Comprehensive study shows an urgent need for organizations to adopt a modernized approach to their application security processes
BOSTON, Aug. 16, 2024: Legit Security, the definitive application security posture management (ASPM) leader providing end-to-end visibility and protection across the entire software factory, and TechTarget’s Enterprise Strategy Group (ESG), a leading IT analyst, research, and strategy firm, today announced the publication of Modernizing Application Security to Scale for Cloud-native Development. The report delves into the development trends driving the need to modernize application security programs and evaluates pressing challenges that application security teams encounter with their current tools. The findings underscore the urgency for organizations to modernize their application security practices so that they can support growth and mitigate risks.
“Organizations are increasingly adopting new technologies so that they can bolster their software development, and as modern development has changed, so have attacker tactics,” said Joe Nicastro, Field CTO, Legit Security. “Development teams are using cloud-native technologies to drive efficiency and optimize innovation, but this often leads to a larger attack surface due to misconfigurations, vulnerable plug-ins, and excessive permissions throughout the SDLC. In today’s environment, organizations must adopt security solutions that can protect their software factory from end-to-end while providing developers with the guardrails they need to do their best work safely.”
The report found that application teams face a number of challenges, such as keeping up with the speed and volume of releases and prioritizing remediation. These challenges highlight the importance of a modernized approach and alignment with development and DevOps teams for improved collaboration. Additionally, nearly all organizations reported difficulties in fixing vulnerabilities after applications are deployed, reinforcing the significance of incorporating security processes and tools in the build process.
The report’s key findings include:
- 60% of organizations use IaC to simplify infrastructure provisioning and easily deploy software applications. However, with increased IaC adoption, misconfigurations can be magnified because flaws are easily proliferated if not addressed. Of particular concern, 67% of respondents report an increase in IaC misconfigurations.
- 45% of security teams supporting cloud-native development processes said understanding and managing risks related to usage of generative AI is their biggest challenge, followed by measuring and improving AppSec program effectiveness, and understanding developer environments and assets to effectively manage security.
- The majority of organizations experienced a cybersecurity event involving their cloud-native application stack in the last 12 months, with secrets stolen from a source code repository (32%) coming in as the most common incident.
- Only 39% of organizations report that their security teams have visibility for certain applications, reinforcing the necessity for visibility into security testing in development.
“Our research calls attention to how traditional application security teams need solutions that support modern development processes as they scale to drive productivity and business growth,” said Melinda Marks, Practice Director, Cybersecurity, Enterprise Security Group. “The research showed that in addition to securing the applications, security teams need to address security related to how developers work, including secrets, pipeline tools, containers, and source code repositories. While these elements enable developers to work quickly and collaborate, the added attack surfaces and chance for mistakes become greater as development scales. By understanding and addressing these areas, organizations can improve their security programs. This is important as we have seen all too often that just one incident can have severe ramifications on the business, including data loss, business disruption, application downtime, customer data loss, malware, and compliance fines.”