By Eyal Mamo, VP of Engineering at CrowdStrike
Applications run the world. As organizations accelerate their focus on driving revenue through software, the cybersecurity attack surface is shifting to applications and APIs from classic infrastructure configuration and permissions.

Industry data shows eight of the top 10 data breaches in 2023 were related to application attack surfaces*. These eight breaches alone were estimated to have exposed around 1.7 billion records.

To better understand the challenges security teams are facing on the front lines, CrowdStrike recently surveyed 400 U.S.-based security professionals across industries. The CrowdStrike 2024 State of Application Security Report provides the clearest portrait to date of the scale and complexity of the applications teams are responsible for securing - and how they're securing them.

Here are seven key takeaways from the report:
## Pressure to deliver software drives complexity

With each passing year, software teams are empowered to push more code into the world faster than before. As the number of software projects and development teams increases, so does the number of programming languages used within an organization. The survey found 81% of respondents use Java at least once a day and 74% use Python at least once a day, complicating the job of application security professionals, who are expected to learn secure coding paradigms in multiple languages and find tools that support each language used internally.
## Manual processes are prone to error

Despite frequent deployment - 71% of organizations report releasing application updates at least once a week - teams are primarily using documentation (74%) and spreadsheets (68%) to catalog and inventory their applications and APIs. These methods largely depend on humans, making them prone to error. Furthermore, a faster deployment velocity makes it difficult for teams to keep their records updated and accurate.
## Lack of security reviews puts code at risk

On average, only 54% of major code changes undergo a full security review before deploying to production. This can lead to errors and misconfigurations that cause major problems after the code is deployed. If the crew on your next flight decided to skip the standard preflight checks because they had already covered their quota for the day, would you feel safe?
## Security reviews aren't scalable

A full 81% of respondents indicated that a security review takes more than one business day; 35% said it takes more than three business days. These reviews are even more resource-depleting because of the number of people who need to spend time on them: 10 is the median number of individuals involved. Despite taking significant time to complete and involving several people, organizations still report conducting a median of four security reviews per week, with 21% doing 11 or more each week.

As a result, CrowdStrike found the estimated annual cost of security reviews for an average organization is over $1.2 million USD.
## Organizations report visibility and prioritization challenges

Having multiple vulnerability management tools is not necessarily solving teams' challenges. Tool sprawl remains an obstacle for organizations of all sizes: nearly 90% of security professionals use three or more tools to detect and prioritize vulnerabilities and threats.

Asked to name their top application security challenges today, respondents pointed to prioritizing and triaging vulnerabilities and security alerts, as well as getting full visibility into applications and APIs. When asked to rank the main challenges in collaborating with engineering teams and developers, 22% of respondents ranked prioritizing what to fix first as their top obstacle. More than 60% ranked prioritization among their top three challenges.
## Vulnerability remediation is slow

Resolving critical security incidents is still a problem. Only 30% of respondents were able to resolve incidents in 12 hours or less, meaning 70% of critical incidents take longer than 12 hours to resolve. The fastest breakout time CrowdStrike observed between July 2022 and June 2023 was just seven minutes. Today's adversaries can gain a foothold and move laterally within a network at lightning speed. Organizations must be able to quickly respond and rapidly remediate vulnerabilities to close the gaps.
## Different-sized organizations have different views on AppSec accountability

The individual or team responsible for securing applications varies across organizations. Generally, organizations with fewer than 1,000 employees are more likely to hold the CEO, CTO and software development team accountable for secure software. As organizations grow past 1,000 employees, they are more likely to consider the CISO, DevOps team and application security team accountable.
The data is clear: applications and APIs are not secure enough. Organizations must rethink their approach to application security. As adversaries evolve their techniques and operate with greater speed, it is imperative that organizations strengthen their application security posture. Fortunately, new technologies address some of the greatest challenges in securing cloud-native applications. Application security posture management (ASPM) tools help organizations scale their application security so they can build strong, resilient applications and prevent breaches.
\* Source: "List of Data Breaches and Cyber Attacks in 2023" by IT Governance, looking at data breaches by the total number of records impacted.
## ABOUT THE AUTHOR

Eyal Mamo is VP of Engineering at CrowdStrike. Prior to joining CrowdStrike, Eyal co-founded and served as CTO at application security posture management (ASPM) company Bionic, which was acquired by CrowdStrike in 2023. Before that, Eyal served as entrepreneur-in-residence at YL Ventures, an American-Israeli venture capital firm that specializes in seed-stage cybersecurity investments. He was also VP R&D for cyber deception startup Cymmetria, and served six years in the Israel Defense Forces' Unit 8200, the country's largest and most renowned intelligence corps, which specializes in signals intelligence, cybersecurity and code decryption.