Legacy AppSec Tools Getting Lost in the Cloud

As the pace of application development accelerates, IT and security teams are losing faith in old application security (AppSec) tools. Legacy tools can’t keep up and are stuck in a perpetual game of catch-up, according to a Backslash survey of 300 CISOs, AppSec managers and engineers.

The impact is far-reaching: most organizations report that inadequate cloud-native AppSec tools affect them across the board.

The report indicated that the “people” impact is particularly significant, as the ability for teams to work well together and the ability to retain key AppSec and dev talent is directly connected to whether teams have modern, cloud-ready tools.

One of the most striking survey findings was the sheer volume of wasted time due to inadequate tools: a full 89% wasted at least a quarter of their workday (and 58% wasted more than half) chasing vulnerabilities rather than proactively establishing the right security policies.

The impact of that is extensive—employee frustration, friction between teams, issues retaining talent and beyond.

There is also the hard cost to enterprises of “playing defense”—aka the defensive tax—which can be over $1 million per year, and which doesn’t even consider the cost of inadequately securing the given enterprise’s applications.

Another concerning conclusion that stemmed from the report is that inadequate cloud-native tooling is a root cause of friction between AppSec teams and developers.

Current-gen AppSec tools lack the ability to report the level of evidence required for dev teams to act on alerts.

“Combined with the sheer volume of false positives reported, AppSec teams end up losing credibility in the eyes of developers,” explains Shahar Man, co-founder and CEO of Backslash.

When asked about the impact of the lack of cloud-native tools, respondents said growing AppSec/dev friction was the number-one cited issue, followed by retaining dev talent and AppSec talent.

“We found that one of the things AppSec teams want most is to work well with their dev counterparts–and this is a core concern that came up throughout the survey,” Man said.

Regarding the time spent chasing vulnerabilities, Man said it all comes back to the fact that although enterprises are embracing cloud-based application development, AppSec teams are not equipped with cloud-native tools.

“They struggle to keep up with fast-paced development teams who are rapidly deploying code to the cloud, and the problem is then compounded by application security tools that produce an excessive number of low-value alerts,” he noted.

The top complaints about the current tools at their disposal are that they are noisy and that prioritizing findings takes too long, resulting in an endless, inefficient and unproductive vulnerability chase.

“The standard AppSec tools are simply not built for the cloud and lack the cloud context that is absolutely critical for AppSec teams to successfully do their jobs,” Man said.

He said that application security posture management (ASPM), a new security approach, gives AppSec teams more control and improves the security posture of their applications.

“Finally, there’s a new mindset, one that provides a holistic view of application security posture, allowing AppSec to strike a balance between a shift left mentality and being empowered to identify and mitigate vulnerabilities before they can be exploited,” he argued. “This is where the market is heading.”

Man added that AppSec pros have made it very clear that the standard AppSec tools are not cut out for the cloud, and that they deal with the consequences daily: team friction, talent retention issues, threatened revenue and diminished reputation.

“The AppSec industry is ready for a significant change and deserves tools that are built specifically to understand the cloud,” he said.

From Man’s perspective, this change should be driven top-down, from the CISO and AppSec teams into the rest of the organization, for two reasons.

“First, cloud security has already proven to CISOs that they can get full visibility into and control of their cloud assets in a self-sufficient way, and this has raised the bar for AppSec, with the expectation that it, too, can be modernized, simplified with full visibility for AppSec teams,” he said.

Second, while the shift left trend can help manage fast delivery cycles by shifting responsibility toward the dev side, at the end of the day, the CISO and AppSec teams are responsible for the security of the applications.

“Therefore, CISOs and AppSec teams deserve full visibility and insight on cloud application security risk,” Man said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
