Tool sprawl is hurting application security, US CSOs say

Tool sprawl is hurting application security, US CSOs say

Eight out of the top 10 data breaches in 2023 can be attributed to application attack surfaces, as attackers shift focus from classic infrastructure configurations to targeting vulnerable applications and APIs, according to a study from CrowdStrike.

Eight breaches alone exposed around 1.7 billion records, according to the study, which surveyed 400 US-based security professionals across different industries.

“Companies are getting more mature around securing the basic infrastructure with tooling like cloud security posture management (CSPM) as their first line of defense against attacks,” said Raj Rajamani, chief product officer at CrowdStrike. â€œNaturally, attackers are moving to the newer and weaker links, or to the path of lower resistance: the applications.”

The CrowdStrike survey focused on application security (AppSec) observed complex code architecture and poor security reviews added to the application attack surface.

Evolving coding architecture adds to complexity

The survey found that as the number of applications and development teams and the frequency of deployment increased, the number of programming languages used within an organization peaked too, adding to the security workload.

Java, JavaScript, Python, and C++ were the cloud-native application programming languages with the highest deployment frequencies in 2023, but they’re being joined by others.

“Newer languages show up every few years and it definitely adds to the complexity,” Rajamani said. “For instance, Golang and Rust have become popular in the last two-three years. The tooling used for security reviews and finding application vulnerabilities isn’t always mature enough to support new languages and generally needs time to catch up.”

Documentation is often a sticking-point, regardless of language. While 71% of organizations reported releasing application updates at least once a week, teams are still using maual documentation (74%) and spreadsheets (68%) to catalog and inventory their applications and APIs. The over-reliance on manual efforts, the study points out, opens these practices to errors.

The study also uncovered a lack of attention paid to security reviews.

Security requires more support

Survey respondents estimated that, on average, only 54% of major code changes undergo a full security review before deploying to production, with 22% respondents reviewing 24% or fewer code changes.

That finding didn’t surprise Forrester senior Analyst Janet Worthington.

“Cloud, containers, and DevOps tools have empowered product development teams to deploy more frequently,” said Worthington. “Teams are now able to release on a monthly, weekly, daily, and even hourly basis in some cases. Considering the limited number of security professionals in comparison to the number of developers, it is impossible for security teams to manually review all code changes.”

In order for security to scale, organizations must embrace a DevSecOps methodology where security validation is automated and integrated into developer workflows and CI/CD pipelines, she said.

“In this scenario, developers receive prompt feedback on the impact of their code changes on the application’s security posture, either through their IDE or a pull request,” Worthington added. “This allows developers to address any security findings before the code is integrated into the larger application.”

AppSec suffers visibility and prioritization challenges

Security reviews took more than one business day for 81% of respondents, while another 35% said it took them more than three. This has to do with security teams facing alerts that have grown in complexity and frequency, according to the study.

When it comes to detecting and prioritizing vulnerabilities and threats, no one tool stands out, with 90% of respondents using three or more tools to do the job.

Prioritization was among the top three challenges for 61% of respondents, and 22% said deciding what to fix first was their top obstacle.

Multiple challenges made that prioritization difficult. These included receiving too many alerts (cited by 37% of respondents), having too many tools (31%), and the difficulty of correlating alerts among multiple tools (55%).

For Paul Furtado, vice president and analyst at Gartner, those numbers highlight the importance of finding a balance.

“It ultimately comes down to two items: efficacy and efficiency,” Furtado said. â€œThe chosen tool must work in that it must be effective in finding the security holes, but equally important is the speed at which it happens. Each organization must decide whether the efficacy and efficiency needed for an organization lies within a single toolset or a combination of disparate tools.”

Sometimes the challenge isn’t related to technology per se, but rather corporate resistance to modify existing processes to accommodate the time necessary for security activities, Furtado added.

Application Security

Go to Source