New report shines light on application security challenges impacting global businesses.

The growth of the internet of things (IoT) and connected devices is the biggest contributing factor to organizations’ expanding attack surfaces. That’s according to a new report from Cisco AppDynamics, which revealed that 89% of global IT professionals believe their organization has experienced an expansion in its attack surface over the last two years. The Shift to a Security Approach for the Full Application Stack report surveyed 1,150 IT professionals in organizations across a range of sectors and international markets to outline the current application security challenges impacting IT departments.

Businesses face significant application security risks in 2023

Along with IoT and connected device growth, rapid cloud adoption, accelerated digital transformation, and new hybrid working models have also significantly expanded the attack surface, the report noted. Microservice-based application architectures and DevOps methodologies are playing a notable role too, exposing applications to new vulnerabilities, it added. These factors will affect the application security challenges businesses face in 2023, with 78% of respondents stating their organization’s full application stack could be vulnerable to attack over the next 12 months.

The top six application security challenges for 2023 detailed in the report are:

Lack of visibility into attack surfaces and vulnerabilities
Difficulty prioritizing threats based on severity, impact, and business context
Discovery and protection of sensitive data
Issues keeping up with a rapidly changing application security landscape
Challenges balancing speed, application performance and security
Volume of security threats and alerts

Inefficient visibility and contextualization of application security risks leave organizations in “security limbo” because they don’t know what to focus on and prioritize, 58% of respondents said.

“IT teams are being bombarded with security alerts from across the application stack, but they simply can’t cut through the data noise,” the report read. “It’s almost impossible to understand the risk level of security issues in order to prioritize remediation based on business impact. As a result, technologists are feeling overwhelmed by new security vulnerabilities and threats.”

Lack of collaboration and understanding between IT operations teams and security teams is having several negative effects too, the report found, including increased vulnerability to security threats and blind spots, difficulties balancing speed, performance and security priorities, and slow reaction times when addressing security incidents. Tellingly, 55% of technologists said they consider security to be more of an inhibitor than an enabler of innovation within their organizations.

Technology, culture shifts key to achieving DevSecOps

DevSecOps is key to addressing the application security risks modern businesses face, but the shift to a DevSecOps approach requires both technological and cultural change, the report stated. Increased automation to detect and block security issues is an avenue most respondents are exploring, but the report also exposed a need for ITOps/developer teams to become more aware of and knowledgeable about security, and for security professionals to gain a deeper understanding of application development and factors that affect performance.

One approach experts think can assist organizations in this area is to tailor security training to developers to help tackle risks. This involves replacing outdated security education with awareness training that is more engaging and relevant for developers to better impart the knowledge required to match the threat landscape and dynamic technology fundamentals of application security.