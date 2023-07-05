IT


AppSec, Devs Clash Flags Need for Paradigm Shift in Software Industry


According to a recent software industry security report, tension between application security (AppSec) teams and application developers is rising, driven by the lack of tooling built for cloud-native environments. Retaining developer talent under these conditions is a growing concern as well.

The fundamental issue is that traditional AppSec tools were not designed for cloud environments, so AppSec teams deal with the consequences of missing cloud-native tooling every day. The result is friction between teams, trouble retaining talent, revenue and reputation concerns, and, for most respondents, more than half of their working time spent chasing vulnerabilities.

The good news? AppSec teams know what they need, and AppSec pros are overwhelmingly aligned on what a modern, cloud-native AppSec paradigm should look like. However, despite this understanding, only a limited number of teams have the necessary capabilities to fulfill these requirements effectively.

Study Reveals Effect of Inadequate Cloud-Native Tools

In May, cloud-native AppSec solutions provider Backslash Security released a study titled “Breaking the Catch-up Cycle: The New Cloud-Native AppSec Paradigm Survey Report.” It explores how application security has evolved since the rise of cloud-native application development.

The study examines the practices, tools, and needs of CISOs, AppSec managers, and AppSec engineers at enterprise organizations of 1,000 or more employees with mature cloud-native app development environments. The results show that 85% of AppSec pros consider the ability to distinguish real risks from noise critical, but only 38% say their current tools fully enable them to do so.

According to researchers, mature DevOps organizations cite widespread impact due to the lack of cloud-native tools. AppSec teams are stuck in a catch-up cycle, unable to keep up with the increasingly rapid, agile dev pace and playing security defense via an endless and unproductive vulnerability chase.

“Inadequate cloud-native tooling is a root cause of friction between AppSec teams and developers. Current-gen AppSec tools lack the ability to report the level of evidence required for dev teams to act on alerts,” Backslash Security CEO and co-founder Shahar Man told TechNewsWorld.

AppSec Playing Defense

Notably, 58% of respondents report spending more than half of their time chasing vulnerabilities, and 89% spend at least a quarter of their time in this defensive mode, according to the report. The report calls this widespread cost the defensive tax.

The so-called tax, estimated at more than $1.2 million annually, is the cost of employing AppSec engineers who chase vulnerabilities rather than drive a comprehensive cloud-native AppSec program. Application security teams are struggling to keep up with increasingly fast-paced development teams that are rapidly deploying code to the cloud, Man said.

A significant problem is that their tools are outdated, he said. They lack the cloud context AppSec teams need to judge which findings matter, and they make matters worse by generating an excessive number of low-value alerts.

Man urged that AppSec teams need to be equipped with modernized, cloud-native tools. The most common complaints about the current tools AppSec pros have at their disposal are no surprise. AppSec workers claim their traditional tools are noisy and make prioritizing findings too time-consuming.

“That said, we have found that AppSec professionals are very much aligned on the cloud-native capabilities that are most important to their day-to-day. The core aspects of modern AppSec are the automatic correlation of AppSec risk to app exposure to the outside world,” Man explained.

A large majority of respondents (91%) said this correlation is important. Friction between AppSec and developers is growing because the two sides cannot agree on which findings are general code weaknesses and which are critical vulnerabilities. Furthermore, 82% of the respondents highlighted the importance of end-to-end visualization of cloud-native application threat models.

Lack of Action Fueling the Rift

Combined with the sheer volume of false positives reported, AppSec teams end up losing credibility in the eyes of developers. When surveyed about the impact of the lack of cloud-native tools for this report, respondents cited the growing AppSec/dev friction as the number one issue, followed by retaining dev and AppSec talent.

“Clearly, AppSec teams know what they need, but the bigger question is whether the industry is ready to give it to them,” challenged Man.

For example, an overwhelming majority (85%) of AppSec pros want the ability to differentiate real code risks from low-risk issues, making it the most crucial cloud-native capability. But only 38% are fully enabled to do this using their current toolset.

“These massive enablement gaps extend across core cloud-native capabilities,” he noted.

Pining for Easing Tensions

Man added that one of the things AppSec teams want most is to work well with their dev counterparts, a core concern that came up throughout the survey. Each AppSec role has its own perspective on how the lack of cloud-native tools affects the AppSec/dev relationship.

For instance, AppSec engineers spend their days very much in the trenches. They worry most about retaining dev talent. But their managers are concerned most with retaining AppSec talent. Meanwhile, CISOs, with their top-level view of both sides of the equation, worry about friction between the two teams.

Also of note, according to Man, are the cloud-native capabilities that let AppSec and dev work well together. The survey found these notably lacking.

For example, 78% of respondents said correlating security findings to the dev team responsible for the fix is essential. But only 43% are fully enabled to do this now.

The study showed a similar gap for efficient triaging between dev and AppSec: 73% called it essential, but only 42% are fully enabled to do it today.
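The two correlations respondents ask for above, finding to deployment exposure and finding to the team that owns the fix, can be sketched in a few dozen lines. This is an added illustration, not code from the Backslash report or its product. The scanner output, the per-service cloud context and the CODEOWNERS file are constructed sample data, the scoring weights and the "noise" rule list are assumptions, and the CODEOWNERS matcher handles only a subset of the real syntax.

```python
"""Toy ASPM-style triage: enrich raw scanner findings with deployment
exposure and code ownership, drop noise, and rank what is left.

Illustrative example only (not any vendor's product). All inputs below
are constructed sample data; the weights are assumptions."""
from fnmatch import fnmatch

# Constructed sample of SAST/SCA output in a hypothetical flat format.
RAW_FINDINGS = [
    {"id": "F1", "rule": "sql-injection",    "severity": "high",
     "file": "services/checkout/db.py",      "service": "checkout"},
    {"id": "F2", "rule": "sql-injection",    "severity": "high",
     "file": "tools/batch/cleanup.py",       "service": "batch-cleanup"},
    {"id": "F3", "rule": "weak-hash-md5",    "severity": "medium",
     "file": "services/checkout/cache.py",   "service": "checkout"},
    {"id": "F4", "rule": "hardcoded-secret", "severity": "high",
     "file": "services/auth/config.py",      "service": "auth"},
    {"id": "F5", "rule": "unused-import",    "severity": "low",
     "file": "services/auth/util.py",        "service": "auth"},
]

# Constructed sample of cloud context a real tool would pull from inventory.
SERVICE_CONTEXT = {
    "checkout":      {"internet_facing": True,  "handles_pii": True,  "deployed": True},
    "auth":          {"internet_facing": True,  "handles_pii": True,  "deployed": True},
    "batch-cleanup": {"internet_facing": False, "handles_pii": False, "deployed": True},
}

# Constructed CODEOWNERS file; as on GitHub, the last matching pattern wins.
CODEOWNERS = """\
*                   @platform-team
services/checkout/  @payments-team
services/auth/      @identity-team
"""

SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}   # assumption
NOISE_RULES = {"unused-import"}   # hygiene rules with no security impact (assumption)


def parse_codeowners(text):
    """Return [(pattern, [owners...]), ...] in file order, comments stripped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, owners))
    return rules


def _matches(pattern, path):
    # Simplified subset of CODEOWNERS semantics: "*" matches everything,
    # a trailing "/" means directory prefix, anything else is a glob.
    if pattern == "*":
        return True
    if pattern.endswith("/"):
        return path.startswith(pattern.lstrip("/"))
    return fnmatch(path, pattern.lstrip("/"))


def owner_for(path, rules):
    """Team that owns `path` per CODEOWNERS rules (last match wins)."""
    owner = None
    for pattern, owners in rules:
        if _matches(pattern, path):
            owner = owners[0] if owners else None
    return owner


def score(finding, ctx):
    """Severity weighted by how exposed the deployed service is; 0 means noise."""
    if finding["rule"] in NOISE_RULES:
        return 0, ["hygiene rule, not a security finding"]
    if not ctx.get("deployed", False):   # unknown or undeployed service
        return 0, ["code is not deployed anywhere"]
    reasons = []
    s = SEVERITY_WEIGHT[finding["severity"]]
    if ctx.get("internet_facing"):
        s *= 3
        reasons.append("internet-facing service")
    if ctx.get("handles_pii"):
        s += 1
        reasons.append("service handles PII")
    return s, reasons


def triage(findings, service_context, codeowners_text):
    """Drop noise, attach score/reasons/owner, and rank highest risk first."""
    rules = parse_codeowners(codeowners_text)
    ranked = []
    for f in findings:
        s, why = score(f, service_context.get(f["service"], {}))
        if s == 0:
            continue   # suppressed: nothing for a developer to act on
        ranked.append({**f, "score": s, "reasons": why,
                       "owner": owner_for(f["file"], rules)})
    ranked.sort(key=lambda e: (-e["score"], e["id"]))
    return ranked


if __name__ == "__main__":
    for e in triage(RAW_FINDINGS, SERVICE_CONTEXT, CODEOWNERS):
        print(f'{e["id"]} score={e["score"]:2d} {e["rule"]:16s} -> {e["owner"]} '
              f'({"; ".join(e["reasons"])})')
```

Run as-is, the two SQL-injection findings that a scanner reports identically end up far apart: the one in the internet-facing checkout service is routed to @payments-team at the top of the list, while the copy in an internal batch tool falls to the bottom under the catch-all @platform-team, and the unused-import finding never reaches a developer at all. The "reasons" list is the evidence Man says current tools fail to supply alongside an alert.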

Costly Consequences

Man said one of the biggest surprises in the results was the sheer volume of wasted AppSec time attributed to inadequate tools. That inefficiency is costing companies immensely.

“The cost of playing defense, aka the defensive tax, is major. Conservative estimates put the average enterprise’s cost of wasted AppSec time at over $1 million per year,” he offered.

That estimate is based on average AppSec employee salaries and AppSec team size. That calculation fails to take into account the cost of inadequately securing the given enterprise’s applications, added Man.

Key Takeaways Show New Market Direction

Slightly less than half of the respondents reported their organizations push code at least once per day. The pace of developers is steadily increasing.

“Teams are losing faith in the traditional AppSec tools, as they can’t keep up and are stuck in a perpetual game of catch-up. The impact is far-reaching, with the vast majority of organizations seeing the widespread impact of inadequate cloud-native AppSec tools,” said Man.

The “people” impact is particularly significant, he added. The core takeaway is that the AppSec industry is ready for a substantial change and deserves tools explicitly built to understand the cloud.

Man believes that application security posture management (ASPM) — a new security approach — gives AppSec teams more control and improves the security posture of their applications.

“Finally, there is a new mindset, one that provides a holistic view of the application security posture, allowing AppSec to strike a balance between a ‘shift left’ mentality and being empowered to identify and mitigate vulnerabilities before they can be exploited,” concluded Man.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.
