By Joe Byrne, Executive CTO, Cisco AppDynamics
Application security has become a major concern for organizations over the last two years. Rapid digital transformation to meet constantly changing customer needs and enable hybrid work has meant a dramatic increase in release velocity. But application security simply hasn’t kept pace.
In the latest research from Cisco AppDynamics, The shift to a security approach for the full application stack, all surveyed technologists from the United Arab Emirates (UAE) admit that rapid innovation during the pandemic has come at the expense of robust application security. And there is now widespread concern that applications are increasingly vulnerable to new and emerging cybersecurity threats.
With the widespread adoption of multi-cloud environments, application components increasingly run on a mix of platforms and on-premise databases, expanding attack surfaces considerably. This is leaving major visibility gaps for IT teams and increasing the risk of a security event, the consequences of which are potentially catastrophic — service disruption and outages which can result in poor customer experience, reputational damage and lost revenue.
The move to cloud-native technologies has highlighted the limitations of traditional approaches to application security, where security has often been overlooked until the very end of the production pipeline and there has been very little collaboration between developer and security teams. It has also exposed the shortcomings of siloed security solutions which make it impossible for technologists to cut through data noise to identify security issues which pose the greatest risk to customers and the business.
In order to address this growing challenge, IT departments need to take a security approach to the full application stack, leveraging the power of automation and Artificial Intelligence (AI), and integrating security at every stage of the application lifecycle from the very outset.
Cloud-native technologies have dramatically expanded attack surfaces
The research finds that 95% of UAE organizations have experienced an expansion in their attack surfaces over the last two years, and 49% state that this is already presenting challenges.
Technologists cite several factors that have triggered this expansion in attack surfaces, the most prominent being the increased use of the Internet of Things (IoT) and connected devices within their organization. New hybrid working models have also served to expand attack surfaces.
In addition, rapid cloud adoption and the shift towards microservice-based application architectures are exposing applications to new and more varied vulnerabilities. The sheer volume of applications, spread across multiple entities, has made monitoring security throughout the DevOps pipeline extremely challenging.
IT teams are becoming overwhelmed by the soaring complexity
Unfortunately, most IT teams currently don’t have the right level of visibility into these enlarged attack surfaces to identify and address vulnerabilities. 81% of technologists across the Emirates report that their current security solutions work well in silos but not together, meaning that they can’t get a comprehensive view of their organization’s security posture.
IT teams are being bombarded with security alerts from across the application stack but they simply can’t cut through the data noise to understand the risk level of security issues in order to prioritize remediation based on business impact. And as a result, IT teams are feeling overwhelmed by new security vulnerabilities and threats. In fact, more than half of all technologists admit that their organization often ends up in ‘security limbo’ because they don’t know what to focus on and prioritize.
The need for a DevSecOps approach
Across all industries, there is an acknowledgement that organizations need to take a new approach to application security, not just to avoid a potentially crippling security breach, but also to lay the foundations for a more sustainable approach to innovation. In particular, technologists know that they need to tighten up their security processes if they are to reap the full benefits of modern application stacks over the coming years.
One of the principal ways in which organizations are looking to address the challenge of application security is by moving to a DevSecOps approach, fostering much closer collaboration between DevOps and SecOps teams. DevSecOps integrates application security and compliance testing throughout the software development lifecycle, rather than them being an afterthought at the end of the development pipeline.
This new approach enables developers to embed robust security into every line of code, resulting in more secure applications and easier security management, before, during and after release. But crucially, when DevSecOps works well, it doesn’t slow down release velocity. It shatters the perception that security is an inhibitor of innovation.
Most technologists now regard DevSecOps as essential to effectively protect against a multi-staged security attack on the full application stack and we’re now seeing huge numbers of organizations shifting to this new approach.
As well as a cultural shift within IT departments, with IT teams having to change entrenched mindsets and embrace new ways of working, DevSecOps also requires the implementation of holistic monitoring systems which leverage AI and Machine Learning (ML) technologies to cope with the spiralling volumes of security threats organizations are facing across an expanded attack surface.
This type of automation is vital to identify weaknesses, predict future vulnerabilities and remediate issues. Once IT teams can teach AI tools to identify threats and resolve them independently of an admin, the benefits are game-changing — reduced human error, increased efficiency, and greater agility in development. Indeed, 88% of UAE technologists believe that AI will play an increasingly important role in addressing the challenges around speed, scale and skills that their organization faces in application security.
Technologists are recognizing the need for a security approach for the full application stack that delivers complete protection for their applications, from development through to production, across code, containers and Kubernetes. Alongside this, IT teams are looking to integrate performance and security monitoring with business transaction insights to understand how vulnerabilities and incidents could impact end users and the business. This means that they can cut through data noise and prioritize those threats that could damage a business-critical area of the environment or application.
Ultimately, application security can no longer be an afterthought within digital transformation programs. Organizations need to recognize it as a key element of the application lifecycle, and the foundation for sustainable and accelerated innovation.
