The massive Log4j vulnerability in 2021 that wreaked havoc on hundreds of millions of at-risk devices stands as one example of over 65 documented zero-day instances last year. At double the threats from the previous year, and with each instance representing potential million-plus dollar losses, this growth underscores a sizable challenge as the attack surface continues to evolve alongside rising technological complexity. With no end in sight — what are the chances 2021 was an anomaly?
Rising app security threats plague technologists
IT teams are now beholden to exceed user demand for fast, flawless and safe application experiences as they race to push code faster. And as app delivery ecosystems grow to meet the need, complexity and challenges mount. According to a recent study, 93% of technologists acknowledge they lack resources to address every incoming security alert on the day it occurs, and 83% report alert fatigue. Something has to give.
Unfortunately, without visibility, there’s no easy way to guess the potential outcome when an alert goes unaddressed. It may impact users (or not), but to what degree is difficult to predict, and when prioritizing alerts is a guessing game — the impact on user trust can be catastrophic to profitability. All of this leaves organizations at a dangerous crossroads where teams are forced to guess which alerts to timely resolve and risk potentially devastating consequences for the business.
Increasingly collaborative app delivery environments
As application development environments grow, many companies begin adopting cross-functional team approaches to streamline complex IT processes. For example, a recent EMA study shows 73% of respondents currently have DevOps in place and another 15% plan to implement this function before 2024. While doing so up-levels visibility across application lifecycles — from planning to performance monitoring — it doesn’t adequately address app security.
To ensure optimal balance between user demands for high performing apps and the need for security, DevSecOps emerged as a cross-functional model that layers security scanning into DevOps processes before code releases. EMA reports the DevSecOps team model for security has been adopted by 38% of orgs, and another 35% have plans to implement it before 2024 — a clear sign that app security is a top priority across all sectors.
Addressing security gaps in DevSecOps
Without visibility across the entire app delivery chain, including third-party and open source components, DevOps and DevSecOps remain challenged — sometimes to the breaking point. As reported in the 2022 Agents of Transformation report, top concerns for IT leaders are: increased security threats, tech stack availability and performance and speed of innovation. In addition, there’s overwhelming agreement (95%) that almost every aspect of these roles is equally or more difficult now compared to four years ago. No argument, a lack of time as teams shift to align processes with business priorities is taking its toll on technologists everywhere. And while DevSecOps is a solid step in protecting apps before release, components are always at risk of becoming outdated, and post-production vulnerabilities can slip through unnoticed along the app delivery chain.
Five ways to align security, collaboration and business outcomes
- Emphasize security from the top-down: Security should be a company-wide concern at all times due to how threats can disrupt organizations at all levels. Initiatives, training and internal communications need to come from leadership (as a non-negotiable) and trickle down through human resources, marketing, sales, finance, IT and other departments to ensure the entire workforce collaborates to prevent incidents and responds in unison to remediate when security events occur.
- Unify siloed IT teams: Embrace one, unified platform across app development that delivers a shared context across the IT estate to achieve transparency needed for optimal visibility into security risks that impact business goals.
- Leverage artificial intelligence and machine learning (AI/ML): Automation is arguably the only way to keep up. Attackers use AI/ML as a first line of offense, which leaves orgs lacking automated visibility, an easy target for being outsmarted and slow to react at almost every turn.
- Dampen alert fatigue: Technologists need a deep understanding of exactly how security integrates with and supports underlying, critical business outcomes. That knowledge is imperative to gauge severity when an incident occurs and alert volumes skyrocket. Without that knowledge, it’s difficult, especially in the throes of incident response, to confirm which tactic will efficiently mitigate the vulnerabilities.
- Reduce exposure to threats: Cisco Talos security leader, Martin Lee says that his team finds approximately 250 new vulnerabilities per year and recommends companies think about layers of security. Doing so enables teams to verify and contain software so that when a vulnerability is exposed or the code gets compromised, it can’t cause too much damage.
Looking forward: The future of app security
It’s difficult to think and plan too far into the future due to the constant rapid innovation exceeding what’s currently possible. It is safe to say collaborative team approaches supported by transparency and security-first cultures will have an advantage as automated vulnerability detection evolves. Monitoring and observability tools, delivering shared context across application delivery chains, are well-positioned to become the norm as AI/ML assisted code development continues to expose vulnerabilities while code is being written.