Presented by Cisco AppDynamics
Digital innovation became a rush job during the pandemic, and along the way robust application security became a casualty, a report from Cisco AppDynamics found. A full 92% of technologists said changing customer needs and the swift switch to hybrid work environments meant that security fell by the wayside during software development.
Security today is many miles and decades past simply firewalling an on-premises, very static architecture where code changes may happen once or twice a year. Digital transformation means that applications are cloud native, with microservices dispersed across cloud platforms in an array of locations, where code changes can happen daily. Thus, to the dismay of 89% of IT leaders, their organizations have faced an expansion in their attack surfaces over the last two years.
“Security has become a challenge due to the speed of development and expansion of the attack surface when folks have been transforming their business applications,” says Gregg Ostrowski, CTO Adviser, Cisco AppDynamics. “Applications became so fundamental to business outcomes that businesses prioritized new features and capabilities. Now the challenge is to go back and understand where there are security gaps and determine where the security process should be plugged into the development cycle.”
New challenges to security in a dynamic environment
The research, which includes findings from 1,150 IT professionals interviewed across 13 markets worldwide, also found that technologists are at a bit of a loss, with 81% reporting that a lack of application security skills and resources is now an issue for their organizations, and 58% admitting that their organization often ends up in security limbo because they don’t know what to focus on and prioritize.
The overarching challenge now is to find a security model that maintains and supports the speed and scale of the development cycle, but also keeps the data and the enterprise protected. Dovetailing with that challenge is the need to do it quickly, since 78% of those surveyed feel that their organization is vulnerable to a multi-staged security attack in the next 12 months. They’re making moves now, with 79% of technologists stating that the implementation of a security approach for the full application stack is now a priority for their organization.
Regrettably, they’re starting out in an environment where multi-department communication is rare and silos are common. In fact, more than a third of technologists report that their ITOps teams only collaborate with security teams when there is a potential issue, if at all.
“The need right now is to establish a security mindset for developers, in which security is crucial to innovation and a critical part of the development pipeline, right from the start,” Ostrowski says. “The bigger challenge is that historically, IT has always worked in silos.”
Silos more challenging than ever
From a traditional perspective, development teams and security teams have very different goals and values, and so it makes sense for each to work independently, Ostrowski says. Developers are cranking up the speed of iteration and launching as fast as they can. Meanwhile, security is trying to protect the juicier-than-ever target that applications make, because they’re not only less secure but also more important than ever to organizations. Silos are security risks.
Security limbo comes when teams don’t have a way to monitor the full system, and thus don’t have the intel they need on how serious a threat is to the business when it pops up. They need to understand the business risk of vulnerabilities within the application stack. And they need to collaborate.
“Getting teams to work together requires not just a technology stack that’s conducive to doing so, but the internal culture,” Ostrowski explains. “That’s about making sure that teams are aligned on a full-stack observability strategy that gets everyone on the same page, that teams are collaborating together, and also have the right set of tools to do it successfully.”
The full stack approach becomes crucial
As applications grow in dependency and grow in importance to the organization, they become a more vulnerable asset, and bad actors, using AI technology, are faster than ever at spotting and taking advantage of vulnerabilities. In the meantime, IT security leaders are playing whack-a-mole with intrusion detection and expulsion, rather than proactively securing the application itself.
“The growth of the application landscape and the increasing number of threats against them pitches IT departments into a never-ending battle to stay ahead,” Ostrowski says. “Ultimately, a full stack approach, or gaining visibility across the entire stack of the application, is what’s required to identify, evaluate and address these new risks.”
Runtime-level visibility into the application also ensures that security keeps pace as applications continue to evolve and grow larger and more complex. And IT leaders are starting to embrace the clear benefits, with 92% of technologists agreeing that a security approach for the full stack is an important move to increase application security. Meanwhile, 89% point to increased automation as crucial to detect and block security issues at runtime and improve security posture.
Driving business outcomes with DevSecOps
Unfortunately, while 55% of technologists still consider security as more of an inhibitor to innovation than an enabler, 76% believe that DevSecOps is essential for organizations to effectively protect against that multi-stage security attack on the overarching full stack of the application.
In other words, that means giving security a seat at the table during the development cycle, right at the start, rather than having it come in at the last mile and bring the whole show to a halt with security audits. With the latter, not only do you lose valuable time, you miss out on innovations from the security team.
“If you want to be able to operate fast, and work from a perspective that centers on business outcomes, you want to make sure that you have a streamlined DevSecOps strategy built into the product and development cycles,” Ostrowski says. “If your main goal is to drive business outcomes, user experiences are central to that – and if the security team has innovative solutions for easier log-ins or more secure user data, the development team should take advantage of that.”
This also increases the level of collaboration between security and the development teams, because now the security team understands the context of the application, while the application team gains context around the security within the application and how it impacts both performance and user experience. Today’s tight market makes it especially crucial to have a breadth of knowledge about what happens outside your home domain. In other words, when an issue crops up, whether that’s in the application or the infrastructure, or a security threat appears, you understand what impact it will have on both the business and business outcomes.
“This really exposes that need for technologists to increase their level of skill sets across different disciplines, so the whole team understands the end goal, which is driving better business outcomes,” Ostrowski says. “Ultimately it’s a shift in both technology and culture, making security swift and agile, and application development secure.”
Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact email@example.com.