How AppSec can help enterprises make sense of cloud-native development [Q&A]

Today's application security landscape is complex and can lead to teams spending a lot of time hunting down vulnerabilities. Add in the move to cloud-based development and there's an even higher volume of code to deal with.

We spoke to Shahar Man, CEO at Backslash Security, to learn more about what AppSec needs to look like in this world and how it ties in with greater use of the cloud.

BN: How does the application security landscape look today? What are the primary challenges AppSec teams face?

SM: The application security landscape today presents significant challenges for AppSec teams. Many find themselves trapped in a catch-up loop chasing one vulnerability to the next in an effort to keep pace with the agile methodologies of their developer counterparts. Despite the dramatic shift in development methodology (agile, DevOps) and infrastructures (cloud deployments), the application security landscape hasn't really changed much in the last decade. Existing AppSec solutions have not adequately adapted to the cloud-native development environment, leading to difficulties in differentiating between high-risk security alerts and noise. This cloud-native gap has resulted in growing friction between AppSec and development teams.

According to a survey of 300 CISOs and AppSec leaders conducted by Backslash Security, 58 percent of respondents report spending over 50 percent of their time chasing vulnerabilities. On top of this, 89 percent spend at least 25 percent of their time in this defensive mode. And it's not just about time lost. The resulting cost of employing AppSec engineers who chase vulnerabilities rather than driving a comprehensive cloud-native AppSec program is estimated to be upwards of $1.2 million annually.

BN: How does this impact AppSec teams' day-to-day?

SM: Cloud-native app development has shifted code output levels to new heights, making a substantial day-to-day impact on AppSec teams. According to the survey report, 47 percent of AppSec respondents push code into production at least once per day, with 29 percent reporting doing so multiple times per day. Yet despite this significant volume, AppSec professionals face near-constant hindrances to their productivity and effectiveness. Due to the constant chase of vulnerabilities, teams spend a considerable amount of their time prioritizing vulnerabilities they find and dealing with noisy AppSec tools.

These challenges lead to a firefighting mode of operation, where AppSec teams struggle to address vulnerabilities rather than proactively implementing comprehensive security measures. Consequently, productivity, innovation, and talent retention suffer for both AppSec and development teams.

BN: How important is cloud context when it comes to effective application security?

SM: Cloud context -- and context in general -- plays a crucial role in application security. By establishing context, AppSec teams can better understand the perspective of potential threats and stop them at their source, rather than aimlessly approaching vulnerabilities. AppSec teams need to consider the specific cloud environment and its associated risks to secure cloud-native applications effectively.

According to our survey report, 91 percent of respondents believe it is important to correlate application security risks with the application's exposure to the outside world, such as through open APIs. Understanding the cloud context allows AppSec teams to gain end-to-end visualization of all microservices within cloud-native applications. This visualization enables them to analyze risks more efficiently and tailor their security measures to address the unique challenges posed by the cloud environments they operate in.

BN: Why is prioritization crucial for successful application security?

SM: The feverish pace of modern code development requires a system of prioritization that not only identifies the code that carries the highest security risks, but also allows AppSec teams to allocate their limited resources effectively and frees them up to set and enforce the optimal cloud-native security policies. Effective prioritization allows for quick and efficient triaging, as AppSec can immediately know which team or developer is responsible for fixing the vulnerability in question. Currently, AppSec teams have very limited time to set and enforce the optimal cloud-native security policies to make their lives -- and those of developers -- easier. By prioritizing vulnerabilities and focusing on critical areas, AppSec teams can optimize their workflow and address the most significant security risks promptly.

82 percent of respondents to the Backslash survey report agreed that automating threat model visualization will help AppSec teams save time and manual labor in analyzing cloud-native application risks. Effective prioritization not only helps AppSec teams utilize their resources efficiently but also reduces the mean time to recovery (MTTR) for potential security incidents.
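Context-aware prioritization of the kind described above, as an added illustration that is not part of the interview and not Backslash's own product logic: scanner findings are re-ranked by whether the owning service is reachable from the internet and handles sensitive data, then grouped into one triage queue per owning team. The services, findings, field names and weights are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed deployment context: which services are reachable from the
# internet (e.g. through a public API), which handle PII, and who owns them.
@dataclass(frozen=True)
class Service:
    name: str
    team: str
    internet_exposed: bool
    handles_pii: bool

@dataclass(frozen=True)
class Finding:
    id: str
    service: str       # name of the Service the finding was raised against
    severity: float    # scanner score on a 0-10 scale, with no cloud context

SERVICES = {
    "payments-api": Service("payments-api", "payments", True, True),
    "report-batch": Service("report-batch", "data-eng", False, False),
}

# Constructed scanner output: F-1 and F-2 share the same raw severity.
FINDINGS = [
    Finding("F-1", "report-batch", 7.5),
    Finding("F-2", "payments-api", 7.5),
    Finding("F-3", "report-batch", 9.0),
]

def contextual_score(finding: Finding, svc: Service) -> float:
    """Adjust the raw severity by exposure context (weights are assumptions)."""
    score = finding.severity
    if not svc.internet_exposed:
        score *= 0.4          # no external attack path: much lower urgency
    if svc.handles_pii:
        score *= 1.2          # sensitive data raises business impact
    return round(min(score, 10.0), 1)

def prioritise(findings, services):
    """Return (score, finding id, owning team) tuples, highest priority first."""
    ranked = [(contextual_score(f, services[f.service]), f.id, services[f.service].team)
              for f in findings]
    return sorted(ranked, key=lambda r: (-r[0], r[1]))

def triage_queues(findings, services):
    """Group the ranked findings into one ordered work queue per owning team."""
    queues = {}
    for _score, fid, team in prioritise(findings, services):
        queues.setdefault(team, []).append(fid)
    return queues
```

With this context applied, the internet-facing payments finding outranks a higher raw-severity finding on the internal batch job, and each team receives only the items it owns.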

BN: What does a modern AppSec paradigm look like?

SM: A modern AppSec paradigm should encompass key elements that align with the needs of cloud-native application development. These elements include: end-to-end visualization, automatic identification and prioritization, and intelligent triaging and remediation.

End-to-end visualization of all microservices within cloud-native applications gives AppSec teams a comprehensive view of the application's security posture, enabling them to identify potential vulnerabilities and risks across the entire application architecture. From there, automatic identification and prioritization of high security risks allows AppSec teams to focus their efforts on addressing application code that poses significant threats to the application's security. In doing so, the final step of intelligent triaging and remediation ensures that security issues are appropriately addressed, reducing the time and effort required for resolution.

The integration of these capabilities helps bridge the gap between AppSec and development teams, enhances collaboration, and enables organizations to effectively address security challenges in cloud-native environments. By adopting this paradigm, enterprises can accelerate innovation, retain valuable talent, and ensure the security of their cloud-native applications.

Image credit: Wavebreakmedia/depositphotos.com

© 1998-2024 BetaNews, Inc. All Rights Reserved.