Last updated on April 11th, 2023 at 10:04 am
By Gregg Ostrowski, CTO Advisor, Cisco AppDynamics
Application security has become a massive challenge for technologists over the past two years, with the scale and sophistication of cybercrime threats seemingly growing by the day.
IT teams have been operating under relentless pressure to increase application velocity and deliver ever more intuitive and personalized digital experiences to customers and employees. And as a result, application security has largely failed to keep pace. The latest research from Cisco AppDynamics, The shift to a security approach for the full application stack, reveals that 92 per cent of technologists feel that rapid innovation during the pandemic has come at the expense of robust application security.
With the availability of low-code and no-code platforms, IT teams have been able to develop apps at ever higher speeds and run them across a multitude of platforms. Application components increasingly run on a mix of platforms and on-premise databases, leading to a big expansion in attack surfaces and applications becoming increasingly vulnerable to gaps in security.
Acutely aware of the risks this presents, technologists are urgently looking to evolve their approach to application security to manage risk across cloud native applications and architectures.
The research identifies six steps that all organizations need to take to ensure robust application security within modern application stacks.
1. Adopt a security approach for the full application stack
A security approach to the full application stack delivers complete protection for applications, from development through to production, across code, containers and Kubernetes. Additionally, a full stack application approach also needs to have a view on how the business is being impacted.
With runtime application self-protection (RASP), technologists can protect applications from the inside out, wherever they live and however they are deployed. They can see what is happening inside the code to prevent known exploits and simplify vulnerability fixes. Developers can generate targeted insights into their application environments that allow them to respond to threats at scale—whether that’s in containers, on-premises, or in the cloud—and integrate security throughout the entire application lifecycle.
More than three quarters of technologists state that the implementation of a security approach to the full application stack is now a priority for their organization.
2. Continuous detection and prioritization
Robust automation strengthens security postures, identifying threats and resolving them independent of an admin. This reduces human error, increases efficiency, and drives greater agility in development — enabling teams to ship and deploy applications even faster.
Automation can also help to contextualize security, correlating risk in relation to other key areas such as the application, user and business. Business transaction insights enable technologists to measure the importance of threats based on severity scoring, factoring in the context of the threat. This means that they can prioritize threats that could damage a business critical area of the environment or application. Technologists can cut through the data noise caused by high volumes of security alerts and focus on the things that really matter.
3. Adopt a DevSecOps approach
IT departments are increasingly adopting a DevSecOpsapproach, which integrates application security throughout the development cycle from the very beginning. This is achieved through both security automation, which integrates security gates throughout development without slowing down the process, as well as a strategic and cultural shift to built-in security.
With DevSecOps, security becomes a consideration at every stage of the application lifecycle and a shared responsibility. Rather than security being an afterthought, DevOps works with SecOps to identify and prioritize security issues at every step, innovations that result in better user experiences, more secure products and improved security management before, during, and after release.
A vast majority of technologists now believe that a DevSecOps approach is critical to effectively protect against a multi-staged security attack on the full application stack.
4. Invest in upskilling the skillsets of developers and engineers
Currently, less than half of technologists are fully confident that they themselves and their teams have the skills required to manage current application security threats. This skills gap is something that organizations need to address as a matter of priority, through upskilling and cross-skilling.
In particular, the shift to a DevSecOps approach will require all technologists, whether they come from the development, performance or security side, to broaden their skill sets to be able to work effectively as part of an integrated application team. So security professionals will have to develop new skills and greater understanding in application development, and developers will need to become more knowledgeable about security.
79 per cent of technologists believe that successful modern technologists are those who can be both specialists in their particular field, but generalists across other areas of the technology stack.
5. Embed Artificial Intelligence into application security processes
Given the volume of new security threats which organizations are facing, Artificial Intelligence (AI) and Machine Learning (ML) is now essential to identify gaps, predict vulnerabilities and automate processes to remediate any security holes. As bad actors ramp up their use of AI and ML, it’s vital that enterprise security teams don’t fall behind. AIOps extend human capabilities in multiple cybersecurity tasks, including monitoring, assessing, and resolving security issues—freeing up security teams to focus on higher-value issues and enabling them to collaborate more effectively and strategically throughout the development lifecycle.
The need for AI will only increase in the future – 76 percent of technologists believe that AI will play an increasingly important role in addressing the challenges around speed, scale and skills that their organization faces in application security.
6. Adopt an SRE model
Site Reliability Engineer (SRE) has become one of the hottest job titles across the IT industry.
Many development and operations teams have traditionally operated with a ‘silo mentality’, with essentially conflicting goals. Development teams have prioritized release velocity and product features above all else, while ops teams have been focused solely on production stability, ensuring that applications don’t suffer from performance issues or outages.
The SRE role is crucial to overcome this long-standing conflict of interests, bringing together these two functions for the overall benefit of the project, end users and business.
Application security can no longer be an afterthought within the application lifecycle; instead it must become a critical element of the application lifecycle, and a major consideration from the very outset. A holistic and integrated strategy for application security is now essential for organizations to reap the benefits of cloud native technologies, while managing an increasingly complex risk landscape.