The events of 2020 greatly accelerated digital transformation, with organizations of all sizes scrambling to compete for online shoppers and service the needs of remote employees. This has increased use of the platforms and processes that underpin digital transformation efforts: multicloud environments, cloud-native applications, fast release cycles, and DevSecOps. At a time when teams are already stretched thin, the pace of digital transformation – and the complexity it’s created – has exploded over the last year.
Dynatrace’s 2020 research shows 89% of CIOs said their organizations’ digital transformation projects had accelerated over the prior year, with 86% facilitating that transformation through the adoption of cloud-native technologies such as Kubernetes, containers, and microservices. As organizations have adopted these technologies, they’ve found their dynamic multicloud environments have become too complex and too large to manage manually anymore—and those challenges also extend to application security.
Traditional security buckling under pressure
With increased reliance on cloud-native application architectures, traditional application security approaches are failing. Conventional application security tools, such as static application security testing (SAST) and software composition analysis (SCA), might have been adequate approaches in 2015. However, by today’s standards, they are too slow and place too large a burden on software development teams, who are forced to sift through page after page of vulnerability alerts, manually finding and applying corrections while also wasting time on false positives.
Similarly, most security tools that are designed for production environments, such as vulnerability scanners, have blind spots. These tools were not designed for the containers, microservices, and Kubernetes platforms that organizations commonly use today, and they fail to capture real-time changes as they occur in pre-production and production environments. These tools require too much manual configuration, and in many cases, they just don’t work as expected in modern production environments. Just as multicloud environments have outgrown any one person’s ability to monitor and manage them, they’ve also outgrown traditional application security methods.
DevSecOps has reached an unsustainable status quo. The typical security tools that development teams have at their disposal are built with waterfall-based development in mind. That doesn’t mesh with DevSecOps’ more agile approach. And it’s not just that these tools are too time consuming or not developer-friendly; they’re also heavily prone to generating false positives. If vulnerability scanners are already failing to separate the false positives from the real vulnerabilities, every alert will get treated like a real problem. Consequently, application developers end up spending unnecessary amounts of time and effort manually chasing down red flags that aren’t real .
As a result, DevOps teams are now dealing with the following issues:
- Increased responsibility on developers to ensure their code remains vulnerability-free.
- Manual processes that produce vulnerability assessments, which are imprecise in their risk and impact analysis.
- Too much time spent chasing down false positives.
- Little to no time available to manually assess risks because of a lack of automatic and continuous vulnerability scans. Consequently, even the most common vulnerabilities can end up slipping past their notice.
Make that next-generation upgrade to application security
If traditional application security can’t handle an organization's need for speed, automation, and accuracy, then it needs a next-generation upgrade. Organizations need to arm their DevSecOps teams with highly automated security systems that are built to handle the rapid pace of software development as well as rapidly changing production environments. That means prioritizing the following capabilities:
- Real-time, continuous runtime application self-protection features for cloud-native applications in preproduction and production environments.
- Real-time topology mapping and distributed tracing with code-level analysis that can help precisely identify vulnerabilities in preproduction and production environments, and ensure DevSecOps teams understand each vulnerability’s true impact on the business.
- Automatic, continuous discovery and instrumentation that provides complete vulnerability coverage, so that DevSecOps never misses a code change or new deployment.
- AI-powered risk and impact analysis and remediation, for continuous visibility into identifying changes, prioritizing alerts, and generating precise answers about the root cause, nature, and severity of any given vulnerability – ensuring that software developers can quickly and effectively remediate each vulnerability.
Application security is a ticking clock, where every second counts—and organizations simply don’t have time to waste with yesterday’s solutions. As IT environments become more complex, and as the scope of threats they face becomes more robust, organizations need to rely on an AI-driven, continuously automated system of vulnerability detection and risk assessment that keeps them secure.
Dave Anderson, digital and brand evangelist, Dynatrace