False alarms: Cloud-native architectures overwhelm conventional security solutions. Study: Only 3 percent of companies have real-time visibility into runtime vulnerabilities.
Traditional approaches to application security are overwhelmed by the increasing use of cloud-native architectures, DevOps and agile methods. That is one of the results of the independent global survey on behalf of the software intelligence provider Dynatrace. The study was carried out among 700 people responsible for information and data security in the company (CISO).
Too many false positives
Companies are shifting more and more responsibility onto developers in order to accelerate innovation. But complex IT systems and outdated security tools slow down the process by leading to a large number of alarm messages which, after extensive manual testing, often turn out to be false positives. A so-called false positive or false positive is an error in a check in which a predefined state was incorrectly recognized as such. Companies need a new approach that is optimized for multicloud environments, Kubernetes and DevSecOps.
The free study "Precise, automatic risk and impact assessment is key for DevSecOps" is available for download. She shows:
- According to 89 percent of CISOs, microservices, containers and Kubernetes have created blind spots in application security.
- 74 percent of CISOs say that conventional security solutions such as vulnerability scanners no longer fit into today's cloud-native world.
- 97 percent of companies have no real-time visibility into runtime vulnerabilities in containerized production environments.
- Almost two-thirds (63%) of CISOs believe that DevOps and agile development have made it difficult to identify and manage software vulnerabilities.
- 71 percent of CISOs are not entirely sure that the code is free of vulnerabilities before going live.
Study "Precise, automatic risk and impact assessment is key for DevSecOps" (Photo: dynatrace).
"The increasing use of cloud-native architectures completely overwhelms the traditional approaches to application security," says Bernd Greifeneder, founder and chief technology officer at Dynatrace. “This study confirms what we have long expected: Manual vulnerability scans and impact assessments can no longer keep up with the pace of change in today's dynamic cloud environments and the rapid innovation cycles. Risk assessment has become nearly impossible due to the growing number of internal and external service dependencies, runtime dynamics, continuous delivery, and multilingual software development using an ever-increasing number of third-party technologies. Teams that are already overloaded are forced to choose between speed and security. In this way they expose their organizations to unnecessary risks. "
Further results of the study
- On average, companies have to respond to 2.169 new alerts about possible security vulnerabilities in applications every month.
- According to 77 percent of CISOs, most security warnings and reported vulnerabilities are false positives and require no action.
- For 68 percent of CISOs, the amount of warning messages makes it very difficult to prioritize vulnerabilities according to risk and impact.
- 64 percent of CISOs say developers don't always have the time to fix vulnerabilities before code goes into production.
- 77 percent of CISOs believe: The only way to keep up with modern cloud-native application environments is to replace manual provisioning, configuration and management with automated approaches.
- According to 28 percent of CISOs, application teams sometimes bypass vulnerability scans to speed software delivery.
"When companies introduce DevSecOps, they also have to provide their teams with solutions that offer automatic, continuous risk and impact analysis for every vulnerability in real time - for both preproduction and production environments," Greifeneder continued. “With the Application Security Module on the Dynatrace Software Intelligence Platform, companies can leverage the automation, AI, scalability and robustness of Dynatrace. It can be expanded to ensure more secure release cycles - with the certainty that the cloud-native applications are free of vulnerabilities. "
The study is based on a global survey of 700 CISOs in companies with more than 1.000 employees, carried out by Coleman Parkes on behalf of Dynatrace in 2021. It comprises 200 respondents in the USA, 100 each in Germany, France, Great Britain and Spain and 50 each in Brazil and Mexico.
More at dynatrace.com
About Dynatrace
Dynatrace delivers software intelligence to simplify the complexities of the cloud and accelerate digital transformation. With automated and intelligent, highly scalable observability, our all-in-one platform provides precise answers about the performance and security of applications, the underlying infrastructure and the experience of all users. This enables companies to drive innovations faster, work together more efficiently and generate added value with significantly less effort. That's why many of the world's largest companies trust Dynatrace® to modernize and automate their cloud operations, release better software faster, and deliver unrivaled digital experiences.