security false positives. What’s more, security teams spend upwards of 25 minutes investigating each one and, due to the volume, cost, and time involved, almost a quarter of alerts are simply ignored.
The Backslash solution addresses such challenges by using the properties of the stack and modern development environments to give security teams the context they need to support development as it scales, Marks said.

Tailoring cybersecurity training to developers to tackle risks

Aside from investing in more effective AppSec and developer-focused security technologies, another approach security leaders support is to tailor security awareness training to software developers to help address a lack of cohesion between software development teams and cybersecurity functions. Security awareness training has, for a long time, failed developers, Tiffany Ricks, CEO and founder of automated security and awareness training provider HacWare, previously told CSO. “The tricky thing about security training for developers is it has to be relevant content, at the right time, to promote innovation.”

Legacy, classroom-based approaches don’t engage developers or impart the knowledge required to match the fast-paced threat landscape and dynamic technology fundamentals of the software development lifecycle, whilst 81% of developers have knowingly released vulnerable applications, according to an Immersive Labs report.