CISOs are worried too many application vulnerabilities leak into production

79% of CISOs say continuous runtime vulnerability management is an essential capability to keep up with the expanding complexity of modern multicloud environments.

Dynatrace has published the findings of an independent global survey of 1,300 chief information security officers (CISOs) in large-size organizations. The research reveals that the speed and complexity created by using multicloud environments, multiple coding languages, and open source software libraries are making vulnerability management more difficult. 75% of CISOs say that despite having a multi-layered security posture, persistent coverage gaps allow vulnerabilities into production. This highlights the growing need for observability and security to converge, paving the way toward AISecDevOps practices. This will empower organizations with a more effective way of managing vulnerabilities at runtime, and the ability to detect and block attacks in real time. The complimentary report, Observability and security must converge to enable effective vulnerability management, is available for download.

Findings from the research include:

•69% of CISOs say vulnerability management has become more difficult as the need to accelerate digital transformation has increased.

•More than three-quarters (79%) of CISOs say that automatic, continuous runtime vulnerability management is key to filling the gap in the capabilities of existing security solutions. However, just 4% of organizations have real-time visibility into runtime vulnerabilities in containerized production environments.

•Only 25% of security teams can access a fully accurate, continuously updated report of every application and code library running in production in real time.

“These findings underscore that there are always opportunities for vulnerabilities to slip past security teams, regardless of how robust their defenses might be. Both new applications and stable legacy software are prone to vulnerabilities that are more reliably detected in production. Log4Shell was the poster child for this problem, and there will undoubtedly be other scenarios like it in the future,” said Bernd Greifeneder, Chief Technology Officer at Dynatrace. “It’s also clear that most organizations still lack real-time visibility into runtime vulnerabilities. The problem stems from the growing use of cloud-native delivery practices, which enable greater business agility, but also introduce new complexity for vulnerability management, attack detection, and blocking. The rapid pace of digital transformation means that already overstretched teams are bombarded by thousands of security alerts that make it impossible to see through the noise and focus on what matters. Teams find it impossible to respond manually to every alert, and organizations are exposed to unnecessary risk by allowing vulnerabilities to escape into production.”

Additional findings include:

•On average, organizations receive 2,027 alerts of potential application security vulnerabilities each month.

•Less than a third (32%) of the application security vulnerability alerts organizations receive each day require action, compared to 42% last year.

•On average, application security teams waste 28% of their time on vulnerability management tasks that could be automated.

“Organizations realize that to manage vulnerabilities in the cloud-native era effectively, security must become a shared responsibility. The convergence of observability and security is critical to providing development, operations, and security teams with the context needed to understand how their applications are connected, where the vulnerabilities lie, and which need to be prioritized. This accelerates risk management and incident response,” continued Greifeneder. “To be truly effective, organizations should look for solutions that have AI and automation capabilities at their core, enabling AISecDevOps. These solutions empower their teams to quickly identify and prioritize vulnerabilities at runtime, block attacks in real time, and remediate software flaws before they can be exploited. This means teams can stop wasting time in war rooms or chasing false positives and potential vulnerabilities that will never make it into production. Instead, they confidently deliver better, more secure software faster.”

Checkmarx has introduced Checkmarx API Security, the first true “shift-left” API security solution. Building on the launch of Checkmarx Fusion, which prioritizes and correlates vulnerability data from across different AppSec engines, Checkmarx API Security is delivered as part of the industry-leading application security platform Checkmarx One. The developer workflow-oriented solution inventories even shadow and zombie APIs as part of the most comprehensive inventory and remediation solution available to secure the entire API lifecycle.
In expanded collaboration between the two companies, joint DevOps teams will provide an optimised experience across all touchpoints for Vodafone Germany’s customers.
Kong’s API platform streamlines innovation processes to enhance competitive advantage at banking group.
According to a recent research study from Epicor, a resounding 96 percent of organisations surveyed worldwide have confidence in their ability to navigate the early stages of the ERP purchase process, from initial evaluation to requirements planning. However, 48 percent cited a strong need for more support and partnership from their ERP providers during the latter stages of the purchase journey – from implementation, go-live, and ongoing customer care – to ease migration and realise faster time-to-value.
World’s largest software development platform launches innovative new workspace initiative in landmark deal to “fill the gap” in its remote first workforce strategy.
A new survey from leading market research firm IDC reveals that a unified view of digital infrastructure is essential for IT teams that must improve the digital customer experience while boosting overall organizational productivity.
Delphix has launched two new data appliances powered by Dell Technologies. Both appliances are fully engineered software solutions optimized for performance and reliability.
Offering automates cloud-native application security from design to production.