AppSec Teams Stuck in Catch-Up Cycle Due to Massive Cloud-Native Enablement Gap
85% of AppSec pros say ability to differentiate between real risks and noise is critical, yet only 38% can do so today; mature DevOps organizations cite widespread impact due to lack of cloud-native tools
May 19, 2023
PRESS RELEASE
Tel Aviv, May 17, 2023 - Backslash Security, the new cloud-native application security solution for enterprise AppSec teams, today released a new research study, Breaking the Catch-up Cycle: The New Cloud-Native AppSec Paradigm Survey Report, exploring how the state of application security has evolved given the rise of cloud-native application development. The study examines the practices, tools, and needs of CISOs, AppSec managers, and AppSec engineers at enterprise organizations of 1,000 or more employees with mature cloud-native app development environments.
The study reveals that AppSec teams are stuck in a catch-up cycle, unable to keep up with the increasingly rapid, agile dev pace, and playing security defense via an endless and unproductive vulnerability chase. Notably, 58% of respondents report spending over 50% of their time chasing vulnerabilities, with a shocking 89% spending at least 25% of their time in this defensive mode. This costly 'defensive tax' — the cost of employing AppSec engineers who chase vulnerabilities rather than drive a comprehensive cloud-native AppSec program — is estimated to be upwards of $1.2 million annually.
Given the accelerated pace of digital innovation across enterprises of all sizes and the blurred lines between AppSec and CloudSec, enterprise AppSec teams are saddled with solutions that have not caught up to the cloud pace. As a result, AppSec professionals are losing faith in the prevailing AppSec tools:
Almost all organizations are seeing a widespread impact of the lack of cloud-native AppSec tools, including growing friction between AppSec and dev teams (39%), jeopardized ability to generate revenue (39%), and inability to retain high-value dev talent (38%) and AppSec talent (35%);
94% of respondents cited multiple issues with today’s AppSec technologies; top complaints were the considerable amount of time spent prioritizing findings (48%) and that existing AppSec tools are noisy (45%);
SAST and DAST are quickly losing ground, with just 32% of respondents stating that they use either of these prevailing standards extensively.
The report emphasizes the urgent need for a new AppSec paradigm that maps a clear path to a modern standard for cloud-native AppSec success, characterized by end-to-end visualization of all microservices, automatic identification and prioritization of real risks, and intelligent triaging and remediation. In assessing the importance of these three key tenets of modern AppSec:
82% agree that automating threat model visualization will help AppSec teams save time and manual labor analyzing cloud-native application risks;
91% believe correlating application security risks with the application’s exposure to the outside world, such as via open APIs, is important;
91% believe differentiating between general code weaknesses and critical vulnerabilities is important;
Eight out of the nine total capabilities that define this new cloud-native AppSec paradigm were ranked as “critical” or “important” by 70%+ of respondents.
However, the AppSec industry suffers from a massive cloud-native enablement gap. Across all of the most critical capabilities, respondents reported that enablement is sorely lacking:
85% of respondents say the ability to differentiate between real risks and noise is critical to their success, making it the #1 most important capability; yet only 38% of respondents are enabled to do so;
This trend persists throughout, including “correlating security findings to the developer or dev team responsible for the fix” (78% vs. 43%); “meeting compliance standards” (78% vs. 38%); and “efficient triaging between Dev and AppSec” (73% vs. 42%).
"What we're hearing across the board is a message of urgency – we've entered a new, cloud-native reality, and it’s time to put an end to the AppSec catch-up game," said Shahar Man, co-founder and CEO of Backslash. "These outdated AppSec methodologies hamper productivity, innovation and talent retention for both AppSec and dev teams. The cloud-native application development paradigm calls for a new, unified approach to application security that will make the friction between development and AppSec teams a thing of the past, enable enterprises to retain valuable talent, and accelerate innovation and growth."
This report surveyed 300 security professionals specifically tasked with application security for their organization, equally split between CISOs, AppSec managers and AppSec engineers from U.S. companies with 1,000 or more employees. Companies represent a wide range of industries.
Click here to download the report and learn more.
About Backslash Security
Backslash is the first Cloud-Native Application Security solution for enterprise AppSec teams to provide unified security and business context to cloud-native code risk, coupled with automated threat modeling, code risk prioritization, and simplified remediation across applications and teams.
With Backslash, AppSec teams can see and easily act upon the critical toxic code flows in their cloud-native applications; quickly prioritize code risks based on the relevant cloud context;
and significantly cut MTTR (mean time to recovery) by enabling developers with the evidence they need to take ownership of the process.
Backed by StageOne Ventures, First Rays Venture Partners, D. E. Shaw & Co., and a roster of security veterans as angel investors, including technology entrepreneur and investor Shlomo Kramer, Ron Zoran (former CRO of CyberArk), and Brian Fielder (General Manager, CTO Enterprise Security at Microsoft), Backslash has been deployed across leading technology organizations and Fortune 100 companies.
More at https://www.backslash.security/.
You May Also Like
Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024Safeguarding GitHub Data to Fuel Web Innovation
Nov 21, 2024