The State of Cloud-Native Application Security Is at a Crossroads
June 29, 2023

Shahar Man
Backslash Security

The pace of cloud-native innovations is accelerating — more enterprise organizations are deploying code multiple times per week, with many doing so daily. In fact, the percentage of large organizations that deploy code to production daily is expected to increase from 5% in 2021 to 70% in 2025 (IDC FutureScape).

Cloud-native has changed application development in other significant ways. The configuration of the layers of cloud-native applications (e.g. code, containers, apps as containers) is now done with Infrastructure as Code (IaC) tools, which effectively blur the lines between application security (AppSec) and infrastructure security. Security risks that were once squarely in the domain of AppSec now bleed over into infrastructure security.

The complementary cloud-native capabilities that development teams enjoy have not reached AppSec teams, who struggle to match the pace of their development counterparts while also taking infrastructure security into account. This burden is compounded by current AppSec solutions like SAST and SCA, which often produce excessive low-value alerts and "noise" because their assessments are performed without the cloud context needed to judge whether a finding is actually exposed.

My colleagues and I at cloud-native application security provider Backslash Security have been fascinated by the fact that dev teams outnumber AppSec teams and the amount of alert noise the latter struggle with on a daily basis. We wanted to dig deeper, so we commissioned a report to find out from US-based AppSec professionals (managers and engineers) themselves how they are faring with these dynamics at play. The resulting report, Breaking the Catch-up Cycle: The New Cloud-Native AppSec Paradigm Survey Report, illuminated our understanding of AppSec teams' day-to-day challenges and their perspective on the solution capabilities needed to likewise usher in their own cloud-native era.


AppSec Teams Using Cloud-Native Solutions See Declining Utility for Traditional AppSec Solutions

The study revealed that SAST and SCA solutions — long considered staples of the AppSec ecosystem — are losing ground, with just 32% of respondents using either tool extensively. However, there is evidence that the size and resources of an enterprise influence which solutions its AppSec teams use. Enterprise organizations with lower employee headcounts (<5,000 employees) use SAST and SCA technologies more extensively, as they lack the budget and resources to abandon these tools in favor of more complex solutions.

Enterprises Using Traditional AppSec Tools Are Subject to a Costly "Defensive Tax"

AppSec teams using current solutions spend an inordinate amount of time compensating for their shortcomings. Over half (58%) of AppSec teams report that they spend 50% or more of their workday chasing vulnerabilities, and a mind-blowing 89% of AppSec respondents said they spend at least 25% of their time on the same pursuit.

As the old adage goes, "Time is Money." Forcing AppSec professionals to work in a state of perpetual defense, instead of establishing and driving a comprehensive cloud-native application security program, has consequences. It introduces a "Defensive Tax": the financial loss suffered through stifled efficiency and innovation. By conservative estimates, enterprises lose an average of $1.2 million annually to these unnecessary operating costs.

Low "Signal-To-Noise" Ratio Is Chief of Several Prevailing AppSec Solution Shortcomings

The challenge of noisy AppSec solutions was well documented by the time cloud-native development innovations came into play. However, the arrival of cloud-native development substantially magnified the "signal-to-noise" shortcomings of current AppSec solutions. The research showed that the most often cited grievances AppSec professionals had regarding their solutions were: "Prioritizing findings takes a considerable amount of time" (48%) and "Existing AppSec tools are pretty noisy" (45%). Nearly all respondents (94%) had multiple grievances, but respondents working on the front lines — AppSec engineers — consistently cited more grievances with current tools than the AppSec managers surveyed.

AppSec Solution Shortcomings Can Negatively Affect Other Professional Spheres of the Enterprise

Nearly all AppSec professionals surveyed said current cloud-native AppSec tooling limitations drove negative business impact across multiple aspects of their enterprise organization. The list of challenges includes: increased friction between AppSec and development teams (39%); jeopardized ability to generate revenue (39%); and an inability to retain high-value dev talent (38%) and AppSec talent (35%).

Despite a Consensus on the Cloud-Native Solution Capabilities They Need, Most AppSec Teams Are Not Enabled by Their Organizations to Act

The new cloud-native AppSec paradigm is best characterized by three core tenets: end-to-end visualization of cloud-native application threat models (which reduces manual work); correlating AppSec risk to an application's exposure to the outside world; and effective differentiation between general code weaknesses and critical, exploitable vulnerabilities.
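The second and third tenets describe a prioritization problem: the same scanner finding matters far more in a service that is internet-facing and parses untrusted input than in an internal batch job or a staging-only deployment. The following is an added, self-contained illustration of that idea; it is not Backslash's product logic or survey material. The findings, the exposure map (the kind of facts a tool could derive from Terraform or Kubernetes manifests), the severity weights and the tier thresholds are all constructed assumptions for the demo.

```python
"""Prioritize AppSec findings by production exposure context.

Added illustration, not Backslash Security's code. Everything below is
constructed: the findings, the IaC-derived exposure map, and the weights.
"""
from dataclasses import dataclass

# Assumed numeric weights for scanner-reported severities.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    service: str      # deployable unit the finding lives in
    severity: str     # scanner-reported severity
    rule: str         # CWE or SCA rule description
    reachable: bool   # is the flagged code on a path from an entry point?


@dataclass(frozen=True)
class Exposure:
    internet_facing: bool    # public load balancer / ingress declared in IaC
    handles_untrusted: bool  # parses request data from outside the trust boundary
    runs_in_prod: bool       # deployed to a production environment


# Constructed exposure map, as a tool might derive it from IaC for three services.
EXPOSURE = {
    "api-gateway": Exposure(internet_facing=True, handles_untrusted=True, runs_in_prod=True),
    "billing-worker": Exposure(internet_facing=False, handles_untrusted=False, runs_in_prod=True),
    "admin-dashboard": Exposure(internet_facing=False, handles_untrusted=True, runs_in_prod=False),
}

# Constructed findings in the shape a SAST/SCA scanner emits them.
FINDINGS = [
    Finding("F-1", "api-gateway", "high", "CWE-89 SQL injection", reachable=True),
    Finding("F-2", "billing-worker", "critical", "vulnerable dependency", reachable=False),
    Finding("F-3", "api-gateway", "low", "CWE-563 unused variable", reachable=True),
    Finding("F-4", "admin-dashboard", "high", "CWE-79 cross-site scripting", reachable=True),
    Finding("F-5", "unknown-svc", "medium", "CWE-20 input validation", reachable=True),
]


def exposure_multiplier(exp):
    """Scale severity by what the deployment context says about exposure (assumed factors)."""
    if exp is None:
        return 1.0  # no context available: keep raw severity and flag for follow-up
    m = 1.0
    if exp.internet_facing:
        m *= 2.0
    if exp.handles_untrusted:
        m *= 1.5
    if not exp.runs_in_prod:
        m *= 0.5
    return m


def score(finding, exposure_map):
    """Combine scanner severity, deployment exposure and code reachability into one number."""
    s = SEVERITY_WEIGHT[finding.severity] * exposure_multiplier(exposure_map.get(finding.service))
    if not finding.reachable:
        s *= 0.5  # unreachable code is a weakness to fix, not an exploitable vulnerability
    return s


def classify(s):
    """Map a score to a triage tier (assumed thresholds)."""
    if s >= 10:
        return "critical-vulnerability"
    if s >= 4:
        return "review"
    return "code-weakness"


def prioritize(findings, exposure_map=EXPOSURE):
    """Return (id, score, tier) tuples ordered from most to least urgent."""
    ranked = sorted(findings, key=lambda f: score(f, exposure_map), reverse=True)
    return [(f.finding_id, round(score(f, exposure_map), 2), classify(score(f, exposure_map)))
            for f in ranked]


def missing_context(findings, exposure_map=EXPOSURE):
    """Findings whose service has no exposure data: their scores are unreliable."""
    return [f.finding_id for f in findings if f.service not in exposure_map]


if __name__ == "__main__":
    for row in prioritize(FINDINGS):
        print(row)
    print("no exposure context:", missing_context(FINDINGS))
```

The point of the example is the ordering it produces: a high-severity injection in the internet-facing gateway outranks a "critical" dependency whose vulnerable code is never called, and a low-severity hygiene finding in the same gateway stays a code weakness. The `missing_context` check is the practical caveat: a service absent from the exposure map gets a raw score, and that gap should be closed rather than silently trusted.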

Despite the consensus on this paradigm within the AppSec world, there is a considerable gap between what AppSec teams need and their enablement to introduce change. While 85% of respondents agree it is critical to differentiate between real security risks and noise in their daily work, only 38% feel that their organization enables them to do so. The same gap persists across the other most critical capabilities: "Correlating security findings to the developer or dev team responsible for the fix" (78% vs. 43%); "Meeting compliance standards" (78% vs. 38%); "Analyzing threat impact in the context of their production environment" (74% vs. 30%); and "Efficient triaging between Dev and AppSec" (73% vs. 42%).

The State of Cloud-Native Application Security Is in a State of Flux - How Do We Move the Needle Forward?

Much like the inflection point that shifted the development life cycle from the legacy waterfall model to today's model of continuous development, the insights gained from this study illustrate that we have arrived at a similar point for AppSec tools — one that will prompt their adaptation to today's cloud-native reality. The cloud-native application development paradigm calls for a new, unified approach to application security — spanning code, application, and production context. The traditional dividing lines between application security and cloud security are quickly dissolving, and this study makes it abundantly clear that what today's teams lack is not consensus but enablement: the tools and technologies that bridge this dichotomy and meet cloud-native application development where it stands.

Shahar Man is Co-founder and CEO of Backslash Security