CISO Research: Traditional application security measures are broken

Today’s cloud-native, multicloud environments have broken traditional approaches to application security, bringing organizations more questions than answers. And with 89% of CISOs agreeing microservices, containers, and Kubernetes have created application security blind spots, it’s unsurprising teams are looking for a new approach to application security to help.

Traditional approaches to security are broken

Traditionally, CISOs would instruct teams to manually carry out vulnerability scans and impact assessments. Applying this approach in a rapid-pace development environment, where new software releases are happening on a weekly basis, has grown untenable. And so as teams are met with the growing need to innovate faster, shifting to a cloud-native way of working isn’t reaping all the benefits it once promised. The survey also showed that increasingly complex IT environments are creating significant vulnerability blind spots with outdated security tooling unable to see inside containers to monitor application vulnerabilities at runtime.

This report found almost three-quarters (74%) of CISOs believe traditional security controls such as vulnerability scanners no longer fit today’s cloud-native world, with almost all (97%) CISOs stating they don’t have real-time visibility into runtime vulnerabilities in containerized production environments. More concerning, 71% of CISOs admit they are not fully confident code is free of vulnerabilities before going live in production.

Managing the number of security vulnerabilities in modern cloud environments is now beyond human ability. Indeed, participants in this research reported, on average, organizations need to react to 2,169 new alerts of potential security vulnerabilities each month. That’s a lot of alerts for teams to work through, identify as a problem, and determine which needs actioning. With this volume of alerts, and without effective automation, it’s inevitable teams will waste time and miss acting on important vulnerabilities.

Bernd Greifeneder, Founder and Chief Technology Officer at Dynatrace commented, “This research confirms what we’ve long anticipated: manual vulnerability scans and impact assessments are no longer able to keep up with the pace of change in today’s dynamic cloud environments and rapid innovation cycles.”

Effective DevSecOps requires automation

As the need to innovate faster increases, developers’ time becomes more precious. They cannot waste time triaging problems and chasing false positives. Even alternative approaches, such as scanning source code or container images in pre-production environments, cannot offer real-time visibility into live exposures.

Instead, the findings from our research reveal organizations need to adopt a new strategy for application security management, with 77% of CISOs saying the only way for security to keep up with modern cloud-native application environments is to replace legacy vulnerability assessment approaches with more automated approaches.

Leveraging a single, automated platform for application security, performance and reliability will eliminate all guesswork, false positives, and blind spots by providing the full context needed to manage digital services effectively across the entire environment. Overall, this will give teams time back to innovate and focus on things that matter.

With Dynatrace’s newest module, Dynatrace® Application Security, teams to do just this. Using Dynatrace Application Security teams can accelerate DevSecOps processes through automation and the elimination of mundane work. Runtime application security automatically and continuously analyzes applications at runtime in production and pre-production. This helps ensure development teams don’t have to waste time with manual scans. In addition, this provides the C-suite with confidence in the security of their cloud-native production deployments.