Recent reports from the software industry highlight growing tensions and disagreements between application security (AppSec) staff and application developers concerning the needs of cloud-native applications. The concern also extends to the challenge of retaining skilled developers in this environment.
The crux of the problem is the unsuitability of traditional AppSec tools for cloud environments. This predicament leaves AppSec teams dealing with the fallout of not having the right cloud-native tools, leading to internal friction, retention problems, revenue issues, reputation disputes, and a significant amount of time spent identifying vulnerabilities.
However, there is a silver lining. AppSec teams understand their needs and have a clear consensus on what a modern, cloud-native AppSec model should look like. But, unfortunately, only a small number of teams currently possess the capabilities to effectively meet these requirements.
An Exploration of the Impact of Inadequate Cloud-Native Tools
In May, Backslash Security, a provider of cloud-native AppSec solutions, released a study titled “Breaking the Catch-up Cycle: The New Cloud-Native AppSec Paradigm Survey Report.” The study delves into how application security has evolved with the advent of cloud-native app development.
The research investigates the practices, tools, and needs of CISOs, AppSec managers, and AppSec engineers in large enterprises with mature cloud-native app development environments. The findings reveal that while 85% of AppSec professionals believe that differentiating between real threats and false positives is vital, only 38% have the ability to do so.
The study indicates that mature DevOps organizations are negatively impacted by the shortage of cloud-native tools. AppSec teams are caught in a constant cycle of playing catch-up, struggling to keep pace with the increasingly fast and agile development schedules, and continuously addressing vulnerabilities.
Playing Defense in AppSec
The report shows that a staggering 58% of respondents spend more than half their time addressing vulnerabilities, and an alarming 89% spend at least a quarter of their time in this defensive state. This predicament, referred to as a “defensive tax,” costs companies over $1.2 million annually, the report estimates.
This costly issue arises because AppSec teams are struggling to keep pace with the rapid deployment of code to the cloud by their development counterparts. A significant part of the problem is outdated tools that don’t provide the cloud context AppSec teams need to do their jobs effectively. Current application security tools compound the problem by generating an excessive number of low-value alerts.
A Modernized Approach Needed
AppSec teams are calling for the introduction of modern, cloud-native tools. The most common complaints about the current tools include excessive noise and time-consuming prioritization of findings.
AppSec professionals were found to agree on what cloud-native capabilities are most important for their daily tasks. These include the automatic correlation of AppSec risk to an app’s exposure to the outside world.
A large majority (91%) of respondents said that this is important, highlighting the growing tension between AppSec and developers due to disagreements on code weaknesses and critical vulnerabilities. Furthermore, 82% of respondents emphasized the importance of visualizing end-to-end cloud-native application threat models.
The Impact of Inaction
The inability to address false positives effectively causes AppSec teams to lose credibility among developers. The lack of cloud-native tools has led to increased friction between AppSec teams and developers, and difficulty in retaining talent in both areas.
AppSec teams know what they need, but the question is whether the industry is ready to provide it. An overwhelming majority (85%) of AppSec professionals want the ability to differentiate actual code risks from low-risk issues, but only 38% have the capabilities to do this with their current tools.
Addressing the Tensions
AppSec teams want to have a good working relationship with their developer counterparts. The lack of cloud-native tools affects this relationship differently depending on the role. For example, AppSec engineers worry about retaining developer talent, while their managers are more concerned about keeping AppSec talent. CISOs, who oversee both teams, are worried about the friction between the two.
The survey also revealed a lack of cloud-native capabilities that enable AppSec and developer teams to work well together. For instance, 78% of respondents said it’s essential to correlate security findings to the developer team responsible for the fix, but only 43% have the tools to do this.
The Cost of Inaction
The inefficiency caused by inadequate tools leads to a significant amount of wasted AppSec time, costing companies a lot of money. The cost of this “defensive tax” is estimated to be over $1 million per year.
The Future of AppSec
Less than half of the survey respondents reported that their organizations deploy code at least once per day, indicating that the pace of development is increasing. Traditional AppSec tools cannot keep up with this pace, leaving teams perpetually playing catch-up. The lack of adequate cloud-native AppSec tools has wide-ranging impacts, particularly on personnel.
The key takeaway from the study is that the AppSec industry is ready for a significant shift and needs tools that are designed for cloud-native applications. These tools need to be able to effectively differentiate between real threats and false positives, provide a clear understanding of an application’s exposure to the outside world, and correlate security findings to the developer team responsible for the fix.
In order to foster better collaboration between AppSec and developer teams, these tools also need to be able to visualize end-to-end cloud-native application threat models. These capabilities will help to reduce the friction between the two teams and improve the overall security posture of the organization.
The industry should take these findings seriously. Ignoring the urgent need for cloud-native AppSec tools will only exacerbate the issues of internal friction, talent retention, and wasted resources. With the increasing pace of development and the rapid deployment of code to the cloud, the need for these tools is only going to grow.
In conclusion, organizations should prioritize investing in cloud-native AppSec tools. Not only will this investment improve the overall security of their applications, but it will also increase the efficiency of their AppSec teams, improve collaboration with developers, and ultimately save them money in the long run.