Brought to you by Cisco AppDynamics
By Joe Byrne, Executive CTO, Cisco AppDynamics
Application security has become a major concern for organisations over the last two years. Rapid digital transformation to meet constantly changing customer needs and enable hybrid work has meant a dramatic increase in release velocity. But application security simply hasn’t kept pace.
In the latest research from Cisco AppDynamics, "The shift to a security approach for the full application stack", 100 per cent of technologists in Singapore admit that rapid innovation during the pandemic has come at the expense of robust application security. There is now widespread concern that applications are increasingly vulnerable to new and emerging cybersecurity threats.
With widespread adoption of multi-cloud environments, application components increasingly run on a mix of platforms and on-premise databases, expanding attack surfaces considerably. This is leaving major visibility gaps for IT teams and increasing the risk of a security event, the consequences of which are potentially catastrophic – service disruption and outages which can result in poor customer experience, reputational damage and lost revenue.
The move to cloud native technologies has highlighted the limitations of traditional approaches to application security, where security has often been overlooked until the very end of the production pipeline and there has been very little collaboration between developer and security teams. It has also exposed the shortcomings of siloed security solutions which make it impossible for technologists to cut through data noise to identify security issues which pose the greatest risk to customers and the business.
In order to address this growing challenge, IT departments need to take a security approach to the full application stack, leveraging the power of automation and Artificial Intelligence (AI), and integrating security at every stage of the application lifecycle from the very outset.
Cloud native technologies have dramatically expanded attack surfaces
The research finds that 96 per cent of organisations in Singapore have experienced an expansion in their attack surfaces over the last two years, and 48 per cent state that this is already presenting challenges.
Technologists cite a number of factors that have triggered this expansion in attack surfaces, the most prominent being the increased use of Internet of Things (IoT) and connected devices within their organisation. New hybrid working models have also served to expand attack surfaces.
In addition, rapid cloud adoption and the shift towards microservice-based application architectures are exposing applications to new and more varied vulnerabilities. The sheer volume of applications spread across multiple entities has made monitoring security throughout the DevOps pipeline extremely challenging.
IT teams are becoming overwhelmed by soaring complexity
Unfortunately, most IT teams currently don’t have the right level of visibility into these enlarged attack surfaces to identify and address vulnerabilities. Two-thirds of technologists report that their current security solutions work well in silos but not together, meaning that they can’t get a comprehensive view of their organisation’s security posture.
IT teams are being bombarded with security alerts from across the application stack but they simply can’t cut through the data noise to understand the risk level of security issues in order to prioritise remediation based on business impact. And as a result, IT teams are feeling overwhelmed by new security vulnerabilities and threats. In fact, more than half of all technologists admit that their organisation often ends up in ‘security limbo’ because they don’t know what to focus on and prioritise.
The need for DevSecOps and a security approach to the full application stack
Across all industries, there is an acknowledgement that organisations need to take a new approach to application security, not just to avoid a potentially crippling security breach, but also to lay the foundations for a more sustainable approach to innovation. In particular, technologists know that they need to tighten up their security processes if they are to reap the full benefits of modern application stacks over the coming years.
One of the principal ways in which organisations are looking to address the challenge of application security is by moving to a DevSecOps approach, fostering much closer collaboration between DevOps and SecOps teams. DevSecOps integrates application security and compliance testing throughout the software development lifecycle, rather than treating them as an afterthought at the end of the development pipeline.
This new approach enables developers to embed robust security into every line of code, resulting in more secure applications and easier security management, before, during and after release. But crucially, when DevSecOps works well, it doesn’t slow down release velocity. It shatters the perception that security is an inhibitor of innovation.
Most technologists now regard DevSecOps as essential to protect effectively against a multi-stage security attack on the full application stack, and we’re now seeing huge numbers of organisations shifting to this new approach.
As well as a cultural shift within IT departments, with IT teams having to change entrenched mindsets and embrace new ways of working, DevSecOps also requires the implementation of holistic monitoring systems which leverage AI and Machine Learning (ML) technologies to cope with the spiralling volumes of security threats organisations are facing across an expanded attack surface.
This type of automation is vital to identify weaknesses, predict future vulnerabilities and remediate issues. Once IT teams can teach AI tools to identify threats and resolve them independently of an administrator, the benefits are game-changing: reduced human error, increased efficiency, and greater agility in development. Indeed, 85 per cent of technologists in Singapore believe that AI will play an increasingly important role in addressing the challenges around speed, scale and skills that their organisation faces in application security.
Technologists are recognising the need for a security approach for the full application stack that delivers complete protection for their applications, from development through to production, across code, containers and Kubernetes. Alongside this, IT teams are looking to integrate performance and security monitoring with business transaction insights to understand how vulnerabilities and incidents could impact end users and the business. This means that they can cut through data noise and prioritise those threats that could really damage a business-critical area of the environment or application.
Ultimately, application security can no longer be an afterthought within digital transformation programs. Organisations need to recognise it as a key element of the application lifecycle, and the foundation for sustainable and accelerated innovation.