Virtualization Technology News and Information
7 Key Takeaways from the CrowdStrike 2024 State of Application Security Report

By Eyal Mamo, VP of Engineering at CrowdStrike

Applications run the world. As organizations accelerate their focus on driving revenue through software, the cybersecurity attack surface is shifting from classic infrastructure configuration and permissions to applications and APIs.

Industry data shows eight of the top 10 data breaches in 2023 were related to application attack surfaces*. These eight breaches alone were estimated to have exposed around 1.7 billion records. 

To better understand the challenges security teams are facing on the front lines, CrowdStrike recently surveyed 400 U.S.-based security professionals across industries. The CrowdStrike 2024 State of Application Security Report provides the clearest portrait to date of the scale and complexity of the applications teams are responsible for securing - and how they're securing them. 

Here are seven key takeaways from the report:

Pressure to deliver software drives complexity

With each passing year, software teams are empowered to push more code into the world faster than before. As the number of software projects and development teams increases, so does the number of programming languages used within an organization. The survey found 81% of respondents use Java at least once a day and 74% use Python at least once a day, complicating the job of application security professionals expected to learn secure coding paradigms in multiple languages and find tools that support each language used internally.

Manual processes are prone to error

Despite frequent deployment - 71% of organizations report releasing application updates at least once a week - teams are primarily using documentation (74%) and spreadsheets (68%) to catalog and inventory their applications and APIs. These methods largely depend on humans, making them prone to error. Furthermore, a faster deployment velocity makes it difficult for teams to keep a record of updated and accurate information.

Lack of security reviews puts code at risk

On average, only 54% of major code changes undergo a full security review before deploying to production. This could potentially lead to errors and misconfigurations that could cause major problems after the code is deployed. If the crew on your next flight decided to skip the standard preflight checks because they had already covered their quota for the day, would you feel safe? 

Security reviews aren't scalable

A full 81% of respondents indicated that a security review takes more than one business day; 35% said it takes more than three business days. These reviews are even more resource-depleting because of the number of people who need to spend time on them: 10 is the median number of individuals involved. Despite taking significant time to complete and involving several people, organizations still report conducting a median of four security reviews per week, with 21% doing 11 or more each week.

As a result, CrowdStrike found the estimated annual cost of security reviews for an average organization is over $1.2 million USD.

Organizations report visibility and prioritization challenges

Having multiple vulnerability management tools is not necessarily solving teams' challenges. Tool sprawl remains an obstacle for organizations of all sizes: nearly 90% of security professionals use three or more tools to detect and prioritize vulnerabilities and threats.

Asked to name their top application security challenges today, respondents pointed to prioritizing and triaging vulnerabilities and security alerts, as well as getting full visibility into applications and APIs. When asked to rank the main challenges in collaborating with engineering teams and developers, 22% of respondents ranked prioritizing what to fix first as their top obstacle. More than 60% ranked prioritization among their top three challenges.

Vulnerability remediation is slow

Resolving critical security incidents is still a problem. Only 30% of respondents were able to resolve incidents in 12 hours or less, meaning 70% of critical incidents take longer than 12 hours to resolve. The fastest breakout time CrowdStrike observed between July 2022 and June 2023 was just seven minutes. Today's adversaries can gain a foothold and move laterally within a network at lightning speed. Organizations must be able to quickly respond and rapidly remediate vulnerabilities to close the gaps. 

Different-sized organizations have different views on AppSec accountability

The individual or team responsible for securing applications varies across organizations. Generally, organizations with fewer than 1,000 employees are more likely to hold the CEO, CTO and software development team accountable for secure software. As organizations grow past 1,000 employees, they are more likely to consider the CISO, DevOps team and application security team accountable.

The data is clear: Applications and APIs are not secure enough. Organizations must rethink their approach to application security. As adversaries evolve their techniques and operate with greater speed, it is imperative that organizations strengthen their application security posture. Fortunately, new technologies address some of the greatest challenges in securing cloud-native applications. Application security posture management (ASPM) tools help organizations scale their application security so they can build strong, resilient applications and prevent breaches.

* Source: "List of Data Breaches and Cyber Attacks in 2023" by IT Governance, looking at data breaches by the total number of records impacted.


ABOUT THE AUTHOR

Eyal Mamo 

Eyal Mamo is VP of Engineering at CrowdStrike. Prior to joining CrowdStrike, Eyal co-founded and served as CTO at application security posture management (ASPM) company Bionic, which was acquired by CrowdStrike in 2023. Before that, Eyal served as entrepreneur-in-residence at YL Ventures, an American-Israeli venture capital firm that specializes in seed-stage cybersecurity investments. He also was VP R&D for cyber deception startup Cymmetria, and served six years in the Israel Defense Forces' Unit 8200, the country's largest and most renowned intelligence corps, which specializes in signals intelligence, cybersecurity and code decryption.

Published Tuesday, February 13, 2024 8:01 AM by David Marshall