Across all industries, technologists are worried that their organisations are becoming less secure. The shift to cloud-native applications and architecture over the past two years has led to a dramatic expansion in attack surfaces, while at the same time, the scale and sophistication of cybercrime threats have increased significantly.
In the latest research from Cisco AppDynamics, The shift to a security approach for the full application stack, 84% of United Arab Emirates (UAE) technologists express concern that their organisation is vulnerable to a multi-staged security attack that would affect the full application stack over the next 12 months.
While IT departments have steamed ahead with digital transformation programs, using low-code and no-code platforms to accelerate release velocity and build more dynamic applications, security has largely failed to keep pace. All surveyed technologists in the Emirates admit that the rush to rapidly innovate and respond to the changing needs of customers and users during the pandemic has come at the expense of robust application security during software development.
The potential consequences of security vulnerabilities are well understood, from slow run times and outages which dent digital experiences and erode customer trust to digital transformation initiatives being undermined and, ultimately, loss of revenue.
Encouragingly, technologists are urgently looking to evolve their approaches to application security in order to get to grips with a complex risk landscape and support the shift to modern application stacks. They are looking to implement a security approach for the full application stack, moving to a DevSecOps model where application security is integrated throughout the software development lifecycle and embracing artificial intelligence (AI) and automation to cope with soaring volumes of security threats.
But in order to embed this type of robust application security approach within their organisations over the next 12 months, technologists identify six key challenges that they will need to overcome:
Lack of visibility into attack surfaces and vulnerabilities
Eighty-one per cent of technologists in the UAE state that their current security solutions work well in silos but not together, meaning that they can’t get a comprehensive view of their organisation’s security posture.
This is why IT teams need to integrate performance and security monitoring, so that they can see how a vulnerability or incident in a given component would affect end users and the business. That means visibility into the application code and everything that runs around it, with continuous detection and risk-based prioritisation, so that exploit attempts can be detected and blocked automatically while speed and uptime are preserved.
Difficulties prioritising threats based on severity, impact and business context
IT teams are being bombarded with security alerts from across the application stack, and they have no way to cut through this data noise to understand which alerts really could do the most damage. As a result, about two-thirds of local IT departments find themselves in ‘security limbo’ because they don’t know what to focus on and prioritise.
Business transaction insights are what allow IT teams to measure the importance of a threat and to prioritise it. A base severity score alone (a CVSS rating, for example) says how bad a flaw is in the abstract; weighting it with the context of the threat, such as whether the vulnerable component sits on an internet-facing, revenue-critical transaction or on an internal batch job, shows technologists which issues are likely to affect a business-critical area of the environment or application.
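As an added illustration of context-weighted prioritisation (this is example code written for this page, not a Cisco AppDynamics scoring model), the block below takes a base severity score per finding and multiplies it by the business criticality and exposure of the transaction the vulnerable component serves. The multiplier tables, the `Finding` fields and the sample findings are all constructed assumptions; the point is that a medium-severity flaw on an internet-facing checkout flow with evidence of exploitation outranks a critical-severity flaw on an internal batch job.

```python
from dataclasses import dataclass

# Context multipliers are assumptions for illustration, not values from the
# article or from any product. Tune them from real business-transaction data.
CRITICALITY = {"revenue": 3.0, "customer_data": 2.5, "internal": 1.0}
EXPOSURE = {"internet": 1.5, "partner": 1.2, "internal": 1.0}
EXPLOITED_BONUS = 1.5  # evidence of in-the-wild exploitation


@dataclass(frozen=True)
class Finding:
    id: str
    cvss: float             # base severity score, 0.0-10.0
    transaction: str        # business transaction served by the vulnerable component
    criticality: str        # key into CRITICALITY
    exposure: str           # key into EXPOSURE
    exploited_in_wild: bool


def contextual_score(f: Finding) -> float:
    """Base severity weighted by what the vulnerable component actually serves."""
    score = f.cvss * CRITICALITY[f.criticality] * EXPOSURE[f.exposure]
    if f.exploited_in_wild:
        score *= EXPLOITED_BONUS
    return round(min(score, 100.0), 1)


def prioritise(findings):
    """Highest contextual score first; ties broken by raw severity."""
    return sorted(findings, key=lambda f: (contextual_score(f), f.cvss), reverse=True)


def ranked_ids(findings):
    return [f.id for f in prioritise(findings)]


# Constructed sample findings (hypothetical identifiers and transactions).
SAMPLE = [
    Finding("F-1", 9.8, "nightly-report", "internal", "internal", False),
    Finding("F-2", 6.5, "checkout", "revenue", "internet", True),
    Finding("F-3", 7.5, "profile-update", "customer_data", "internet", False),
    Finding("F-4", 5.0, "admin-console", "internal", "partner", False),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.id} cvss={f.cvss:<4} context={contextual_score(f):<5} {f.transaction}")
```

Raw severity alone would put F-1 (9.8) at the top; with business context applied, the checkout finding F-2 leads despite a lower base score, which is the reordering the paragraph above is arguing for.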
Discovery and protection of sensitive data
Many technologists are now losing control of where data sits within their application portfolios, with application components running across multi-cloud environments and on-premise databases.
This opens up visibility gaps and increases the risk of a major security event, given the volumes of customer data which exist within many of these applications.
Technologists therefore need to implement runtime application self-protection (RASP), which provides visibility from inside apps so that they can be secured wherever they live and however they are deployed. Validating data requests directly inside the app, at the point where they reach a database, file system or command interpreter, helps to prevent vulnerabilities from being exploited and provides threat intelligence that pinpoints attacks down to the code level. Developers get targeted insight into their application environments that lets them respond to threats at scale, whether in containers, on-premises or in the cloud.
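To make the idea of in-app request validation concrete, the block below is an added example (written for this page, not Cisco AppDynamics agent code) of one technique RASP products use in front of a database driver: compare the token structure of the query the application is about to send with the structure expected for that code location, and block the call if user input added keywords, operators or comments. The tokenizer, the placeholder-based templates and the sample inputs are constructed simplifications; a real agent derives the expected structure from the calling code and uses the database's own grammar. It is a backstop for legacy string-built queries, not a substitute for parameterised queries.

```python
import re

# Constructed, deliberately small tokenizer for the demonstration. Order matters:
# comments come before the operator class so "--" is not split into two "-" tokens.
TOKEN = re.compile(
    r"""
    '(?:[^']|'')*'              # single-quoted string literal ('' is an escaped quote)
  | --[^\n]*                    # line comment
  | /\*.*?\*/                   # block comment
  | \d+(?:\.\d+)?               # numeric literal
  | [A-Za-z_][A-Za-z0-9_]*      # identifier or keyword
  | <>|<=|>=|!=|[=<>*,();+\-/]  # operators and punctuation
  | \S                          # anything else (e.g. an unbalanced quote)
    """,
    re.VERBOSE | re.DOTALL,
)


def structure(sql: str) -> list:
    """Token 'shape' of a query with literal values normalised away."""
    shape = []
    for m in TOKEN.finditer(sql):
        tok = m.group(0)
        if tok.startswith("'"):
            shape.append("STR")
        elif tok[0].isdigit():
            shape.append("NUM")
        else:
            shape.append(tok.upper())
    return shape


def inspect_query(template: str, **inputs: str) -> dict:
    """Emulate a RASP hook between legacy string-building code and the DB driver.

    `template` is the query as the legacy code builds it, with {name}
    placeholders where user input is spliced in. The expected shape is derived
    from the template with a neutral literal in every slot; the real query is
    allowed only if its shape is identical, i.e. every input stayed a single
    literal and added no keywords, operators or comments.
    """
    expected = structure(template.format(**{k: "0" for k in inputs}))
    sql = template.format(**inputs)
    actual = structure(sql)
    return {"allowed": actual == expected, "sql": sql,
            "expected": expected, "actual": actual}


# Constructed legacy queries: one quotes its input, the other splices a bare number.
BY_NAME = "SELECT id, email FROM users WHERE name = '{name}' AND active = 1"
BY_ID = "SELECT id, email FROM users WHERE id = {id}"


def demo() -> dict:
    """Decisions for a handful of benign and hostile inputs."""
    return {
        "benign_name": inspect_query(BY_NAME, name="alice")["allowed"],
        "tautology": inspect_query(BY_NAME, name="' OR '1'='1")["allowed"],
        "comment_out": inspect_query(BY_NAME, name="admin'--")["allowed"],
        "benign_id": inspect_query(BY_ID, id="42")["allowed"],
        "numeric_injection": inspect_query(BY_ID, id="1 OR 1=1")["allowed"],
        # A legitimate apostrophe is also blocked: the legacy code would have
        # produced a malformed query anyway. The real fix is a parameterised query.
        "apostrophe": inspect_query(BY_NAME, name="O'Brien")["allowed"],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:18} {'ALLOW' if allowed else 'BLOCK'}")
```

The blocked decision carries the offending SQL and the two token shapes, which is the kind of code-level evidence the paragraph describes: the developer sees exactly which query, at which point in the code, had its structure altered by input. The `O'Brien` case shows the caveat a practitioner should expect: structural checks block anything that changes the query's shape, so they surface latent bugs in string-built queries as well as attacks.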
Difficulties keeping up with a rapidly changing application security landscape
Overall, as many as 88% of technologists across the UAE report that it is now a challenge to keep up with emerging threats. Attack surfaces are growing rapidly due to the deployment of Internet of Things (IoT) and connected devices and the adoption of microservice-based application architectures. New hybrid working models have also exposed new vulnerabilities for organisations in all sectors.
In response, technologists need to lean on partners for data and insights into new security threats and to map these threats against their own organisation’s security posture.
Difficulties balancing speed, application performance and security
Security is still viewed as an inhibitor of innovation within many organisations, and with release velocity the overriding priority, security teams have been cut out of the application development process until the very end of the pipeline.
Traditionally, DevOps and SecOps teams have worked in silos, often with little understanding or appreciation of one another’s role.
With a DevSecOps approach, application security and compliance testing are integrated throughout the software development lifecycle rather than being an afterthought at the end of the development pipeline. It makes security a shared responsibility across teams and encourages developers to prioritise security issues at every stage of the application lifecycle.
DevSecOps involves significant cultural change — technologists need to put aside entrenched mindsets and embrace a more collaborative way of working, as well as develop new skills and knowledge outside of their own specific discipline.
However, it is well worth the effort: a DevSecOps approach makes life easier and less stressful for everyone in the IT department.
Volume of security threats and alerts
Many technologists feel overwhelmed by the volume of security threats and vulnerabilities to their organisations. IT departments simply haven’t got enough time in the day to identify and analyse the number of threats they now face.
AI and machine learning (ML) are now essential to identify gaps, predict likely vulnerabilities and automate the processes that remediate security holes. As bad actors ramp up their own use of AI and ML, it is vital that enterprise security teams do not fall behind. Indeed, 88% of UAE technologists believe that AI will play an increasingly important role in addressing the challenges around speed, scale and skills that their organisation faces in application security.
Organisations simply can’t afford to neglect application security any longer. It needs to be treated as a critical element of the application lifecycle and the foundation for organisations to deliver agile development and accelerated innovation.
Technologists must therefore do all they can to overcome the challenges they face and ensure they have the tools, insights and structures they need to adopt a security approach for the full application stack.