Legit Security and Enterprise Strategy Group (ESG) announced the publication of "Modernizing Application Security to Scale for Cloud-native Development." The report examines the development trends driving the need to modernize application security programs and evaluates the most pressing challenges that application security teams encounter with their current tools. The findings underscore the urgency for organizations to modernize their application security practices so that they can support growth and mitigate risk.
"Organizations are increasingly adopting new technologies so that they can bolster their software development, and as modern development has changed, so have attacker tactics," said Joe Nicastro, Field CTO, Legit Security. "Development teams are using cloud-native technologies to drive efficiency and optimize innovation, but this often leads to a larger attack surface due to misconfigurations, vulnerable plug-ins, and excessive permissions throughout the SDLC. In today's environment, organizations must adopt security solutions that can protect their software factory from end to end while providing developers with the guardrails they need to do their best work safely."
The report found that application security teams face a number of challenges, such as keeping up with the speed and volume of releases and prioritizing remediation. These challenges highlight the importance of a modernized approach and of alignment with development and DevOps teams for improved collaboration. Additionally, nearly all organizations reported difficulties in fixing vulnerabilities after applications are deployed, reinforcing the importance of incorporating security processes and tools into the build process.
The report's key findings include:
- 60% of organizations use infrastructure as code (IaC) to simplify infrastructure provisioning and easily deploy software applications. However, with increased IaC adoption, misconfigurations can be magnified because flaws are easily proliferated if not addressed. Of particular concern, 67% of respondents report an increase in IaC misconfigurations.
- 45% of security teams supporting cloud-native development processes said understanding and managing risks related to the usage of generative AI is their biggest challenge, followed by measuring and improving AppSec program effectiveness, and understanding developer environments and assets in order to manage security effectively.
- The majority of organizations experienced a cybersecurity event involving their cloud-native application stack in the last 12 months, with secrets stolen from a source code repository (32%) being the most common incident.
- Only 39% of organizations report that their security teams have visibility into certain applications, reinforcing the necessity for visibility into security testing during development.
"Our research calls attention to how traditional application security teams need solutions that support modern development processes as they scale to drive productivity and business growth," said Melinda Marks, Practice Director, Cybersecurity, Enterprise Strategy Group. "The research showed that in addition to securing the applications, security teams need to address security related to how developers work, including secrets, pipeline tools, containers, and source code repositories. While these elements enable developers to work quickly and collaborate, the added attack surfaces and chance for mistakes become greater as development scales. By understanding and addressing these areas, organizations can improve their security programs. This is important as we have seen all too often that just one incident can have severe ramifications on the business, including data loss, business disruption, application downtime, customer data loss, malware, and compliance fines."
To download the report, visit http://info.legitsecurity.com/esg-modernizing-application-security-to-scale-for-cloud-native-development