There has been a noticeable rise in conflict between application security (AppSec) professionals and application developers regarding agreement on cloud-native requirements, according to a recent report on software industry security. A growing concern in this context is also the retention of developer talent.
The primary problem is that traditional AppSec tools are inadequate for cloud environments. As a result, AppSec teams deal daily with the effects of a lack of suitable cloud-native tooling. This persistent problem leads to team conflict, issues with talent retention, revenue concerns, reputational disputes, and a loss of more than half of their time in the pursuit of vulnerabilities.
The good news is that AppSec teams are aware of their needs and that AppSec professionals are largely in agreement about what a modern, cloud-native AppSec paradigm should entail. Although this understanding exists, only a small number of teams actually possess the skills needed to successfully meet these requirements.
Effect of Inadequate Cloud-Native Tools Is Revealed by Study
Breaking the Catch-up Cycle: The New Cloud-Native AppSec Paradigm Survey Report was a study published in May by Backslash Security, a provider of cloud-native AppSec solutions. It examines how application security has changed since the emergence of cloud-native application development.
The study looks at the practices, resources, and requirements of CISOs, AppSec managers, and AppSec engineers at enterprise organizations with 1,000 or more employees and established cloud-native app development environments. 85% of AppSec experts surveyed said it was essential to be able to distinguish between real risks and noise. At present, only 38% are able to do so.
Researchers claim that the absence of cloud-native tools has a significant impact on mature DevOps organizations. Due to their inability to keep up with the increasingly fast-paced, agile development environment, app security teams are forced to play security defense by pursuing endless and fruitless vulnerability hunts.
Inadequate cloud-native tooling is a significant cause of friction between AppSec teams and developers. Current AppSec tools do not report the level of evidence dev teams need in order to respond to alerts, according to Shahar Man, co-founder and CEO of Backslash Security.
AppSec is putting up a fight
Interestingly, the report found that while 58 percent of respondents claimed to spend more than half of their time looking for vulnerabilities, a startling 89 percent claimed to spend a minimum of 25% of their time in this defensive state. Enterprises across the globe pay this expensive defensive tax.
The cost of hiring AppSec engineers who pursue vulnerabilities rather than overseeing a thorough cloud-native AppSec program is the so-called tax, which is estimated to be over $1.2 million annually. Man lamented that the rapid code deployment to the cloud by ever-rapidly developing development teams is making it difficult for application security teams to keep up.
Their outdated equipment, he said, is a serious issue. They lack the cloud context necessary for AppSec teams to successfully carry out their duties. Additionally, the issue is made worse by the current application security tools’ excessive production of low-value alerts.
Man argued that modern, cloud-native tools should be available to AppSec teams. It should come as no surprise that the most frequent criticisms of the tools available to AppSec experts are common. Employees in the AppSec industry complain that their traditional tools are noisy and take too long to prioritize findings.
The automatic correlation of AppSec risk to app exposure to the outside world is one of the central features of contemporary AppSec, according to Man.
This was deemed important by a sizable majority of respondents (91 percent). Due to the lack of agreement on fundamental code flaws and serious vulnerabilities, tension between AppSec and developers is increasing. In addition, 82 percent of the respondents emphasized the significance of end-to-end visualization of threat models for cloud-native applications.
Inaction is causing the Rift
AppSec teams eventually lose developers’ trust due to the sheer volume of reported false positives and other factors. Respondents to a survey conducted for this report regarding the effects of the lack of cloud-native tools identified the growing AppSec/dev friction as the main problem, followed by the difficulty in finding and retaining dev and AppSec talent.
“Clearly, AppSec teams know what they need,” Man said, adding that the bigger question is whether the industry is prepared to provide it to them.
For instance, the ability to distinguish between real code risks and low-risk issues is desired by an overwhelming majority (85 percent) of AppSec professionals, making it the most important cloud-native capability. However, only 38% of people can do this completely with their current toolkit.
“These enormous enablement gaps extend across core cloud-native capabilities,” he claimed.
Wanting the tension to go down
Man added that one of the things AppSec teams want most is the ability to collaborate effectively with their dev counterparts, a key concern that surfaced throughout the survey. Each AppSec role has a unique perspective on how the absence of cloud-native tools affects the escalating tension in relationships between AppSec and developers.
For example, AppSec engineers work hard in the trenches all day long. They are most concerned with keeping development talent. But the retention of AppSec talent is what their managers are most worried about. CISOs are concerned about conflict between the two teams because they have a high-level view of both sides of the situation.
Man also points out the absence of cloud-native capabilities that would facilitate collaboration between dev and AppSec. The survey revealed a glaring lack of them.
As an illustration, 78 percent of respondents said it is crucial to relate security findings to the development team in charge of the fix. However, only 43% of people have this capability right now.
The study revealed that efficient triaging between dev and AppSec is comparable, at 73% vs. 42%.
Expensive Repercussions
Man confided that the sheer amount of wasted AppSec time attributed to inadequate tools was one of the biggest surprises in the results. Companies are paying a high price for that inefficiency.
“Defense is expensive, or there is a heavy defensive tax. Conservative estimates place the annual cost of lost AppSec time for the average enterprise at over $1 million,” he said.
That estimate was based on average AppSec employee salaries and AppSec team sizes. Man continued, “That calculation neglects to account for the cost of insufficiently securing the given enterprise’s applications.”
Key Lessons Illustrate New Market Direction
A little under half of the respondents said their companies push code at least once every day. The speed of developers is accelerating consistently.
Because they can’t keep up and are mired in a never-ending game of catch-up, teams are losing faith in traditional AppSec tools. The widespread effects of inadequate cloud-native AppSec tools are significant, as the vast majority of organizations have observed, according to Man.
He continued that the impact on “people” is particularly important. The key takeaway is that the AppSec sector is prepared for a significant shift and deserves tools that are specifically designed to comprehend the cloud.
Man thinks that application security posture management (ASPM), a new security strategy, gives AppSec teams more control and enhances the security posture of their applications.
Last but not least, Man said, “there is a new mindset, one that provides a holistic view of the application security posture, allowing AppSec to strike a balance between having the ability to detect and address vulnerabilities before they can be exploited, as well as having a ‘shift left’ mindset.”