Microservices, containers, and Kubernetes have created security blind spots
A new study released today from Dynatrace finds that CISOs are increasingly concerned that rising adoption of cloud-native architectures and DevSecOps practices may have broken traditional approaches to application security.
The research finds that 89 percent of CISOs believe microservices, containers, and Kubernetes have created application security blind spots, while 71 percent admit they are not fully confident that code is free of vulnerabilities before it goes live in production.
In addition, the global survey of 700 CISOs shows that 97 percent of organizations do not have real-time visibility into runtime vulnerabilities in containerized production environments. Nearly two-thirds (63 percent) of CISOs say DevOps and Agile development have made it more difficult to detect and manage software vulnerabilities, and 74 percent say traditional security controls such as vulnerability scanners no longer fit today's cloud-native world.
"The increased use of cloud-native architectures has fundamentally broken traditional approaches to application security," says Bernd Greifeneder, founder and chief technology officer at Dynatrace. "This research confirms what we've long anticipated: manual vulnerability scans and impact assessments are no longer able to keep up with the pace of change in today's dynamic cloud environments and rapid innovation cycles. Risk assessment has become nearly impossible due to the growing number of internal and external service dependencies, runtime dynamics, continuous delivery, and polyglot software development which uses an ever-growing number of third-party technologies. Already stretched teams are forced to choose between speed and security, exposing their organizations to unnecessary risk."
Among the other findings: on average, organizations need to react to 2,169 new alerts of potential application security vulnerabilities each month. However, 77 percent of CISOs say most security alerts and vulnerabilities are false positives that don't require action because they are not actual exposures. In addition, 68 percent say the volume of alerts makes it very difficult to prioritize vulnerabilities based on risk and impact.
The full report is available from the Dynatrace site.