
Runtime vulnerability management is still a vexing challenge for organizations

Organizations are releasing code faster to keep up with today's competitive landscape. But rapid release cycles also push vulnerabilities into production faster than most teams can find and manage them at runtime.

Vulnerability management continues to be a key concern as organizations strive to innovate more rapidly and adopt cloud-native technologies to achieve their goals.

But cloud-based architecture brings greater complexity and new vulnerability challenges. Even robust cybersecurity tools struggle to monitor the dynamic multicloud environments that containers, microservices, and cloud-based resources create, because the set of running workloads and the libraries they load change continuously.

As a result, C-level executives say that cloud environments have intensified their cybersecurity challenges.

According to the Dynatrace 2022 CISO Report, 69% of roughly 1,300 surveyed chief information security officers (CISOs) say vulnerability management has become more difficult as digital transformation accelerates. At the same time, only 4% say they have real-time visibility into runtime vulnerabilities in containerized production environments.

Further, software development in multicloud environments introduces multiple programming languages and many third-party libraries. Many of these libraries have not been adequately vetted before deployment. As a result, these code sources multiply the opportunities for vulnerabilities to enter the software development lifecycle (SDLC).

According to the Dynatrace CISO report, organizations still lack the insight they need to monitor this code. Only 25% of security teams can access a fully accurate report of every application and code library running in production.

CISOs want, but lack, visibility into runtime threats

For many organizations, that lack of real-time visibility in production became painfully clear in late 2021. Log4Shell, a critical security vulnerability, was a prime example of how cloud-native software development can usher in risk.

Log4Shell (CVE-2021-44228) was a zero-day vulnerability in Log4j 2, a popular Java logging framework. Because the library resolved JNDI lookups embedded in logged strings, an unauthenticated attacker who could get a crafted string into any log message (a User-Agent header, a username, a search query) could make the server fetch and execute attacker-supplied Java code and take control of it. Finding every affected instance was the hard part: log4j-core is often bundled inside other JARs, WARs, and fat JARs, so a list of declared dependencies rarely matches what is actually loaded at runtime.

Less than 40% of organizations have runtime vulnerability management capabilities.

Months after Log4Shell, only 41% of CISOs are confident that their teams could identify and resolve all instances of Log4Shell in their environment.
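The kind of inventory the survey respondents say they lack can be approximated by scanning the artifacts that are actually deployed. The script below is an added example written for this article, not Dynatrace code or the Log4j project's own tooling. It walks JAR, WAR, EAR and ZIP archives, recurses into nested JARs (so a Spring Boot fat JAR or a WAR's WEB-INF/lib is covered), reads log4j-core's Maven pom.properties to recover the exact version, and checks whether the JndiLookup class is still present, which is the class whose removal was the widely used interim mitigation. The sample fat JAR it builds in memory is constructed for the demonstration; the version thresholds in the comments come from the Apache Log4j security advisories, and the script only covers log4j-core 2.x, not Log4j 1.x. Running it in CI, or on a schedule against a container image's filesystem, is one way to catch a fixed vulnerability that has quietly re-entered production.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Log4Shell is CVE-2021-44228. log4j-core 2.0-beta9 through 2.14.1 are
# vulnerable to the RCE; 2.15.0 and 2.16.0 fixed it only partly
# (CVE-2021-45046, CVE-2021-45105), and the Apache project's recommended
# floor for Java 8+ is 2.17.1. These thresholds are from the Apache Log4j
# security page, not from the article above.
RCE_FIXED_IN = (2, 15, 0)
SAFE_FLOOR = (2, 17, 1)

POM_PROPS_RE = re.compile(
    r"^META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Turn the 'version=' line of a pom.properties file into a comparable tuple.
    A pre-release suffix such as '2.0-beta9' sorts below the matching release."""
    for line in text.splitlines():
        if line.startswith("version="):
            v = line.split("=", 1)[1].strip()
            nums = [int(n) for n in re.findall(r"\d+", v.split("-")[0])]
            while len(nums) < 3:
                nums.append(0)
            if "-" in v:
                nums.append(-1)  # (2, 0, 0, -1) < (2, 0, 0)
            return tuple(nums)
    return None


def scan_archive(label, data, depth=0, max_depth=4):
    """Inspect one archive held in memory and recurse into any archives it bundles.
    Returns a list of (label, version tuple or None, jndi_lookup_present)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = zf.namelist()
    version = None
    for n in names:
        if POM_PROPS_RE.match(n):
            version = parse_version(zf.read(n).decode("utf-8", "replace"))
    jndi = JNDI_LOOKUP in names
    if version is not None or jndi:
        findings.append((label, version, jndi))
    if depth < max_depth:  # nested jar-in-jar-in-war; bound the recursion
        for n in names:
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(f"{label}!{n}", zf.read(n), depth + 1, max_depth))
    return findings


def classify(version, jndi_present):
    """Map a finding to an action category."""
    if version is None:
        return "unknown-version" + ("-jndi-present" if jndi_present else "")
    if version >= SAFE_FLOOR:
        return "fixed"
    if version >= RCE_FIXED_IN:
        return "below-recommended-floor"
    if jndi_present:
        return "vulnerable (CVE-2021-44228)"
    return "mitigated (JndiLookup removed), still upgrade"


def scan_bytes(label, data):
    return [(l, v, classify(v, j)) for l, v, j in scan_archive(label, data)]


def scan_paths(paths):
    """Scan files and directories on disk; directories are walked recursively."""
    results = []
    for p in map(Path, paths):
        files = [p] if p.is_file() else [f for f in p.rglob("*") if f.is_file()]
        for f in files:
            if f.suffix.lower() in ARCHIVE_SUFFIXES:
                results.extend(scan_bytes(str(f), f.read_bytes()))
    return results


def build_sample_fat_jar():
    """Constructed sample: a Spring Boot style fat jar bundling log4j-core 2.14.1.
    The .class entries are placeholder bytes, not real Java classes."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                   "version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        z.writestr("BOOT-INF/classes/app/Main.class", b"\xca\xfe\xba\xbe")
    return outer.getvalue()


if __name__ == "__main__":
    targets = sys.argv[1:]
    rows = scan_paths(targets) if targets else scan_bytes("app.jar", build_sample_fat_jar())
    for label, version, verdict in rows:
        print(f"{verdict:45} {version} {label}")
```

Run it with no arguments to see the constructed fat JAR reported as `vulnerable (CVE-2021-44228)` at `app.jar!BOOT-INF/lib/log4j-core-2.14.1.jar`, or pass one or more paths (for example a mounted container image layer) to inventory real artifacts. A version without JndiLookup is reported as mitigated rather than fixed, since removing the class stops the RCE but does not remove the other issues fixed in later releases.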

Moreover, 51% of respondents say that the speed of modern software delivery makes it easier for vulnerabilities to re-enter production after they have been resolved.

According to the report, 79% of CISOs say that automatic, continuous runtime vulnerability management is key to filling the gap in existing security solutions.

Further, 75% of CISOs say that despite having a robust, multi-layered security posture, there are still gaps that allow vulnerabilities into production.

Automation for real-time vulnerability identification and prioritization

The proliferation of security issues has exceeded the ability of humans to identify, prioritize, and remediate these problems.

As a result, CISOs see artificial intelligence and automation as key to their vulnerability management arsenal to address Log4Shell-type incidents.

In the report, 69% of CISOs say the volume of alerts they receive makes it difficult to prioritize vulnerabilities based on risk and impact.

According to 63% of respondents, AI is key to prioritizing vulnerabilities so teams can make the most effective use of time. And 53% of respondents say AI is critical for real-time, continuous insight into code libraries and applications in production.

Further, the share of actionable alerts is declining. Less than one-third (32%) of the application security vulnerability alerts organizations receive daily require action, compared with 42% the year before; the rest are noise that still has to be triaged.

DevSecOps key to mature vulnerability management strategy

For automation in cloud-native environments to achieve its potential, organizations need to hone their security approaches to meet future Log4Shell-like threats.

According to the report, however, only one-third (34%) of organizations have a mature DevSecOps culture. In this case, “mature” means the majority of teams have integrated security practices across the SDLC.

To "shift left" and identify vulnerabilities in code that is still in development, and also "shift right" to identify security issues in production, organizations need to build their DevSecOps muscle memory.

Further, DevSecOps teams need to build automation into the SDLC for a comprehensive vulnerability management strategy. Developers tend to skip security testing when it means manual steps, one-off configurations, and custom scripts that slow down delivery. Automated checks in the pipeline remove those manual steps and surface the security state of an application in development without anyone having to test it by hand.

Ultimately, mature DevSecOps practices may speed code development rather than block it.

Recent ESG research reveals that 78% of those with a more mature approach to DevSecOps report that code deployment has accelerated.

Further, in ESG’s research, IT teams with the most mature DevSecOps practices also rated the reliability of their code higher.

The good news is that DevSecOps adoption is on the rise. According to GitLab’s 2021 Global DevSecOps Survey, 36% of respondents develop software using DevSecOps, compared with only 27% in 2020.

But mature DevSecOps takes time to build. According to recent research, only about 20% of organizations have a mature, collaborative DevSecOps culture, and another 40% still operate in silos. Closing that gap is the work ahead.