The Software Development Trends Challenging Security Teams
September 09, 2024

Joe Nicastro
Legit Security

TechTarget's Enterprise Strategy Group (ESG) recently surveyed 350 IT and cybersecurity professionals and application developers to create a report called Modernizing Application Security to Scale for Cloud-Native Development. The survey results and analysis offer insights into the strategies, tools, and investments security and development teams are leveraging to address modern AppSec. It also generated some compelling data related to AppSec teams' challenges in the face of a rapidly changing development environment.

When asked to identify their top challenges for AppSec teams supporting cloud-native dev processes, "understanding developer environments and assets to effectively manage security" was one of the top three responses provided. With the explosion of innovations like APIs, multi-cloud deployments, containers, and AI-generated code, the attack surface has grown exponentially in recent years, and security teams are struggling to achieve the visibility and context required to effectively mitigate risk.

More evidence of the struggle to keep up with changing development practices emerged in the survey responses about the speed of development and infrastructure as code.

Speed of Development

Software development cycles today run at a lightning-fast pace and often leave security teams struggling to keep up. When asked about the security challenges with faster development cycles, survey respondents cited the following three areas as their top challenges:

■ Prioritizing needed remediation based on business criticality, reachability, or exploitability (35%)

■ Security lacks visibility and control in development processes (34%)

■ Software is released without going through security checks and/or testing (34%)

With the intense pace of development, chasing down each and every vulnerability becomes unfeasible – it is therefore not surprising to see prioritizing remediation top the list of challenges. Security teams can't afford to spend time, money, and effort fixing something that doesn't actually represent real risk to the organization.

What's missing is contextual prioritization of the overall development environment in order to select which vulnerabilities to fix first based on the impact to the business. Security teams should aim to shift the focus to overall product security rather than creating silos for cloud security, application security, and other components of the software supply chain. They should also seek out a clear view of the full software factory, its assets, its owners, its security controls, its vulnerabilities, and how all are related.

Increasing IaC Misconfigurations

With the software development factory becoming increasingly complex and automated, there are increasing opportunities for misconfigurations to create risk, and AppSec teams are struggling to manage that increase.

For example, the misconfiguration of build servers is a common problem that creates significant vulnerabilities. Build systems are essentially automated, implicitly trusted pathways straight to the cloud, yet most aren't treated as critical from a security perspective. In many cases, these systems, like Jenkins, for example, are misconfigured or otherwise vulnerable and unpatched.

Another increasingly common risk is infrastructure as code (IaC) misconfigurations.

Infrastructure as code use is exploding as developers look for ways to move faster. With IaC, developers can provision their own infrastructure without waiting for IT or operations. However, with increased use comes increased chance of misconfigurations. In fact, 67% of survey respondents noted that they are experiencing an increase in IaC template misconfigurations. These misconfigurations are especially dangerous because one flaw can proliferate easily and widely.

Examples of these misconfigurations include:​ 

■ Not using the latest version of TLS ​

■ Relying on username/passwords instead of SSH keys​

■ Creating cloud assets with excessive permissions, i.e., S3 buckets with read/write permissions

Development tool misconfigurations often stem from privileges issues. Many tools are over-privileged because they're easier to integrate if users have full access. To avoid this in IaC, security teams should pay special attention to access controls in IaC definitions:​ 

■ Determine what users need to do, then craft policies allowing them to perform only those tasks.​ 

■ Do not allow all users full administrative privileges.​

■ Start with a minimum set of permissions and grant additional permissions as necessary.​ 

Context and Clarity

It's clear that modern software security requires better context and more clarity. With the speed and complexity of development environments, security teams need visibility that allows them to make sense of the complexity and move at the speed of development, but current application security tools are falling short.

With different application security tools scanning code in different ways across the development lifecycle, most AppSec tools generate a lot of results without a lot of context. Without contextual risk ranking among applications and vulnerabilities, either "everything" is a priority, or "nothing" is a priority.

Additionally, AppSec teams need the kind of visibility that is standard for endpoint and network protection — where security teams collect a complete list of assets and a map of the environment to know what needs to be protected and where proper controls should be put in place.

For example, creating an automated SDLC asset inventory for development pipelines allows security teams to apply security policies to that inventory and check for risky violations — quickly and accurately. Threat modeling will then allow the team to identify risky implementations before starting development.

Joe Nicastro is Field CTO at Legit Security
Share this

Industry News

May 01, 2025

Check Point® Software Technologies Ltd.(link is external) announced that its Quantum Firewall Software R82 — the latest version of Check Point’s core network security software delivering advanced threat prevention and scalable policy management — has received Common Criteria EAL4+ certification, further reinforcing its position as a trusted security foundation for critical infrastructure, government, and defense organizations worldwide.

May 01, 2025

Postman announced full support for the Model Context Protocol (MCP), helping users build better AI Agents, faster.

May 01, 2025

Opsera announced new Advanced Security Dashboard capabilities available as an extension of Opsera's Unified Insights for GitHub Copilot.

May 01, 2025

Lineaje launched new capabilities including Lineaje agentic AI-powered self-healing agents that autonomously secure open-source software, source code and containers, Gold Open Source Packages and Gold Open Source Images that enable organizations to source trusted, pre-fixed open-source software, and a software crawling and analysis engine, SCA360, that discovers and contextualizes risks at all software development stages.

April 30, 2025

Lenses.io announced the release of Lenses 6.0, enabling organizations to modernize applications and systems with real-time data as AI adoption accelerates.

April 30, 2025

Sonata Software has achieved Amazon Web Services (AWS) DevOps Competency status.

April 29, 2025

vFunction® announced significant platform advancements that reduce complexity across the architectural spectrum and target the growing disconnect between development speed and architectural integrity.

April 29, 2025

Sonatype® introduced major enhancements to Repository Firewall that expand proactive malware protection across the enterprise — from developer workstations to the network edge.

April 29, 2025

Aqua Security introduced Secure AI, full lifecycle security from code to cloud to prompt.

April 29, 2025

Salt Security announced the launch of the Salt Model Context Protocol (MCP) Server, giving enterprise teams a novel access point of interaction with their API infrastructure, leveraging natural language and artificial intelligence (AI).

April 28, 2025

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of in-toto, a software supply chain security framework developed at the NYU Tandon School of Engineering.

April 28, 2025

SnapLogic announced the launch of its next-generation API management (APIM) solution, helping organizations accelerate their journey to a composable and agentic enterprise.

April 28, 2025

Apiiro announced Software Graph Visualization, an interactive map that enables users to visualize their software architectures across all components, vulnerabilities, toxic combinations, blast radius, data exposure and material changes in real time.

April 24, 2025

Check Point® Software Technologies Ltd.(link is external) and Illumio, the breach containment company, announced a strategic partnership to help organizations strengthen security and advance their Zero Trust posture.