CISOs Say Application Security is Broken

Nearly three-quarters of CISOs aren’t confident that code in cloud-native architectures is free of vulnerabilities before it goes into production, according to research from Dynatrace.

The report, based on a global survey of 700 CISOs in large enterprises with over 1,000 employees, was conducted by Coleman Parkes and revealed 89% of CISOs think microservices, containers and Kubernetes have created application security blind spots.

In addition, nearly all (97%) of organizations surveyed do not have real-time visibility into runtime vulnerabilities in containerized production environments, and nearly two-thirds (63%) of CISOs surveyed said DevOps and Agile development have made it more difficult to detect and manage software vulnerabilities.

“Whenever you introduce frequent change, you introduce the opportunity for new vulnerabilities or misconfigurations to occur,” said Douglas Murray, CEO at Valtix, a provider of cloud-native network security services. “Because of how frequently teams deploy and update software in the Agile and DevOps world, security teams must approach the problem differently.”

This starts with deploying security policy and network segmentation that can at least reduce the blast radius if a newly introduced vulnerability is exploited.

Application Security Best Practices

Murray explained that vulnerability management best practices, application security and posture management can supplement those controls by performing detailed vulnerability assessments at critical release points.

“CISOs need to look at security best practices in the new cloud world with emphasis on training their IT organizations to understand the nuances so that they can understand and make sure that security is moving at the speed of the cloud and working hand-in-hand with the app teams,” he said.

In fact, 74% of the CISOs surveyed in the Dynatrace report say traditional security controls such as vulnerability scanners no longer fit today’s cloud-native world, and 71% admitted they were not fully confident code is free of vulnerabilities before going live in production.

Setu Kulkarni, vice president of strategy at WhiteHat Security, a provider of application security, said one of the problems is organizations do not prioritize continuous testing of digital systems and applications in production; doing a point-in-time penetration test is not the answer.

“While the digital systems and applications may not change from a day-to-day point of view, the threat landscape continues to evolve at a rapid pace and the incentives for malevolent actors to gain access to private data continue to rise unabated as more of the population comes online,” he said.

That means CISOs must prioritize continuous assessment of their in-production attack surface across all things digital and then put in place strategies to test these systems in production.

At the same time, they need to be prepared for cybersecurity incidents with a robust incident response (IR) plan in place and a workforce that is trained in executing that IR plan.

“Organizational IT security and CISOs need to become facilitators instead of the office of ‘No,’” Kulkarni said. “The security team should focus on building the right security culture, hiring the right facilitation-minded experts and putting in place a scalable program.”

Shifting Vulnerability Detection Left

Tal Morgenstern, co-founder and CPO at Vulcan Cyber, a provider of SaaS for enterprise cybersecurity risk remediation, said CISOs need to shift vulnerability detection left in the software development process and automate the alerting and fixing of vulnerabilities as much as possible.

He noted technologies like Kubernetes, containers and spot instances make tracking runtime vulnerabilities even harder because of their immutable nature.

“Understanding CI/CD and how to integrate security tools into it will also help,” he said. “While not security-related, supporting automated testing coverage will help the organization deploy changes in a safer manner and also make patching changes easier to deploy.”

Jack Marsal, director of product marketing for Dynatrace, explained that two shifts need to happen. First, security tooling needs to become easier to use and more automated. Only then will a high percentage of CISOs report that developers are actually using the tools. Second, Marsal said security tooling needs to do a better job assessing risks, as well as detecting and blocking attacks on modern applications.

“Today, that means containerized applications that run in complex, multi-cloud environments,” he said. “Most IT organizations are running security tests on individual applications, one at a time, in development environments. That approach is simply not able to provide the kind of intelligence needed for modern applications, which involve multiple dependencies across cloud boundaries.”

To get this level of information, IT security needs to think about shifting right, meaning continuously testing software in production, not just pre-production.

In fact, the survey indicated CISOs are already thinking about this: 89% said application security would be easier to manage if vulnerability testing tools and observability solutions converged into a single platform that could monitor real-time context of applications.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.