A recent report from analyst firm ESG highlighted the following statistic:
61% of organizations secure no more than half of their applications with some form of testing tool, which means many applications go unscanned altogether.
Not confidence-inducing. Given the severity of the cyber threat landscape, application security (AppSec) is critical. This stat demonstrates how organizations are struggling to ramp up their security programs and secure their applications. What it doesn't show is how vulnerability discovery lets us test more applications while also acting on the results.
Even the Best-Case Scenario is Pretty Bad
We did some simple math to determine how many applications are deployed into production without some form of application security testing. We started with the best-case scenario. We assumed the 61%, who scan no more than half, scan exactly half their applications. And we assumed the remaining 39% scan all their applications. Under this scenario, 31% of all applications lack security testing.
Let that sink in. In the absolute best case, which is highly unlikely, roughly a third of all applications reach production without any security testing. It's also worth noting that many programs only test: finding a vulnerability does not mean it gets fixed, which compounds an already dire situation.
Re-running the numbers with less optimistic assumptions provides a more realistic (and more disturbing) picture. Let's assume the 61% scan 1/3 of their applications, and the 39% scan 75% of theirs. Unscanned applications are now 0.61 × 2/3 + 0.39 × 1/4, or roughly half (about 50%) of all applications released into production. Yikes.
Why It’s So Hard
These stats are not intended to cast blame or suggest organizations are willfully developing and releasing vulnerable software. Several external and internal realities make AppSec difficult. Companies must release new features often to compete in an increasingly software-driven market. And with the ongoing shortage of cybersecurity skills, it's a challenge to keep security teams fully staffed. These two factors alone make it hard to develop and deploy secure applications, but, as the ESG report outlines, organizations are grappling with other issues as well.
Six Common Operational Challenges
- Gaining software risk visibility and assurance. You can't prioritize, let alone manage, risk you're not aware of. But most companies have only a periodic, fragmented view of where their risks lie and how they might affect the business.
- Scaling an application risk management framework. Policies help your teams implement practices consistent with your desired security posture. Because each tool has its own policy model, keeping them all aligned takes time and resources, both of which are in short supply.
- Securing DevOps. Many companies adopted a DevOps model to accelerate time to market. But neither Dev nor Ops are security specialists, so those controls were never baked into the process. Bolting on security after the fact adds time and cost and defeats the purpose of DevOps in the first place.
- Integrating fragmented security scanning tools. Many companies have multiple development teams as well as third-party software supply chains. With agility and speed as the watchword, each group invests in tooling as needed. This may work for individual teams, but the organization ends up with a large and disparate collection of security tools. Not only is this inefficient, but it’s also nearly impossible to get a company-wide view.
- Automating application and infrastructure testing. You need different testing tools to secure various components across all stages of the software development lifecycle (SDLC). Each tool has its own integration requirements and data outputs. With the sheer number of tools in your portfolio, you simply don’t have the resources to manage it all manually.
- Ensuring PCI DSS compliance. To address key PCI DSS requirements, companies use tools to continuously monitor application security throughout the SDLC and across the infrastructure. But even with these controls in place, they often lack a complete and actionable view of risk, resulting in compliance violations, not to mention exploitable gaps in security.
Vulnerability Orchestration Addresses These Challenges
The ZeroNorth platform improves vulnerability discovery by orchestrating security tools and automating control of testing. The result is an aggregated view of risk across the entire application portfolio. It will also:
- Enable comprehensive and consistent management of application vulnerabilities, from discovery to remediation
- Make it possible to both scan and use actionable results to improve application quality
- Eliminate noise to quickly find and remediate the critical application vulnerabilities
- Make the most informed decisions on where to focus remediation efforts based on continuous, prioritized visibility of software vulnerabilities across the SDLC
- Unleash the collective potential of your existing application security tools to deliver higher quality results, with more speed and less cost
- Orchestrate application security, including tools and vulnerability data
- Facilitate seamless collaboration with development by integrating security into DevOps processes and CI/CD pipeline tools
- Quickly stand up application security programs with integrated open source scanning tools, built-in workflows, automation and management, without additional overhead
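The mechanics behind several of these points (integrating fragmented scanners with different output formats, eliminating duplicate noise, ranking findings by severity, and knowing which applications were never scanned at all) can be shown in a small normalizer. The following is an added example written for this page, not ZeroNorth's code or any real tool's schema: it ingests a SARIF 2.1.0-shaped report from a hypothetical SAST tool ("sast-a") and a constructed JSON report from a hypothetical dependency scanner ("deps-b"), maps both onto one severity scale, collapses duplicates, and reports portfolio coverage from scan runs rather than from findings, so an application with a clean scan still counts as covered. The application names, rule ids and advisory id are all constructed.

```python
"""Normalize heterogeneous scanner output into one deduplicated, prioritized view.

Added example, not ZeroNorth code. All inputs below are constructed samples.
"""
import json
from dataclasses import dataclass

# Common severity scale; each tool's vocabulary is mapped onto it.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
# SARIF 2.1.0 result "level" values mapped onto the common scale.
SARIF_LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "info"}


@dataclass(frozen=True)
class Finding:
    app: str
    tool: str
    rule: str       # tool rule id or advisory id
    severity: str   # on the common scale
    location: str   # "path:line" for code, "package@version" for dependencies
    message: str


@dataclass
class ScanRun:
    app: str
    tool: str
    findings: list


# Constructed sample: SARIF 2.1.0-shaped output from a hypothetical SAST tool "sast-a".
SARIF_REPORT = json.loads("""
{"version": "2.1.0", "runs": [{
  "tool": {"driver": {"name": "sast-a"}},
  "results": [
    {"ruleId": "py/sql-injection", "level": "error",
     "message": {"text": "string-built SQL query"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"},
                                         "region": {"startLine": 42}}}]},
    {"ruleId": "py/hardcoded-secret", "level": "warning",
     "message": {"text": "credential literal"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config.py"},
                                         "region": {"startLine": 7}}}]}
  ]}]}
""")

# Constructed sample: hypothetical dependency scanner "deps-b" (not a real tool's schema).
# It reports the same package once per manifest, so the same advisory appears twice.
DEP_REPORT = json.loads("""
{"scanner": "deps-b", "vulnerabilities": [
  {"id": "ADV-0001", "package": "requests", "version": "2.19.0", "severity": "HIGH",
   "manifest": "requirements.txt", "title": "example advisory"},
  {"id": "ADV-0001", "package": "requests", "version": "2.19.0", "severity": "high",
   "manifest": "poetry.lock", "title": "example advisory"}
]}
""")


def parse_sarif(app, doc):
    """One ScanRun per SARIF run; SARIF levels mapped onto the common scale."""
    runs = []
    for run in doc["runs"]:
        tool = run["tool"]["driver"]["name"]
        findings = []
        for r in run.get("results", []):
            phys = r["locations"][0]["physicalLocation"]
            where = f'{phys["artifactLocation"]["uri"]}:{phys["region"]["startLine"]}'
            sev = SARIF_LEVEL_TO_SEVERITY.get(r.get("level", "warning"), "medium")
            findings.append(Finding(app, tool, r["ruleId"], sev, where, r["message"]["text"]))
        runs.append(ScanRun(app, tool, findings))
    return runs


def parse_dep_scanner(app, doc):
    """Parse the hypothetical deps-b format; unknown severity words land on 'medium'
    rather than being dropped or silently inflated."""
    tool = doc["scanner"]
    findings = []
    for v in doc["vulnerabilities"]:
        sev = v["severity"].lower()
        if sev not in SEVERITY_RANK:
            sev = "medium"
        findings.append(Finding(app, tool, v["id"], sev,
                                f'{v["package"]}@{v["version"]}', v["title"]))
    return [ScanRun(app, tool, findings)]


def dedupe(runs):
    """Collapse repeats of the same (app, rule, location), keeping the highest severity."""
    best = {}
    for run in runs:
        for f in run.findings:
            key = (f.app, f.rule, f.location)
            if key not in best or SEVERITY_RANK[f.severity] > SEVERITY_RANK[best[key].severity]:
                best[key] = f
    return list(best.values())


def prioritize(findings):
    """Highest severity first; stable secondary order so reports are reproducible."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.app, f.location))


def unscanned(portfolio, runs):
    """Apps with no scan run at all. Computed from runs, not findings: a clean scan is still coverage."""
    return sorted(set(portfolio) - {r.app for r in runs})


def build_view(portfolio, runs):
    return {"findings": prioritize(dedupe(runs)), "unscanned": unscanned(portfolio, runs)}


if __name__ == "__main__":
    portfolio = ["billing", "portal", "reports"]   # constructed application inventory
    runs = parse_sarif("billing", SARIF_REPORT) + parse_dep_scanner("portal", DEP_REPORT)
    view = build_view(portfolio, runs)
    for f in view["findings"]:
        print(f"{f.severity:<8} {f.app:<8} {f.tool:<7} {f.rule:<22} {f.location}")
    print("unscanned:", view["unscanned"])
```

The dedupe key is deliberately (app, rule, location) rather than the message text, because message wording varies between tool versions while rule ids and locations do not; in practice you would also map tool rule ids onto a shared taxonomy such as CWE so that two different SAST tools flagging the same line merge as well.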
By addressing these operational challenges, vulnerability orchestration helps organizations protect more of their applications. The further we can drive down that 61%, the better it is for everyone.
The ZeroNorth orchestration platform enables security teams to scale up their application security initiatives while increasing the effectiveness of their efforts. Please contact us for more information or to request a demo.
*** This is a Security Bloggers Network syndicated blog from Blog | ZeroNorth authored by ZeroNorth. Read the original post at: https://www.zeronorth.io/blog/sick-and-tired-of-struggling-with-application-security/