The rising adoption of cloud-native architectures, DevOps, and agile methodologies has broken traditional approaches to application security, according to Precise, automatic risk and impact assessment is key for DevSecOps, a new report from Dynatrace, based on an independent global survey of 700 CISOs.
As organizations shift more responsibility "left" to developers to accelerate innovation, increasingly complex IT ecosystems and outdated security tooling can slow releases by leaving blind spots and forcing teams to manually triage countless alerts, many of which are false positives reflecting vulnerabilities in libraries that are not used in production.
Organizations are calling for a new approach that is optimized for multicloud environments, Kubernetes, and DevSecOps.
This research reveals:
■ 89% of CISOs say microservices, containers, and Kubernetes have created application security blind spots.
■ 97% of organizations do not have real-time visibility into runtime vulnerabilities in containerized production environments.
■ Nearly two-thirds (63%) of CISOs say DevOps and Agile development have made it more difficult to detect and manage software vulnerabilities.
■ 74% of CISOs say traditional security controls such as vulnerability scanners no longer fit today's cloud-native world.
■ 71% of CISOs admit they are not fully confident code is free of vulnerabilities before going live in production.
"The increased use of cloud-native architectures has fundamentally broken traditional approaches to application security," said Bernd Greifeneder, Founder and Chief Technology Officer at Dynatrace. "This research confirms what we've long anticipated: manual vulnerability scans and impact assessments are no longer able to keep up with the pace of change in today's dynamic cloud environments and rapid innovation cycles. Risk assessment has become nearly impossible due to the growing number of internal and external service dependencies, runtime dynamics, continuous delivery, and polyglot software development which uses an ever-growing number of third-party technologies. Already stretched teams are forced to choose between speed and security, exposing their organizations to unnecessary risk."
Additional findings include:
■ On average, organizations need to react to 2,169 new alerts of potential application security vulnerabilities each month.
■ 77% of CISOs say most security alerts and vulnerabilities are false positives that do not require actioning as they are not actual exposures.
■ 68% of CISOs say the volume of alerts makes it very difficult to prioritize vulnerabilities based on risk and impact.
■ 64% of CISOs say developers do not always have time to resolve vulnerabilities before code moves into production.
■ 77% of CISOs say the only way for security to keep up with modern cloud-native application environments is to replace manual deployment, configuration, and management with automated approaches.
■ 28% of CISOs say application teams sometimes bypass vulnerability scans to speed up software delivery.
"As organizations embrace DevSecOps, they also need to give their teams solutions that offer automatic, continuous, and real-time risk and impact analysis for every vulnerability, across both pre-production and production environments, and not based on point-in-time 'snapshots'," continued Greifeneder.
Methodology: The report is based on a global survey of 700 CISOs in large enterprises with over 1,000 employees, conducted by Coleman Parkes and commissioned by Dynatrace in 2021. The sample included 200 respondents in the US, 100 in the UK, France, Germany, and Spain, and 50 in Brazil and Mexico, respectively.
The Latest
IT engineers and executives are responsible for system reliability and availability. The volume of data can make it hard to be proactive and fix issues quickly. With over a decade of experience in the field, I know the importance of IT operations analytics and how it can help identify incidents and enable agile responses ...
For businesses with vast and distributed computing infrastructures, one of the main objectives of IT and network operations is to locate the cause of a service condition that is having an impact. The more human resources are put into the task of gathering, processing, and finally visual monitoring the massive volumes of event and log data that serve as the main source of symptomatic indications for emerging crises, the closer the service is to the company's source of revenue ...
Our digital economy is intolerant of downtime. But consumers haven't just come to expect always-on digital apps and services. They also expect continuous innovation, new functionality and lightening fast response times. Organizations have taken note, investing heavily in teams and tools that supposedly increase uptime and free resources for innovation. But leaders have not realized this "throw money at the problem" approach to monitoring is burning through resources without much improvement in availability outcomes ...
Although 83% of businesses are concerned about a recession in 2023, B2B tech marketers can look forward to growth — 51% of organizations plan to increase IT budgets in 2023 vs. a narrow 6% that plan to reduce their spend, according to the 2023 State of IT report from Spiceworks Ziff Davis ...
Users have high expectations around applications — quick loading times, look and feel visually advanced, with feature-rich content, video streaming, and multimedia capabilities — all of these devour network bandwidth. With millions of users accessing applications and mobile apps from multiple devices, most companies today generate seemingly unmanageable volumes of data and traffic on their networks ...
In Italy, it is customary to treat wine as part of the meal ... Too often, testing is treated with the same reverence as the post-meal task of loading the dishwasher, when it should be treated like an elegant wine pairing ...
In order to properly sort through all monitoring noise and identify true problems, their causes, and to prioritize them for response by the IT team, they have created and built a revolutionary new system using a meta-cognitive model ...
As we shift further into a digital-first world, where having a reliable online experience becomes more essential, Site Reliability Engineers remain in-demand among organizations of all sizes ... This diverse set of skills and values can be difficult to interview for. In this blog, we'll get you started with some example questions and processes to find your ideal SRE ...
US government agencies are bringing more of their employees back into the office and implementing hybrid work schedules, but federal workers are worried that their agencies' IT architectures aren't built to handle the "new normal." They fear that the reactive, manual methods used by the current systems in dealing with user, IT architecture and application problems will degrade the user experience and negatively affect productivity. In fact, according to a recent survey, many federal employees are concerned that they won't work as effectively back in the office as they did at home ...
Users today expect a seamless, uninterrupted experience when interacting with their web and mobile apps. Their expectations have continued to grow in tandem with their appetite for new features and consistent updates. Mobile apps have responded by increasing their release cadence by up to 40%, releasing a new full version of their app every 4-5 days, as determined in this year's SmartBear State of Software Quality | Application Stability Index report ...
