Vulnerability management made harder by complex supply chains


New research reveals that CISOs are finding it increasingly difficult to keep their software secure as hybrid and multicloud environments become more complex, and teams continue to rely on manual processes that make it easier for vulnerabilities to slip into production.

The study from Dynatrace shows 68 percent of CISOs say vulnerability management is more difficult because the complexity of their software supply chain and cloud ecosystem has increased.

Only half say they are fully confident that the software delivered by development teams has been completely tested for vulnerabilities before going live in production environments. In addition, 77 percent of CISOs say it's a significant challenge to prioritize vulnerabilities because of a lack of information about the risk these vulnerabilities pose.

The report shows that 58 percent of the vulnerability alerts that security scanners flag as 'critical' are not important in production, wasting valuable development time chasing down false positives. On average, each member of development and application security teams spends 28 percent of their time -- or 11 hours each week -- on vulnerability management tasks that could be automated.

"Organizations are struggling to balance the need for faster innovation with the governance and security controls they established to keep their services and data safe," says Bernd Greifeneder, chief technology officer at Dynatrace. "The growing complexity of software supply chains and the cloud-native technology stacks that provide the foundation for digital innovation make it increasingly difficult to quickly identify, assess, and prioritize response efforts when new vulnerabilities emerge. These tasks have grown beyond human ability to manage. Development, security, and IT teams are finding that the vulnerability management controls they have in place are no longer adequate in today's dynamic digital world, which exposes their businesses to unacceptable risk."

Among other findings, 75 percent of CISOs say the prevalence of team silos and point solutions throughout the DevSecOps lifecycle makes it easier for vulnerabilities to slip into production. 81 percent believe they will see more vulnerability exploits if they can't make DevSecOps work more effectively; however, just 12 percent of organizations say they have a mature DevSecOps culture.

The report is available from the Dynatrace site.


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.