Legit Security, an application security posture management (ASPM) vendor, and TechTarget’s Enterprise Strategy Group (ESG), an IT analyst and research firm, have released a report titled Modernizing Application Security to Scale for Cloud-Native Development. The report examines why application security practices must change to keep pace with modern development and details the problems security teams run into with their existing tools.
As organizations adopt cloud-native technologies to speed up software development, attacker tactics evolve with them. Joe Nicastro, Field CTO at Legit Security, notes that while these technologies drive efficiency and innovation, they also expand the attack surface: misconfigurations, vulnerable plugins, and excessive permissions can appear at any stage of the software development lifecycle (SDLC). Countering these threats, he argues, takes security controls that cover the entire software factory (source repositories, build pipelines, and deployment infrastructure as well as the application code) and give developers safeguards they can work within.
The report finds that application teams struggle with keeping up with the pace of releases and with prioritizing remediation work. Both difficulties point to a modernized security approach in which security works alongside development and DevOps teams rather than reviewing their output after the fact. Notably, nearly all organizations have had trouble fixing vulnerabilities after deployment, which underscores the value of building security checks into the development and build process, where an issue is cheaper to fix than it is once the code is in production.
Key findings from the report include:
- 60% of organizations use Infrastructure as Code (IaC) to streamline infrastructure provisioning and application deployment, but 67% of respondents report that IaC adoption has brought a rise in misconfigurations.
- 45% of security teams involved in cloud-native development cite managing the risks of generative AI as their biggest challenge, followed by measuring the effectiveness of their AppSec programs and understanding developer environments well enough to manage security in them.
- Most organizations experienced a cybersecurity incident involving their cloud-native application stack in the past year; the most common incident type was secrets stolen from source code repositories (32%).
- Only 39% of organizations report that their security teams have adequate visibility into certain applications, which points to a need for better visibility into security testing during development.
Melinda Marks, Practice Director of Cybersecurity at ESG, emphasizes that traditional security solutions must evolve to support modern development processes. Securing the applications themselves is not enough, she notes: security teams must also address the risks in how developers work, including how secrets, pipeline tools, containers, and source code repositories are managed. These elements enable rapid development and collaboration, but each one also widens the attack surface and leaves more room for error. Addressing them is essential to improving security programs and avoiding consequences such as data loss, business disruption, and compliance fines.